PingOne MFA

The PingOne MFA services provide capabilities for enabling MFA actions in authentication flows, configuring MFA settings and policies, and specifying MFA devices.

For MFA authentication:

The /deviceAuthentications endpoint initiates and completes an MFA action without requiring a call to the PingOne authorize service. It supports actions to select a supported MFA device device type and to validate a one-time passcode (OTP). Refer to MFA Device Authentications.

For MFA policies and settings:

The MFA settings endpoint supports operations to read, update, and reset the PingOne MFA settings associated with a specified environment. Refer to MFA Settings.
The Device authentication policies (identified in the PingOne UI as "MFA Policies") enable you to configure different settings per MFA authentication method, according to your security policies. Refer to Device Authentication Policies.

For MFA device management:

The enable user settings (MFA) control whether a user can authenticate using MFA actions. This endpoint enables or disables MFA capability. refer to Enable Users MFA.
The MFA devices service defines the MFA method or methods associated with a user, such as email, SMS, voice, or other MFA device types for use in an MFA flow. Refer to MFA Devices.
To enable multi-factor authentication (MFA) via push notification on a native device, the user resource must have a native device and an application associated with its user ID. The association is implemented with a pairing key. Refer to MFA Pairing Keys.

Important: These requests require PING_ONE_MFA in the Bill of Materials (BOM) for your environment. To check the BOM for the list of PingOne products associated with your environment, refer to Read One Bill of Materials. If PING_ONE_MFA is not in the BOM, contact your PingOne administrator to check whether your license supports adding this product to your environment.

Authentication methods

PingOne MFA supports the following authentication methods:

Authentication Method Reference (amr)	Description
`EMAIL`	OTP through email
`MCA`	Multiple-channel authentication, indicating that an out-of-band operation through mobile push, either interactive or "silent"
`MFA`	Multi-factor authentication, indicating some MFA method, as opposed to a Bypass scenario
`OTP`	Time-based one-time passcode using an authenticator application or mobile OTP
`SMS`	OTP through SMS text message
`SWK`	Software-secured key, indicating device authorization using a trusted mobile device
`TEL`	OTP through a phone call
`USER`	User presence test, indicating an interactive push notification approved by the user, as opposed to a non-interactive "silent" push notification

Note The mobile application can pass any string (such as as face, ftp, pin, etc.) as AMR using the approve() method to indicate how the user approved the authorization on a push notification flow. Refer to PingOne MFA SDK for Android.

Use Cases

Enable Users MFA

The multi-factor authentication settings (MFA) control whether a user can authenticate using MFA actions. This endpoint enables or disables MFA capability.

Note: You can enable multi-factor authentication by setting mfaEnabled to true with POST Create User, POST Create User (Import), or PUT Update User MFA Enabled. You cannot update mfaEnabled with PUT Update User or PATCH Update User.

For information about user MFA device management, refer to MFA devices.

MFA settings data model

Property	Type	Required?	Mutable?	Description
`id`	String	Required	Immutable	The user resource's unique identifier.
`mfaEnabled`	Boolean	Required	Mutable	Whether multi-factor authentication is enabled. This attribute is set to 'false' by default when the user is created.

Response codes

Code	Message
200	Successful operation.
204	Successfully removed. No content.
400	The request could not be completed.
401	You do not have access to this resource.
404	The requested resource was not found.

Read User MFA Enabled

Update User MFA Enabled

MFA Bypass for User

You can use the bypassMFA endpoint to define a period during which a specific user should be allowed to bypass MFA. You can also use the endpoint to check whether a specific user is currently permitted to bypass MFA.

Allow MFA Bypass for User

Check MFA Bypass Status for User

MFA Devices

To enable multi-factor authentication (MFA), the user resource must have an MFA method associated with its user ID. PingOne supports email, SMS, voice, TOTP authenticator application, and native application method types for use in an MFA flow. Multiple MFA methods can be associated with a user ID. MFA methods must be in the active state to be used in the multi-factor login flow.

With this API, MFA methods are called MFA devices. The devices endpoints provide operations to manage device resources associated with a specified user ID. You need the Identity Data Admin role to perform operations on device resources.

Note: A user cannot create a native (mobile) device with POST {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices. The user must create the device with a pairing key. Refer to Creating a native device with a pairing key.

Device order

With the release of the device order feature (Jan 11, 2021), the active devices of most users now have an order (first...last). By default, the order is according to the device activation time (oldest...newest). Each subsequently activated device is appended to the end of the order list. The first device on the list is designated the default device. In most cases, the default device is automatically used for authentication; users no longer need to select a device.

There are a small number of users whose devices do not have a default order with this feature. If a user has more than one active device as of the release of the device order feature, the current active devices and subsequently activated devices have no order. The user therefore has no default device and must choose a device each time they authenticate. In this case, the order must be explicitly set (refer to Setting device order).

Note: If a user has more than one active device as of the release of the device order feature, and they delete enough devices so that they are left with zero or one active device, their devices then automatically have a default order. The first device activated (or the one existing active device) is the default device.

Cases where the default device is not used for authentication

In most cases, the default device is automatically used for authentication. However, there are two exceptions:

If authenticating from a native app and device authorization is enabled, the native device is used for seamless authentication (refer to Automatic device authorization under PingOne MFA Native SDK Flows).
If the user is paired with a FIDO2 platform device and a session token cookie exists on the browser, the FIDO2 platform device is used for authentication even if it is not the default device.

Setting device order

The operation POST {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices with required header Content-type: application/vnd.pingidentity.devices.reorder+json explicitly orders a user's existing active devices according to the request body. The active device listed first becomes the default device.

After this operation explicitly sets device order, subsequently activated devices are appended to the end of the order list. You can use this operation to explicitly reorder active devices as many times as needed.

Retrieving an ordered list of devices

The operation GET {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices returns the list of active devices sorted in their order, with the default device listed first. Devices with a status of ACTIVATION_REQUIRED are listed after the active devices, in no particular order. If devices have no order, GET {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices returns the list of devices in no particular order.

You can expand the GET {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices results with the expand=order query parameter. The response is then expanded to contain an array of activated device IDs listed according to device order. If devices have no order, an empty array is returned.

Deleting a default device

If the default (first) device is deleted, the second active device on the order list becomes the default device.

Removing device order

The operation POST {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices with required header Content-type: application/vnd.pingidentity.devices.order.remove+json removes the ordering on a user's active devices. With the execution of this operation, the user no longer has a default device.

Custom device pairing notification with device creation

To send a custom device pairing notification when a new email, SMS or voice device is created, add the notification property to the request body of POST {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices. The status of the created device must be ACTIVATION_REQUIRED.

{
    "notification": {
        "template": {
            "locale": "en",
            "variant": "variant_B"
            "variables": {
                        "sum": "1,000,000",
                        "currency": "USD",
                        "recipient": "Charlie Parker"
            }
       }
    }
}

When the device is created, a request is executed to select the content for the notification. The notification template is device_pairing. The deliveryMethod is Email, SMS or Voice, depending on the device created. The locale, variant, and all dynamic variables are defined in notification.

For more information on content selection, refer to Runtime logic for content selection. For more information on dynamic varables, refer to Dynamic variables.

Note: The notification property is not returned with GET requests and cannot be used with PUT requests.

Device failure in flows

When the flow returns a NO_USABLE_DEVICES error, and the user has devices that are temporarily unavailable (for example, the device is locked because of too many invalid OTP retries), the IDs of these devices are returned as part of the response.

In the flow response, the status property returns FAILED, and the error message includes the NO_USABLE_DEVICES error code. The following samples show common error messages for a device failure with identified unavailableDevices:

"status": "FAILED",
    "error": {
        "code": "NO_USABLE_DEVICES",
        "message": "Couldn't find authenticating device for user: {{userID}}",
      "unavailableDevices": [
            {
                "id": "edccc773-6f31-4d28-a8e1-0f427d9a9df8"
            }
        ]
    },

"status": "FAILED",
    "error": {
        "code": "NO_USABLE_DEVICES",
        "message": "Daily limit of SMS authentication attempts has been exceeded",
        "unavailableDevices": [
            {
                "id": "7ea99e29-6f8f-42be-af75-232588235e30"
            }
        ]
    },

Device properties

Property	Type	Required?	Mutable?	Description
`block.status`	String	Optional	Read-only	Whether the device is currently blocked. The possible values are `BLOCKED` and `UNBLOCKED`.
`block.blockedAt`	Date	Optional	Read-only	The date and time that the device was blocked.
`createdAt`	Date	N/A	Read-only	The date the device was created.
`environment.id`	String	N/A	Read-only	The environment ID associated with the device resource.
`id`	String	N/A	Read-only	The device resource's unique identifier.
`lock.status`	String	N/A	Read-only	Indication of whether the device is currently locked out due to too many failed attempts. Values are LOCKED, UNLOCKED.
`lock.expiresAt`	Date	N/A	Read-only	For devices that are currently locked out, the date and time when the lock will expire.
`lock.reason`	String	N/A	Read-only	For devices that are currently locked out, provides the reason for the lock. Values are OTP or PUSH. OTP means that the user passed the defined limit on the number of unsuccessful OTP tries. PUSH means that the user passed the limit on the number of push notifications that can be declined or ignored within the defined time period.
`nickname`	String	Optional	Mutable	Identifies the authentication method in the UI. If defined, this string also appears on the authentication screens. This property has a limit of 100 characters. All characters are supported. An empty string is also supported to delete the value. Use Update Device Nickname to set this property.
`notification.policy.id`	String	Optional	Mutable	The policy ID for the notification.
`policy.id`	String	Optional	Mutable	The device authentication policy ID associated with the device resource. Specifying a device authentication policy ID applies that policy on the API, which determines the MFA methods and mobile applications that are allowed. This property is not returned with GET operations and cannot be used with PUT operations. Currently, if a policy ID is not specified on the request, the environment policy is used. However, this behavior is temporary; it is highly recommended that you specify a policy ID in the POST operation request body.
`status`	String	Optional	Mutable	The device status. Options: `ACTIVE` `ACTIVATION_REQUIRED` If the actor makes the request on behalf of another user (typically using a Worker App), you can use either of the values: `ACTIVE` (default, if not provided): The device is pre-paired for the user. The user is not required to activate the device before using it for authentication for the first time. `ACTIVATION_REQUIRED`: The user must activate the device before using it for authentication for the first time. If the actor making the request is the same user for whom the device is created, the status can only be `ACTIVATION_REQUIRED` (default, if not provided). Thus in this case, the user is required to activate the device before using it for authentication for the first time. If the status is `ACTIVATION_REQUIRED`, you can use the `notification` property during device creation to create a custom device pairing notification. This is only applicable with SMS, Voice and Email devices. The `notification` property is not returned with `GET` operations and cannot be used with `PUT` operations. For more information, refer to Custom device pairing notification with device creation. Note: An actor making a self request must have an access token that includes the `p1:create:device` scope.
`tokenType`	String	N/A	Read-only	For devices of type OATH_TOKEN. Possible values are `HOTP` and `TOTP`.
`type`	String	Required	Mutable	The device type. Options: EMAIL FIDO2 MOBILE OATH_TOKEN (for PingID users) SMS TOTP (third-party TOTP authenticator applications) VOICE WHATSAPP PLATFORM - FIDO2 bound biometrics devices (deprecated, use FIDO2 instead) SECURITY_KEY - FIDO2 or U2F security key devices (deprecated, use FIDO2 instead)
`updatedAt`	Date	N/A	Read-only	The date the device was last updated.
`user.id`	String	Optional	Mutable	The ID of the user associated with the device.

EMAIL device properties

Devices whose type is EMAIL also have the following properties:

Property	Type	Required?	Mutable?	Description
`email`	String	Required	Immutable	The email address, which is required during `POST` only if the device type is `EMAIL`. The email address must be valid.
`notification`	Object	Optional	Immutable	Contains notification information. When this property is supplied during device creation, the information within is used to create a custom device pairing notification. For more information, refer to Custom device pairing notification with device creation.
`notification.template`	String	Optional	Immutable	An object that contains template parameters.
`notification.template.locale`	String	N/A	Read-only	The ISO language code (string) used for the device created notification. For example, `en`.
`notification.template.variant`	String	N/A	Read-only	The unique user-defined name for the content variant that contains the message text used for the notification. For more information on variants, refer to Creating custom contents.
`notification.template.variables`	Map[String, String]	Optional	Read-only	An object of name-value pairs that defines the dynamic variables used by the content variant. For more information on dynamic variables, refer to Dynamic variables.
`testMode`	Boolean	Optional	Mutable	To simplify automated testing of your applications, you can create dedicated testing devices. When you use the API to send authentication requests to such a device, the OTP is not sent to the actual device, but instead is returned as part of the body of the response. To specify that a device should serve as a testing device, set the value of `testMode` to `true`. If this parameter is not provided, the default value is `false`. For dedicated testing devices, the response to authentication requests includes the OTP value in the field `test.otp`.
`test.otp`	Integer	Optional	Read-only	If you use the `testMode` parameter to create a dedicated testing device, and `status` is set to ACTIVATION_REQUIRED in the request, the response will include `test.otp`, which is the passcode that you should use to activate the device.

SMS/Voice device properties

Devices whose type is SMS or VOICE also have the following properties:

Property	Type	Required?	Mutable?	Description
`phone`	String	Required	Immutable	The phone number, which is required only if the device type is SMS or VOICE. It must be a well-formed phone number consisting of a leading plus sign, 1 to 3-digit country code, and 4 to 14-digit phone number (e.g. +11235557890).
`extension`	String	Optional	Immutable	When creating a device of type `VOICE`, use `extension` for phone numbers that also have an extension. Can include digits, commas, #, and *. For nested extensions, separate the parts with a comma.
`notification`	Object	Optional	Immutable	Contains notification information. When this property is supplied during device creation, the information within is used to create a custom device pairing notification. For more information, refer to Custom device pairing notification with device creation.
`notification.template`	String	Optional	Immutable	Contains template parameters.
`notification.template.locale`	String	Optional	Read-only	The ISO language code used for the device created notification. For example, `en`.
`notification.template.variant`	String	Optional	Read-only	The unique user-defined name for the content variant that contains the message text used for the notification. For more information on variants, refer to Creating custom contents.
`notification.template.variables`	Map[String, String]	Optional	Read-only	An object of name-value pairs that defines the dynamic variables used by the content variant. For more information on dynamic variables, refer to Dynamic variables.
`testMode`	Boolean	Optional	Mutable	To simplify automated testing of your applications, you can create dedicated testing devices. When you use the API to send authentication requests to such a device, the OTP is not sent to the actual device, but instead is returned as part of the body of the response. To specify that a device should serve as a testing device, set the value of `testMode` to true. If this parameter is not provided, the default value is false. For dedicated testing devices, the response to authentication requests includes the OTP value in the field `test.otp`.
`test.otp`	Integer	N/A	Read-only	If you use the `testMode` parameter to create a dedicated testing device, and `status` is set to ACTIVATION_REQUIRED in the request, the response will include `test.otp`, which is the passcode that you should use to activate the device.

Native device properties

Devices whose type is MOBILE also have the following properties:

Property	Type	Required?	Mutable?	Description
`apiVersion`	String	Required	Mutable	The native SDK API version.
`application.id`	String	Required	Immutable	The ID of the native application associated with this device.
`application.nativeName`	String	Optional	Mutable	The name of the application retrieved from the native app in runtime.
`application.pushSandbox`	Boolean	Optional	Immutable	Indicates if the native application uses production or sandbox push credentials (if the app was built and installed by a developer from Xcode, or installed ad hoc). Only relevant on iOS devices.
`application.version`	String	Optional	Mutable	The version of the application retrieved from the native app in runtime.
`deviceIntegrityState.advice`	String	N/A	Read-only	If available, Google advice for the `deviceIntegrityState.reason`.
`deviceIntegrityState.compromised`	String	N/A	Read-only	Indicates if the device's integrity is compromised: TRUE FALSE UNKNOWN
`deviceIntegrityState.reason`	String	N/A	Read-only	Indicates the cause of the device's current integrity state: JAILBROKEN BASIC_INTEGRITY CTS DATA_UNAVAILABLE SAFETYNET_UNAVAILABLE SAFETYNET_ERROR SAFETYNET_VALIDATION_ERROR DATA_EXPIRED INTERNAL_ERROR INVALID_CERTIFICATE_DIGEST INVALID_PACKAGE_NAME
`deviceIntegrityState.timestamp`	Date	N/A	Read-only	The date and time (UTC) of the latest integrity check for the device.
`integrityStateCurrent`	String	N/A	Read-only	Used for internal PingOne purposes.
`locale`	String	Optional	Mutable	The device's locale.
`lockEnabled`	Boolean	Optional	Mutable	Whether the device is lock enabled.
`logs.expiresAt`	Date	N/A	Read-only	The date and time the request for expires, if the logs have not been sent yet. The value is set at 24 hours from the time of the request, and remains only while the `logs.status` is PENDING. `logs.expiresAt` is reset when the logs are sent, or when the system date reaches the request's expiry time.
`logs.level`	String	Optional	Mutable	The level of log detail. Values: VERBOSE DEBUG INFO (default) WARN ERROR
`logs.status`	String	Optional	Mutable	The returned status of a request for logs from a particular user device. Possible values: PENDING: The request for logs was issued. When the user connects to the app, it will send the logs. RECEIVED: The logs were sent from the device, and received.
`manufacturer`	String	N/A	Read-only	The manufacturer of the device.
`model.marketingName`	String	Required	Read-only	The model's marketing name.
`model.name`	String	Required	Read-only	The device's model name.
`name`	String	N/A	Read-only	The device name given by the manufacturer.
`notificationProvider`	String	N/A	Read-only	The messaging system used for push notifications. For the possible values, refer to the `type` property in the MFA push credentials data model.
`os.type`	String	Required	Read-only	The device's operating system.
`os.version`	String	Required	Mutable	The device's operating system version.
`otpEnabled`	Boolean	N/A	Read-only	Whether OTP authentication is enabled for the device.
`pushEnabled`	Boolean	N/A	Read-only	Whether push is enabled for the device.
`pushToken`	String	Optional	Mutable	The push token for this application on this device (for internal use).
`rooted`	Boolean	N/A	Read-only	Has been replaced by `deviceIntegrityState`. Can still appear in responses.
`sdkVersion`	String	N/A	Read-only	The version of the MFA Mobile SDK used.

Time-based One-time Password (TOTP) authenticator application device properties

Devices whose type is TOTP also have the following properties:

Property	Type	Required?	Mutable?	Description
`secret`	String	N/A	Read-only	The unique secret key shared by the prover (token) and the verifier (authentication server). Only returned if the device's activation status is ACTIVATION_REQUIRED. Both the `secret` and the `keyURI` values expire after 30 minutes.
`keyUri`	String	N/A	Read-only	The authenticator key URI, for example, `otpauth://totp/abc@example.com?secret={secretValue}`. Both the `secret` and the `keyURI` values expire after 30 minutes.

FIDO2 devices

Devices whose type is FIDO2 also have the following properties:

Property	Type	Required?	Mutable?	Description
`attestation`	String	N/A	Read-only	Specifies the public key and signed challenge used to complete registration and device activation. Devices with a status of `ACTIVATION_REQUIRED` are activated using a valid `attestation` and `origin`. The `attestation` is generated by the browser as a response to a specific user action, such as a fingerprint or clicks on the security key. This is a required property for FIDO2 device activation.
`attributes`	Object	N/A	Read-only	Object returned in the response for FIDO2 devices.
`attributes.isCrossPlatform`	Boolean	N/A	Read-only	Value is `true` if the device has ever been cross-platform.
`attributes.previousDeviceType`	String	N/A	Read-only	Included in the response for devices that were converted to FIDO2 from one of the deprecated device types. Value can be SECURITY_KEY or PLATFORM.
`backup`	Object	N/A	Read-only	Included in the response, contains the information regarding the backup eligibility of the device.
`backup.backupEligibility`	Boolean	N/A	Read-only	Whether the public key credential source is allowed to be backed up.
`backup.backupState`	Boolean	N/A	Read-only	Whether the public key credential source is currently backed up.
`challenge`	String	Optional	Immutable	If you want to use dynamic linking to attach a unique identifier to the registration of a FIDO device, provide a value for the `challenge` parameter. The value should be a custom challenge to replace the automatically-generated challenge that is ordinarily used. Must be a valid and unique Base64URL string that decodes to a data array of at least 32 bytes. You can generate a challenge that meets these criteria by adding a random nonce to the registration details to ensure uniqueness and then using SHA-256 to hash the information.
`displayName`	String	N/A	Read-only	The name displayed for the device in self-service registration and authentication windows. The name is taken from the relevant FIDO2 policy. Returned in the response only for request to read all FIDO2 devices.
`fidoDeviceMetadata`	Object	N/A	Read-only	For FIDO2 devices that have already been activated, contains metadata for the specific type of FIDO2 authenticator. Included in responses only if the `mdsAuthenticatorsRequirements.option` was set to a value other than `NONE` in the FIDO policy that was used when the device was paired. By default, the object contains only the `mdsIdentifier` field. If you want responses to include additional authenticator-related data, include the `expand` parameter in your query and set it to `fidoDeviceMetadata`, for example, `GET {{apiPath}}/environments/{{envId}}/users/{{userID}}/devices/{{deviceID}}?expand=fidoDeviceMetadata`. When the `expand` parameter is used, the object containing the data is included in the response under `embedded`.
`fidoDeviceMetadata.custom`	Boolean	N/A	Read-only	Indicates whether the authenticator is a custom authenticator that was added to the PingOne global authenticator table.
`fidoDeviceMetadata.mdsIdentifier`	String	N/A	Read-only	The Authenticator Attestation GUID (AAGUID) for the type of authenticator.
`fidoDeviceMetadata.name`	String	N/A	Read-only	The name of the authenticator.
`fidoDeviceMetadata.platform`	Boolean	N/A	Read-only	Indicates whether the authenticator is attached to a platform, as opposed to a cross-platform authenticator.
`fidoDeviceMetadata.protocol`	String	N/A	Read-only	The FIDO protocol family. The possible values are: `uaf`, `u2f`, and `fido2`.
`fidoDeviceMetadata.uvMethods`	Array	N/A	Read-only	The relevant user verification methods, such as `presence_internal` or `passcode_external`.
`origin`	String	Required	Read-only	The originating server (for example, `https://apps.pingone.com`). This property and the `attestation` property are used to activate FIDO2 devices that have a status of `ACTIVATION_REQUIRED`. This is a required property for FIDO2 device activation.
`publicKeyCredentialCreationOptions`	String	N/A	Read-only	A JSON serialization of the client data returned for registering a FIDO2 device with the webauthn `navigator.credentials.create` API.
`rp`	Object	Optional	Immutable	Information on the relying party. If not provided, the relying party ID is taken from the associated FIDO2 policy.
`rp.id`	String	Optional	Immutable	The ID of the relying party. The value should be a domain name, such as example.com (in lower-case characters).
`rp.name`	String	Optional	Immutable	The relying party's human-readable display name (for example, `acme`).

OATH token devices

OATH tokens can be used only in PingOne environments where a PingID account has been integrated.

Devices whose type is OATH_TOKEN also have the following properties:

Property	Type	Required?	Mutable?	Description
`oathResync`	Boolean	Optional	Immutable	When activating an OATH token device that is currently in `ACTIVATION_REQUIRED` state, you can include the `oathResync` parameter. When set to `true`, it instructs PingOne to resync the OATH token that is to be activated if a resync is required. If a resync is necessary, the response to the activation request is an error message indicating that you must provide an additional OTP to complete the process. When this message is returned, run the activate request again, this time including the next OTP for the token, without the `oathResync` parameter. This second request completes the pairing process, and the status of the device is changed to `ACTIVE`.
`serialNumber`	String	Required	Mutable	Value of `serialNumber` must be the serial number of an OATH token that has already been added to the PingOne environment.

PLATFORM and SECURITY_KEY webauthn device data model (deprecated, replaced by FIDO2 devices)

Devices whose type is PLATFORM or SECURITY_KEY also have the following properties:

Property	Type	Required?	Mutable?	Description
`platform`	String	N/A	Read-only	The type of platform associated with this MFA device. Options are `BIOMETRICS`, `WINDOWS`, `ANDROID`, `MAC`, and `IPHONE`. This property applies only to devices in which the `type` property is set to `PLATFORM`. The type of platform is based on the `User-Agent` HTTP header of the request. If it is not possible to identify the platform, the value defaults to `BIOMETRICS`.
`publicKeyCredentialCreationOptions`	String	N/A	Read-only	A JSON serialization of the client data returned for registering a FIDO2 device with the webauthn `navigator.credentials.create` API.
`rp.id`	String	Required	Immutable	The relying party identifier, which is based on a host's domain name but without a scheme or port (for example, `acme.com` or `login.acme.com`).
`rp.name`	String	Required	Immutable	The relying party's human-readable display name (for example, `acme`).

Device order properties

Property	Type	Required?	Mutable?	Description
`order`	String[]	Required	Mutable	An array of objects that determines the explicit order of a user's devices. The first device listed becomes the default device. This property is used as a body parameter to set the order of existing devices.

MFA devices events generated

Refer to Audit Reporting Events for the events generated.

Response codes

Code	Message
200	Successful operation.
400	The request was invalid.
400	The request could not be completed.
401	You do not have access to this resource.
403	You do not have permissions or are not licensed to make this request.
404	The requested resource was not found.
500	Unexpected server error.

Filtering result data

You can filter GET {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices results by applying a SCIM filtering expression to the request URL. For large collections, a filtering expression appended to the query returns a targeted, more useful data set.

SCIM operators can be applied to the following attributes:

Collection	Attribute	Supported operators	Valid values
Devices	mobilePayload	eq (equals)	The signed JWT payload from the PingOne Mobile SDK. The payload contains information about a specific device, so the collection returned will always contain just a single device.
Devices	status	eq (equals)	"ACTIVE", "ACTIVATION_REQUIRED"
Devices	type	eq (equals)	"SMS", "VOICE", "EMAIL", "TOTP", "MOBILE", "PLATFORM", "SECURITY_KEY"

The logical operators and and or can also be used to combine filter statements.

For example, the following URL-encoded SCIM filter returns a list of SMS devices that require activation:

{{apiPath}}/environments/{{envID}}/users/{{userID}}/devices?filter=(status%20eq%20%22ACTIVATION_REQUIRED%22)%20and%20(type%20eq%20%22SMS%22)

This URL returns the device that matches the information contained in the specified payload from the PingOne Mobile SDK:

{{apiPath}}/environments/{{envID}}/users/{{userID}}/devices?filter=mobilePayload eq "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz..."

Expanding result data

You can expand GET {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices results with the expand=<value> query parameter. The following value is supported.

Value	Description
`order`	The response is expanded to contain an array of activated device IDs listed according to device order. This value is relevant only if the devices are ordered. If devices are not ordered, and empty array is returned. For more information, refer to Setting device order.

Create MFA User Device (Voice)

Create MFA User Device (Email)

Create MFA User Device (TOTP)

Create MFA User Device (FIDO2)

Create MFA User Device (SMS)

Create MFA User Device (OATH token)

Create MFA User Device (WhatsApp)

Create MFA User Device for testing

Resend Pairing Code

Set Device Order

Remove Device Order

Activate MFA User Device (OATH token)

Activate MFA User Device

Activate MFA User Device (FIDO2)

Unlock MFA User Device

Block MFA User Device

Unblock MFA User Device

Read All MFA User Devices

Read One MFA User Device

Update Device Nickname

Send MFA Device Logs

Delete MFA User Device

MFA Pairing Keys

To enable multi-factor authentication (MFA) via push notification on a native device, the user resource must have a native device and an application associated with its user ID. The association is implemented with a pairing key.

The pairing key endpoints provide operations to create, read, and remove pairing key resources associated with a specified user ID, native device and application. The examples below show common actions to manage pairing keys.

Note: By default, pairing keys are valid for 10 minutes. You can have a maximum of 20 valid pairing keys per user at any given time.

Creating a native device with a pairing key

A user cannot create a native (mobile) device with POST {{apiPath}}/environments/{{envID}}/users/{{userID}}/devices. The user must create the device with a pairing key:

The user installs a native app with an embedded PingOne MFA Native SDK component.
The user starts an MFA authentication flow and creates a pairing key. Refer to Multi-factor MFA Action in the Developer Guide for more information.
The user scans the pairing key QR code with the native app.
The embedded PingOne MFA Native SDK starts the pairing process where the device resource is created. Refer to PingOne MFA SDK for Android or PingOne SDK for iOS.

Pairing key data model

Property	Type	Required?	Mutable?	Description
`id`	String	N/A	Read-only	The resource ID.
`environment.id`	String	N/A	Read-only	The environment ID.
`code`	String	N/A	Read-only	The pairing key that the end users should use for pairing their device.
`status`	String	N/A	Read-only	The status of the pairing key. Valid values: UNCLAIMED CLAIMED FAILED
`error.code`	String	N/A	Read-only	The code indicating the reason that `status` is FAILED.
`error.message`	String	N/A	Read-only	The message indicating the reason that `status` is FAILED.
`applications`	String[Array]	Optional	Mutable	The collection of application IDs that can be used with this pairing key.
`user.id`	String	N/A	Read-only	The user ID.
`policy.id`	String	Optional	Mutable	A string that specifies the device authentication policy ID associated with the pairing key resource. Specifying a device authentication policy ID applies that policy on the API, which determines the MFA methods and mobile applications that are allowed. This property is not returned with GET operations. Currently, if a policy ID is not specified on the request, the environment policy is used. However, this behavior is temporary; it is highly recommended that you specify a policy ID in the POST operation request body.
`createdAt`	Date	N/A	Read-only	The date this pairing key was created.
`updatedAt`	Date	N/A	Read-only	The date this pairing key was last updated.
`expiresAt`	Date	N/A	Read-only	The date this pairing key expires.

Response codes

Code	Message
200	Successful operation.
201	Successfully created.
204	Successfully removed. No content.
400	The request could not be completed.
401	You do not have access to this resource.
403	You do not have permissions or are not licensed to make this request.
404	The requested resource was not found.
500	Unexpected server error.

Create MFA Pairing Key

Read One MFA Pairing Key

Delete MFA Pairing Key

MFA Device Authentications

The /deviceAuthentications endpoint initiates and completes an MFA action without requiring a call to the PingOne authorize service. It supports actions to select a supported MFA device device type and to validate a one-time passcode (OTP).

When a device authentication MFA flow is initiated, the flow returns a status property in the response that identifies the next action in the flow. The following flow states prompt for a specific flow action:

OTP_REQUIRED

For a status value of OTP_REQUIRED, the otp.check action validates the one-time passcode.
DEVICE_SELECTION_REQUIRED

For a status value of DEVICE_SELECTION_REQUIRED, the device.select action prompts the user to select a supported device type for use in a multi-factor authentication flow.
ASSERTION_REQUIRED

For a status value of ASSERTION_REQUIRED, the assertion.check action validates the assertion.
PUSH_CONFIRMATION_REQUIRED

For a status value of PUSH_CONFIRMATION_REQUIRED, a push was sent to the specified mobile device to confirm the authentication.
PUSH_CONFIRMATION_TIMED_OUT

For a status value of PUSH_CONFIRMATION_TIMED_OUT, a push was sent to the specified mobile device, but the mobile device did not answer the push during the allowed timeframe.

Device authentications data model

Property	Type?	Required?	Mutable?	Description
`aggregateFido2Devices`	Boolean	N/A	Read-only	Indication of whether the available authentication method list should include only a single generic FIDO2 option rather than including an entry for each paired FIDO2 device. The field is included in the response to the request to initiate an MFA device authentication flow (`POST {{authPath}}/{{envID}}/deviceAuthentications`).
`application.id`	String	Optional	Mutable	The requesting application's unique identifier. This identifier is required only during device authorization flows when the `mobilePayload` value is provided.
`createdAt`	Date	N/A	Immutable	When the resource was created.
`error`	Object	N/A	Read-only	The error field indicating the reason for a device authentication failure.
`error.code`	String	N/A	Read-only	The error code.
`error.message`	String	N/A	Read-only	The error message.
`id`	String	N/A	Read-only	The resource's unique identifier.
`mobilePayload`	String	N/A	Read-only	The JSON that is the result of a `getMobilePayload` call (mobile app to mobile SDK). Both `mobilePayload` and `applicationId` values are required to invoke the device authorization flow using the API.
`notification`	Object	Optional	Immutable	Holds dynamic notification data.
`notification.clientContext`	Object	Optional	Immutable	Holds dynamic mobile push data.
`notification.policy.id`	String	Optional	Mutable	The policy ID for the notification.
`notification.template`	Object	Optional	Immutable	Holds dynamic template data.
`notification.template.name`	String	Optional	Immutable	The notification template name.
`notification.template.variant`	String	Optional	Immutable	The notification template variant.
`notification.template.locale`	String	Optional	Immutable	The notification template locale.
`notification.template.variables`	Map	Optional	Immutable	The notification template variables.
`policy.id`	String	Optional	Mutable	The device authentication policy ID.
`publicKeyCredentialRequestOptions`	String	N/A	Read-only	A string that specifies the public key credential request options object generated for the selected device that should be used to call the navigator.credentials.get() on the browser to generate the assertion. If you are using dynamic linking to attach a unique identifier to a FIDO transaction, `publicKeyCredentialRequestOptions` will include the transaction information for your records.
`reason`	String	Optional	Mutable	In situations where the user wants to authenticate from a different device, you can cancel an authentication flow that has begun. For such requests, the body consists of a single field, `reason`, and the value should be set to CHANGE_DEVICE. For details, refer to the Cancel Device Authentication example.
`rp.id`	String	Optional	Mutable	The ID of the relying party, used for logging in without having to provide a username. The value of the field should be a domain name, such as sample.com. If not provided, the relying party ID is taken from the associated FIDO2 policy.
`selectedDevice.id`	String	Optional	Mutable	The unique identifier of a user's MFA device. You can use this property to specify that authentication should be carried out with a specific device if the user has more than one. In responses, the value is the ID of the device that was in fact used for authentication.
`selectedDevice.oneTime.type`	String	Optional	Mutable	For organizations that prefer to maintain their own user device information, you can use the `oneTime` object to specify how the user should be contacted. The `type` property indicates the method that should be used for contacting the user. The value can be SMS, VOICE, or EMAIL. If you are using the `oneTime` object, you should not include the `selectedDevice.id` property.
`selectedDevice.oneTime.phone`	String	Optional	Mutable	If `selectedDevice.oneTime.type` is set to SMS or VOICE, use the `phone` property to provide the user's phone number.
`selectedDevice.oneTime.email`	String	Optional	Mutable	If `selectedDevice.oneTime.type` is set to EMAIL, use the `email` property to provide the user's email address.
`selectedDevice.oneTime.testMode`	Boolean	Optional	Mutable	To simplify automated testing of your applications, you can create dedicated testing devices. When you use the API to send authentication requests to such a device, the OTP is not sent to the actual device, but instead is returned as part of the body of the response. To specify that a one-time device should serve as a testing device, set the value of `testMode` to true. If this parameter is not provided, the default value is false. For dedicated testing devices, the response includes the OTP value in the field `test.otp`. Note that the `test.otp` field is included in the response for authentication requests only when using the API directly or via DaVinci. The field is not included in the API response that is sent to the PingOne user interface.
`selectedDevice.otp`	String	Optional	Mutable	Enables the user to enter their OTP when triggering MFA.
`status`	String	N/A	Read-only	The flow status. Options are `DEVICE_SELECTION_REQUIRED`, `PUSH_CONFIRMATION_REQUIRED`, `PUSH_CONFIRMATION_TIMED_OUT`, `OTP_REQUIRED`, `ASSERTION_REQUIRED`, `COMPLETED`, and `FAILED`.
`test.otp`	String	N/A	Read-only	If you are using a test device or you used the `testMode` parameter to specify that a one-time device should serve as a testing device, the response includes the OTP value in the field `test.otp`. Note that the `test.otp` field is included in the response for authentication requests only when using the API directly or via DaVinci. The field is not included in the API response that is sent to the PingOne user interface.
`updatedAt`	Date	N/A	Immutable	When the resource was last updated.
`user.id`	String	Required	Mutable	The requesting user's unique identifier.
`webAuthn.challenge`	String	Optional	Immutable	If you want to use dynamic linking to attach a unique identifier to a FIDO transaction, provide a value for the `webAuthn.challenge` parameter. The value should be a custom challenge to replace the automatically-generated challenge sent with the authentication request. Must be a valid and unique Base64URL string that decodes to a data array of at least 32 bytes. You can generate a challenge that meets these criteria by adding a random nonce to the transaction details to ensure uniqueness and then using SHA-256 to hash the information.
`_embedded.devices`	Array	N/A	Read-only	The list of authenticating devices.
`_embedded.devices[].otpStatus.status`	String	N/A	Read-only	Whether or not the device can be used currently for OTP-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE.
`_embedded.devices[].otpStatus.reason`	String	N/A	Read-only	If the status is DISABLED, contains the reason that the device cannot be used for OTP-based authentication, for example, that the application used a version of the MFA SDK that does not support OTP. Relevant only for devices where `type` is MOBILE.
`_embedded.devices[].pushStatus.status`	String	N/A	Read-only	Whether or not the device can be used currently for push-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE.
`_embedded.devices[].pushStatus.reason`	String	N/A	Read-only	If the status is DISABLED, contains the reason that the device cannot be used for push-based authentication, for example, that the push option was disabled for the application in the MFA policy. Relevant only for devices where `type` is MOBILE.
`_embedded.devices[].usableStatus.status`	String	N/A	Read-only	Whether or not the device can be used currently for authentication. Value returned is ENABLED or DISABLED.
`_embedded.devices[].usableStatus.reason`	String	N/A	Read-only	If the status is DISABLED, contains the reason that the device cannot be used for authentication, for example, that the defined daily notifications limit has already been reached.

Device authentication events generated

Refer to Audit Reporting Events for the events generated.

Initialize Device Authentication

Device Authentication (Custom Notification)

Device Authentication (No User Name)

Device Authentication (One-time SMS)

Device Authentication (One-time Voice)

Device Authentication (One-time Email)

Select Device for Authentication

Validate OTP for Device

Check Assertion (FIDO Device)

Cancel Device Authentication

Read Device Authentication

MFA Authentication Code

The /authenticationCodes endpoint provides operations to create, read, and delete an authentication code. The authentication code (which can be a QR code) enables users to sign on without any data entry, such as providing a username, password, or entering a one-time passcode. The user scans the code, and if successful, gains access to an application's services.

Authentication codes request data model

Property	Type	Required?	Mutable?	Description
`application.id`	String	Required	Mutable	The ID of a mobile application for which the code is valid; only the specified mobile application can scan the QR code.
`clientContext`	String	Optional	Mutable	An ObjectNode that provides relevant information to the mobile application that can be shown to application users. For example, `Do you want to approve this transaction?`. For more information, refer to Create Authentication Code.
`lifeTime.duration`	Integer	Optional	Mutable	The length of time for this authentication code to be valid. The minimum value is 10 seconds; the maximum value is 30 minutes; the default is 1 minute. If the `lifeTime.duration` property is set, a value for `lifeTime.timeUnit` is required.
`lifeTime.timeUnit`	String	Optional	Mutable	The time unit for the `lifeTime.duration` property. Options are `SECONDS` and `MINUTES`. If the `lifeTime.timeUnit` property is set, a value for `lifeTime.duration` is required.
`userApproval`	String	Optional	Mutable	Whether the mobile device must verify that the user approves the authentication with the scanned code. Options are `REQUIRED` and `NOT_REQUIRED`.

Authentication codes response data model

Property	Type	Required?	Mutable?	Description
`code`	String	N/A	Read-only	The authentication code. The code is eight characters in length, and it can include numbers and uppercase letters.
`createdAt`	Date	N/A	Read-only	When the resource was created.
`environment.id`	String	N/A	Read-only	The environment's unique identifier.
`expiresAt`	Date	N/A	Read-only	The expiration time of authentication code.
`id`	String	N/A	Read-only	The resource's unique identifier.
`status`	String	N/A	Read-only	The status of the authentication code. Options are `UNCLAIMED`, `CLAIMED`, `EXPIRED`, `DENIED`, and `COMPLETED`. The `EXPIRED` status is active for 5 minutes after the code is no longer valid.
`updatedAt`	Date	N/A	Read-only	When the resource was last updated.
`uri`	String	N/A	Read-only	A universal link (for example, `https://www.example.com/pingonesdk?authentication_code={{generated token}}`). This property can also set a link to a schema application (for example, `pingoneapp://pingonesdk?authentication_code={{generated token}}`). If a universal link or schema application link is not set, the response does not include the `pingonesdk?authentication_code={{generated token}}` portion of the URL.
`user.id`	UUID	N/A	Read-only	The unique identifier of the authenticated user.
`_embedded.device.otpStatus.status`	String	N/A	Read-only	Whether or not the device can be used currently for OTP-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE.
`_embedded.device.otpStatus.reason`	String	N/A	Read-only	If the status is DISABLED, contains the reason that the device cannot be used for OTP-based authentication, for example, that the application used a version of the MFA SDK that does not support OTP. Relevant only for devices where `type` is MOBILE.
`_embedded.device.pushStatus.status`	String	N/A	Read-only	Whether or not the device can be used currently for push-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE.
`_embedded.device.pushStatus.reason`	String	N/A	Read-only	If the status is DISABLED, contains the reason that the device cannot be used for push-based authentication, for example, that the push option was disabled for the application in the MFA policy. Relevant only for devices where `type` is MOBILE.
`_embedded.device.usableStatus.status`	String	N/A	Read-only	Whether or not the device can be used currently for authentication. Value returned is ENABLED or DISABLED.
`_embedded.device.usableStatus.reason`	String	N/A	Read-only	If the status is DISABLED, contains the reason that the device cannot be used for authentication, for example, that the defined daily notifications limit has already been reached.

For descriptions of other fields under _embedded.device, refer to MFA Devices.

For descriptions of fields under _embedded.user, refer to Users data model.

Create Authentication Code

Read Authentication Code

Delete Authentication Code

Device Authentication Policies

Device authentication policies (identified in the PingOne UI as "MFA Policies") enable you to configure different settings per MFA authentication method, according to your security policies.

Device authentication policy data model

Property	Type	Required?	Mutable?	Description
`authentication.deviceSelection`	String	Optional	Mutable	The default method that should be used for authentication. Can take one of the following values: DEFAULT_TO_FIRST - use the method that the user set as their default PROMPT_TO_SELECT - always have the user select the method to use if there is more than one method available ALWAYS_DISPLAY_DEVICES - always have the user select the method to use even if there is only one method available If this parameter is not provided, the DEFAULT_TO_FIRST option is used.
`default`	Boolean	Required	Mutable	Whether this is the default policy for Flow Manager.
`email`	Object	Required	Mutable	Email device authentication policy settings. Offline device (SMS, voice, email, WhatsApp) authentication policy data model
`environment`	String	N/A	Read-only	The environment ID.
`fido2`	Object	Required	Mutable	FIDO device authentication policy settings. FIDO device authentication policy data model
`forSignOnPolicy`	Boolean	N/A	Read-only	Deprecated. Can still appear in responses.
`id`	String	N/A	Read-only	The ID of the device authentication policy.
`ignoreUserLock`	Boolean	Optional	Mutable	When applying an MFA policy, PingOne ordinarily checks if a user account is locked, and if so, prevents the user from authenticating. Set `ignoreUserLock` to `true` if you want PingOne to skip this account lock check.
`mobile`	Object	Required	Mutable	Mobile device authentication policy settings. Mobile authentication policy data model
`name`	String	Required	Immutable	The device authentication policy's name.
`newDeviceNotification`	String	Optional	Mutable	Use `newDeviceNotification` to control whether a user should be notified if a new authentication method has been added to their account. Can take one of the following values: NONE - don't notify the user when a new authentication method is added. EMAIL_THEN_SMS - notify the user by email. If there is no email address in the user profile, notify the user by SMS. If there is no phone number either, don't notify the user. SMS_THEN_EMAIL - notify the user by SMS. If there is no phone number in the user profile, notify the user by email. If there is no email address either, don't notify the user. If the parameter is not provided, the default value is EMAIL_THEN_SMS.
`notificationsPolicy.id`	String	Optional	Mutable	If you want the MFA policy to use a specific notification policy rather than just using the default notification policy, use `notificationsPolicy.id` to specify the ID of the notification policy that should be used.
`rememberMe`	Object	Optional	Mutable	Object used to specify that the MFA policy should include a "remember me" option so that users do not have to authenticate when accessing applications from a device they have used already.
`rememberMe.web`	Object	Optional	Mutable	Contains the "remember me" settings for accessing applications from a browser.
`rememberMe.web.enabled`	Boolean	Optional	Mutable	Set to `true` if you want the MFA policy to include a "remember me" option.
`rememberMe.web.lifeTime`	Object	Optional	Mutable	Used to define the period during which users will not have to authenticate if they are accessing applications from a device they have used before. The "remember me" period can be anywhere from 1 hour to 90 days.
`rememberMe.web.lifeTime.timeUnit`	String	Optional	Mutable	The time unit to use for the "remember me" period. Can be `HOURS` or `DAYS`.
`rememberMe.web.lifeTime.duration`	Integer	Optional	Mutable	Used in conjunction with `lifeTime.timeUnit` to define the "remember me" period.
`sms`	Object	Required	Mutable	SMS device authentication policy settings. Offline device (SMS, voice, email, WhatsApp) authentication policy data model
`totp`	Object	Required	Mutable	TOTP device authentication policy settings. TOTP authentication policy data model
`updatedAt`	Date	N/A	Read-only	When the resource was last updated.
`voice`	Object	Required	Mutable	Voice device authentication policy settings. Offline device (SMS, voice, email, WhatsApp) authentication policy data model
`whatsApp`	Object	Optional	Mutable	Contains the settings for using WhatsApp as an authentication method. Offline device (SMS, voice, email, WhatsApp) authentication policy data model

FIDO device authentication policy data model

All of the fields in the table below should be enclosed in the fido2 object, for example:

"fido2" : {
    "enabled" : true,
    "pairingDisabled" : false
}

Property	Type	Required?	Mutable?	Description
`enabled`	Boolean	Required	Mutable	Whether the authentication method is enabled or disabled in the policy.
`failure`	Object	Optional	Mutable	Contains the definitions for the maximum number of times authentication can fail before user is blocked temporarily, and how long the user should be blocked.
`failure.coolDown.duration`	Integer	Optional	Mutable	Used in conjunction with `failure.coolDown.timeUnit` to specify how long the user should be blocked after reaching the maximum number of failures, before they can try authenticating again. Minimum period is two minutes, maximum is 30 minutes.
`failure.coolDown.timeUnit`	String	Optional	Mutable	The units to use for `failure.coolDown.duration`. Can be `SECONDS` or `MINUTES`.
`failure.count`	Integer	Optional	Mutable	The maximum number of times that authentication can fail before user is blocked for the specified period. Minimum is 1, maximum is 7.
`fido2PolicyId`	String	Optional	Mutable	The ID of the specific FIDO policy that should be used. If this parameter is not provided, the default FIDO policy is used.
`pairingDisabled`	Boolean	Optional	Mutable	You can set `pairingDisabled` to `true` to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
`promptForNicknameOnPairing`	Boolean	Optional	Mutable	Set to `true` if you want to allow users to provide nicknames for devices during pairing.

Offline device (SMS, voice, email, WhatsApp) authentication policy data model

Property	Type	Required?	Mutable?	Description
`enabled`	Boolean	Required	Mutable	Whether the device is enabled or disabled in the policy.
`otp.failure.coolDown.duration`	Integer	Required	Mutable	The duration (number of time units) the user is blocked after reaching the maximum number of passcode failures. The minimum value is 0, maximum is 30, and the default is 0. Note that when using the "onetime authentication" feature, the user is not blocked after the maximum number of failures even if you specified a block duration.
`otp.failure.coolDown.timeUnit`	String	Required	Mutable	The type of time unit for `otp.failure.coolDown.duration`. Valid values are `MINUTES` and `SECONDS`.
`otp.failure.count`	Integer	Required	Mutable	The maximum number of times that the OTP entry can fail for a user, before they are blocked. The minimum value is 1, maximum is 7, and the default is 3.
`otp.lifetime.duration`	Integer	Required	Mutable	The duration (number of time units) that the passcode is valid before it expires. The minimum value is 1, maximum is 7, and the default is 3.
`otp.lifetime.timeUnit`	String	Required	Mutable	The type of time unit for `otp.lifetime.duration`. Valid values are `MINUTES` and `SECONDS`.
`otp.otpLength`	Integer	Optional	Mutable	Used to specify the length of the OTP that is shown to users. Minimum length is 6 digits and maximum is 10 digits. If the parameter is not provided, the default is 6 digits.
`pairingDisabled`	Boolean	Optional	Mutable	You can set `pairingDisabled` to `true` to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
`promptForNicknameOnPairing`	Boolean	Optional	Mutable	Set to `true` if you want to allow users to provide nicknames for devices during pairing.

Mobile device authentication policy data model

All of the fields in the table below should be enclosed in the mobile object, for example:

"mobile": {
    "enabled": true,
    "otp": {
        "failure": {
            "count": 3,
            "coolDown": {
                "duration": 2,
                "timeUnit": "MINUTES"
            }
        }
    },
    "applications": [
        {
            "id": "{{appID}}",
            "push": {
                "enabled": true,
                "numberMatching": {
                    "enabled": true
                }
            },
            "otp": {
                "enabled": true
            },
            "pushTimeout": {
                "duration" : 120,
                "timeUnit" : "SECONDS"
            },
            "pushLimit": {
                "count": 4,
                "timePeriod": {
                    "duration": 10,
                    "timeUnit": "MINUTES"
                },
                "lockDuration": {
                    "duration": 30,
                    "timeUnit": "MINUTES"
                }
            },
            "deviceAuthorization": {
                "enabled": true,
                "extraVerification": "permissive"
            },
            "autoEnrollment": {
                "enabled": true
            },
            "pairingKeyLifetime": {
                "duration": 40,
                "timeUnit": "HOURS"
            },
            "integrityDetection": "permissive"
        }
    ]
}

Property	Type	Required?	Mutable?	Description
`applications[].autoEnrollment.enabled`	Boolean	Required	Mutable	Set to `true` if you want the application to allow Auto Enrollment. Auto Enrollment means that the user can authenticate for the first time from an unpaired device, and the successful authentication will result in the pairing of the device for MFA.
`applications[].deviceAuthorization.enabled`	Boolean	Required	Mutable	Specifies the enabled or disabled state of automatic MFA for native devices paired with the user, for the specified application.
`applications[].deviceAuthorization.extraVerification`	String	Required	Mutable	Specifies the level of further verification when `deviceAuthorization` is `enabled`. The PingOne platform performs an extra verification check by sending a "silent" push notification to the customer native application, and receives a confirmation in return. `extraVerification` can be one of the following levels: `disabled` (default): The PingOne platform does not perform the extra verification check. `permissive`: The PingOne platform performs the extra verification check. Upon timeout or failure to get a response from the native app, the MFA step is treated as successfully completed. `restrictive`: The PingOne platform performs the extra verification check.The PingOne platform performs the extra verification check. Upon timeout or failure to get a response from the native app, the MFA step is treated as failed.
`applications[].id`	String	Required	Immutable	The application's UUID.
`applications[].integrityDetection`	String	Required	Mutable	Controls how authentication or registration attempts should proceed if a device integrity check does not receive a response. Set the value to `permissive` if you want to allow the process to continue. Set the value to `restrictive` if you want to block the user in such situations.
`applications[].otp.enabled`	Boolean	Required	Mutable	Specifies whether OTP authentication is enabled or disabled for the policy.
`applications[].pairingDisabled`	Boolean	Optional	Mutable	You can set `pairingDisabled` to `true` to prevent users from pairing new devices with the relevant application. You can use this option if you want to phase out an existing mobile application but want to allow users to continue using the application for authentication for existing devices.
`applications[].pairingKeyLifetime.duration`	Integer	Optional	Mutable	The amount of time an issued pairing key can be used until it expires. Minimum is 1 minute and maximum is 48 hours. If this parameter is not provided, the duration is set to 10 minutes.
`applications[].pairingKeyLifetime.timeUnit`	String	Optional	Mutable	The time unit for the `pairingKeyLifetime.duration` parameter. The possible values are `MINUTES` and `HOURS`.
`applications[].push.enabled`	Boolean	Required	Mutable	Specifies whether push notification is enabled or disabled for the policy.
`applications[].push.numberMatching.enabled`	Boolean	Optional	Mutable	Set to `true` if you want the mobile push to require the user to match a number that they were shown when requesting access. To specify how the matching should be carried out, refer to the `numberMatching.type` parameter in the Applications OIDC settings data model.
`applications[].pushLimit.count`	Integer	Optional	Mutable	The number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for the application. The minimum value is 1 and the maximum value is 50. If this parameter is not provided, the default value is 5.
`applications[].pushLimit.lockDuration.duration`	Integer	Optional	Mutable	The length of time that push notifications should be blocked for the application if the defined limit has been reached. The minimum value is 1 minute and the maximum value is 120 minutes. If this parameter is not provided, the default value is 30 minutes.
`applications[].pushLimit.lockDuration.timeUnit`	String	Optional	Mutable	The time unit for the `pushLimit.lockDuration.duration` parameter. The valid values are `MINUTES` and `SECONDS`.
`applications[].pushLimit.timePeriod.duration`	Integer	Optional	Mutable	The time period in which the push notifications are counted towards the defined limit. The minimum value is 1 minute and the maximum value is 120 minutes. If this parameter is not provided, the default value is 10 minutes.
`applications[].pushLimit.timePeriod.timeUnit`	String	Optional	Mutable	The time unit for the `pushLimit.timePeriod.duration` parameter. The valid values are `MINUTES` and `SECONDS`.
`applications[].pushTimeout.duration`	Integer	Optional	Mutable	The amount of time a user has to respond to a push notification before it expires. Minimum is 40 seconds and maximum is 150 seconds. If this parameter is not provided, the duration is set to 40 seconds.
`applications[].pushTimeout.timeUnit`	String	Optional	Mutable	The time unit for the `pushTimeout.duration` parameter. Currently, the only permitted value is `SECONDS`.
`enabled`	Boolean	Required	Mutable	Whether the device is enabled or disabled in the policy.
`otp.failure.coolDown.duration`	Integer	Required	Mutable	The duration (number of time units) the user is blocked after reaching the maximum number of passcode failures. The minimum value is 2, maximum is 30, and the default is 2. Note that when using the "onetime authentication" feature, the user is not blocked after the maximum number of failures even if you specified a block duration.
`otp.failure.coolDown.timeUnit`	String	Required	Mutable	The type of time unit for `otp.failure.coolDown.duration`. Valid values are `MINUTES` and `SECONDS`.
`otp.failure.count`	Integer	Required	Mutable	The maximum number of times that the OTP entry can fail for a user, before they are blocked. The minimum value is 1, maximum is 7.
`promptForNicknameOnPairing`	Boolean	Optional	Mutable	Set to `true` if you want to allow users to provide nicknames for devices during pairing.

TOTP device authentication policy data model

Property	Type	Required?	Mutable?	Description
`enabled`	Boolean	Required	Mutable	Whether the device is enabled or disabled in the policy.
`otp.failure.coolDown.duration`	Integer	Required	Mutable	The duration (number of time units) the user is blocked after reaching the maximum number of passcode failures. The minimum value is 2, maximum is 30, and the default is 2.
`otp.failure.coolDown.timeUnit`	String	Required	Mutable	The type of time unit for `otp.failure.coolDown.duration`. Valid values are `MINUTES` and `SECONDS`.
`otp.failure.count`	Integer	Required	Mutable	The maximum number of times that the OTP entry can fail for a user, before they are blocked. The minimum value is 1, maximum is 7, and the default is 3.
`pairingDisabled`	Boolean	Optional	Mutable	You can set `pairingDisabled` to `true` to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
`promptForNicknameOnPairing`	Boolean	Optional	Mutable	Set to `true` if you want to allow users to provide nicknames for devices during pairing.
`uriParameters`	Object	Optional	Mutable	Object that you can use to provide key:value pairs for `otpauth` URI parameters. For example, if you provide a value for the `issuer` parameter, then authenticators that support that parameter will display the text you specify together with the OTP (in addition to the username). This can help users recognize which application the OTP is for. If you intend on using the same MFA policy for multiple applications, choose a name that reflects the group of applications.

PingID method data model (for PingOne environments where PingID accounts have been integrated)

These fields are used for the PingID-specific authentication methods - desktop, Yubikey, and OATH token.

Property	Type	Required?	Mutable?	Description
`enabled`	Boolean	Required	Mutable	Whether the device is enabled or disabled in the policy.
`otp.failure.coolDown.duration`	Integer	Required	Mutable	The amount of time the user is blocked after reaching the maximum number of passcode failures. The minimum is one second and the maximum is 30 minutes. Note that when using the "onetime authentication" feature, the user is not blocked after the maximum number of failures even if you specified a block duration.
`otp.failure.coolDown.timeUnit`	String	Required	Mutable	The time unit for `otp.failure.coolDown.duration`. Valid values are `MINUTES` and `SECONDS`.
`otp.failure.count`	Integer	Required	Mutable	The maximum number of times that OTP entry can fail for a user, before they are blocked. The minimum value is 1, maximum is 7.
`pairingDisabled`	Boolean	Optional	Mutable	You can set `pairingDisabled` to `true` to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
`pairingKeyLifetime.duration`	integer	Optional	Mutable	For "desktop" only. The amount of time the pairing key is valid. Can be expressed in minutes or hours. Minimum is one minute, maximum is 48 hours. If the `pairingKeyLifetime` object is not provided, then 48 hours is used.
`pairingKeyLifetime.timeUnit`	String	Optional	Mutable	The time unit for `pairingKeyLifetime.duration`. Can be `MINUTES` or `HOURS`.
`promptForNicknameOnPairing`	Boolean	Optional	Mutable	Set to `true` if you want to allow users to provide nicknames for devices during pairing.

PingID app data model (for PingOne environments where PingID accounts have been integrated)

This table includes the properties that are used for the PingID mobile app. All of the fields in the table below should be enclosed in the mobile object, as in the example in Mobile device authentication policy data model.

Property	Type	Required?	Mutable?	Description
`applications[].autoEnrollment.enabled`	Boolean	N/A	Read-only	Not relevant for PingOne environments where PingID accounts have been integrated. Will always be returned as `false`.
`applications[].biometricsEnabled`	Boolean	Optional	Mutable	Set to `true` if you want to allow users to authenticate with the biometric methods supported by the PingID app.
`applications[].id`	String	Required	Immutable	The application's UUID.
`applications[].otp.enabled`	Boolean	Optional	Mutable	Specifies whether the user can authenticate with a one-time passcode generated by the PingID app when push notifications are not available. If the parameter is not included, the option is disabled.
`applications[].pairingKeyLifetime.duration`	Integer	Optional	Mutable	The amount of time an issued pairing key can be used until it expires. Can be expressed in minutes or hours. Minimum is one minute, maximum is 48 hours. If the `pairingKeyLifetime` object is not provided, then 48 hours is used.
`applications[].pairingKeyLifetime.timeUnit`	String	Optional	Mutable	The time unit for `pairingKeyLifetime.duration`. Can be `MINUTES` or `HOURS`.
`applications[].pushLimit.count`	Integer	Optional	Mutable	The number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for the application. The minimum value is 1 and the maximum value is 50. If this parameter is not provided, the default value is 5.
`applications[].pushLimit.lockDuration.duration`	Integer	Optional	Mutable	The length of time that push notifications should be blocked for the application if the defined limit has been reached. The minimum value is 1 minute and the maximum value is 120 minutes. If this parameter is not provided, the default value is 30 minutes.
`applications[].pushLimit.lockDuration.timeUnit`	String	Optional	Mutable	The time unit for `pushLimit.lockDuration.duration`. The valid values are `MINUTES` and `SECONDS`.
`applications[].pushLimit.timePeriod.duration`	Integer	Optional	Mutable	The time period in which the push notifications are counted towards the defined limit. The minimum value is 1 minute and the maximum value is 120 minutes. If this parameter is not provided, 10 minutes is used.
`applications[].pushLimit.timePeriod.timeUnit`	String	Optional	Mutable	The time unit for `pushLimit.timePeriod.duration`. The valid values are `MINUTES` and `SECONDS`.
`applications[].newRequestDurationConfiguration.deviceTimeout.duration`	Integer	Required	Mutable	The amount of time an authentication request notification has to reach the device before timing out. Minimum is 15 seconds, maximum is 75 seconds.
`applications[].newRequestDurationConfiguration.deviceTimeout.timeUnit`	String	Required	Immutable	The time unit to use for `deviceTimeout.duration`. Only valid value is `SECONDS`.
`applications[].newRequestDurationConfiguration.totalTimeout.duration`	Integer	Required	Mutable	The total amount of time an authentication request notification has to be handled by the user before timing out. This includes both the time until the notification is displayed to the user and the time the user takes to respond. Minimum is 30 seconds, maximum is 90 seconds. `totalTimeout.duration`must exceed `deviceTimeout.duration` by at least 15 seconds.
`applications[].newRequestDurationConfiguration.totalTimeout.timeUnit`	String	Required	Immutable	The time unit to use for `totalTimeout.duration`. Only valid value is `SECONDS`.
`applications[].push.enabled`	Boolean	Required	Mutable	Specifies whether push notification is enabled or disabled for the policy.
`applications[].push.numberMatching`	Boolean	Optional	Mutable	Set to `true` if you want to require the authenticating user to select a number that was displayed to them on the accessing device.
`applications[].type`	String	Required	Immutable	Value must be set to `pingIdAppConfig`.
`enabled`	Boolean	Required	Mutable	Whether the device is enabled or disabled in the policy.
`ipPairingConfiguration.anyIPAdress`	Boolean	Optional	Mutable	If you want to limit users to specific IP addresses when pairing their device, set `anyIPAdress` to `false`, and use `ipPairingConfiguration.onlyTheseIpAddresses` to specify the valid IP addresses.
`ipPairingConfiguration.onlyTheseIpAddresses`	Array	Optional	Mutable	If you set `ipPairingConfiguration.anyIPAdress` to `false`, use `onlyTheseIpAddresses` to specify the IP addresses from which users can pair their devices. Each item in the array should be an IP address or an address range using CIDR notation, for example, 192.168.0.1/24
`otp.failure.coolDown.duration`	Integer	Required	Mutable	The amount of time the user is blocked after reaching the maximum number of passcode failures. Can be expressed in seconds or minutes. The minimum is two minutes, and the maximum is 30 minutes. Note that when using the "onetime authentication" feature, the user is not blocked after the maximum number of failures even if you specified a block duration.
`otp.failure.coolDown.timeUnit`	String	Required	Mutable	The time unit to use for `otp.failure.coolDown.duration`. Valid values are `MINUTES` and `SECONDS`.
`otp.failure.count`	Integer	Required	Mutable	The maximum number of times that the OTP entry can fail for a user before they are blocked. The minimum value is 1, maximum is 7.
`promptForNicknameOnPairing`	Boolean	Optional	Mutable	Set to `true` if you want to allow users to provide nicknames for devices during pairing.

PLATFORM and SECURITY_KEY device authentication policy data model (deprecated, replaced by FIDO device)

Property	Type	Required?	Mutable?	Description
`enabled`	Boolean	N/A	Read-only	Whether the device is enabled or disabled in the policy.
`fidoPolicyId`	String	N/A	Read-only	The FIDO policy UUID. This property can be null. When null, the environment's default FIDO Policy is used.

Policy migration data model

Used with the deviceAuthenticationPolicies endpoint and content type: application/vnd.pingidentity.deviceAuthenticationPolicy.fido2.migrate+json for batch conversion of device authentication policies associated with the previous FIDO policy format (device authentication policies that have FIDO Biometrics or Security Key enabled).

Property	Type	Required?	Mutable?	Description
`migrationData`	Array	Optional	Immutable	List of the objects that must be migrated.
`migrationData[].deviceAuthenticationPolicyId`	String	Required	Immutable	The UUID of the device authentication policy to migrate. Required if you are providing the `migrationData` object.
`migrationData[].fido2PolicyId`	String	Optional	Immutable	The UUID of the enhanced FIDO policy to associate with the device authentication policy. If this parameter is not provided, the default FIDO policy is used.

Device authentication policy events generated

Refer to Audit Reporting Events for the events generated.

Create Device Authentication Policy

Read Device Authentication Policies

Read One Device Authentication Policy

Update Device Authentication Policy

Update Device Authentication Policy (env with PingID integration)

Delete Device Authentication Policy

Migrate Device Authentication Policies

Reporting

You can use the reporting capability to generate reports containing user and MFA device details, using a number of device-related filters.

For example, you can generate a report listing all email devices or a report containing all of the devices whose phone number starts with a certain country code.

You can use synchronous requests to get back the matching data as entries in the JSON response or use asynchronous requests to have the data provided in a CSV or JSON file. Note that when using the synchronous approach, you may have to make multiple requests if there is a large amount of data.

The request for generating reports uses the dataExplorations endpoint:

https://{{apiPath}}/v1/environments/{{envId}}/dataExplorations

Note:

The data exploration objects created with the dataExplorations endpoint are saved only for a short time so you must send a POST request each time you want to generate a report.
You cannot call the dataExplorations endpoint more than once per 5 seconds for the same environment.
The database that serves as the source of the reports is updated once every fifteen minutes. So the content of a report may not reflect the exact device data at the time of generation.
When results are returned in files, the generated files are cached for two hours. During this period, if the results are requested again, the cached file is returned, rather than generating the report again. This applies both to the results for an existing dataExploration object and the results for any additional dataExploration object created with the exact same settings within this period.

MFA reports data model

Property	Type	Required?	Mutable?	Description
`dataExplorationTemplate.id`	String	Required	Immutable	The ID of the report template that should serve as the base for the report. Currently, the only supported value is db632bfd-7054-4bde-b108-a384aac2d513
`deliverAs`	String	Optional	Immutable	How the results should be returned. The valid values are ENTRIES (get the results as a collection of entries in the response) and ASYNC_FILE (get the results in a CSV or JSON file). If the parameter is not included, ENTRIES is used.
`fields[]`	Array	Optional	Immutable	The fields you want to include in the report. Array of name-value objects, where the name is always `"name"`, for example, `"fields":[{"name":"username"},{"name":"phone"}]`. The values that can be included are: `userId`, `environmentId`, `populationId`, `username`, `givenName`, `familyName`, `mfaEnabled`, `userCreatedAt`, `userUpdatedAt`, `deviceId`, `deviceOrder`, `deviceNickname`, `deviceType`, `deviceStatus`, `deviceIntegrityStateCompromised`, `deviceIntegrityStateReason`, `deviceIntegrityStateTimestamp`, `deviceIntegrityStateAdvice`, `phone`, `extension`, `email`, `deviceBlocked`, `blockedAt`, `deviceLocked`, `lockExpiration`, `fidoBackupEligibility`, `fidoBackupState`, `fidoUserVerification`, `sdkVersion`, `manufacturer`, `deviceName`, `modelName`, `osType`, `osVersion`, `appId`, `appVersion`, `mobileUnitId`, `installedApplicationId`, `rpId`, `deviceCreatedAt`, `deviceUpdatedAt`, `lastDeviceTrxTime`, `serialNumber` Note that if you do not include the `fields` parameter, the report will include all of the fields available.
`filter`	String	Optional	Immutable	You can filter the results by: `email`, `phone`, `deviceType`, `userId`, or `mfaEnabled`. The filters are used with the operators `eq` and `sw`. `eq` requires an exact match (including case-sensitivity). `sw` ("starts with") provides greater flexibility by matching only part of the string and performing a check that is not case-sensitive. The `sw` option can ony be used with the filters `email` and `phone`. When using the `deviceType` filter, you can use any of the values listed for `type` in the "Device properties" table under MFA devices. Examples: `"filter": "(deviceType eq \"EMAIL\")"`, `"filter": "(phone sw \"+972\")"`, `"filter": "(mfaEnabled eq \"true\")"` If you do not include the `filter` parameter, the report will include all users and their devices.
`sync`	String	Optional	Immutable	Set to "true" if you are using the `expand` query parameter.

Getting the report results

You can receive the report data as entries in the JSON response or as a file (CSV or JSON).

There are a number of ways you can get the report results. The recommended approaches for the most common scenarios are as follows:

For cases where you anticipate a fairly small number of records in the results:
- Run a POST request using the expand query parameter. This will create the dataExplorations object and also return the results as entries in the response. {{apiPath}}/environments/{{envID}}/dataExplorations?expand=entries
  
  For more information on the use of the expand query parameter, refer to "Link expansion" under Conventions.
For cases where you expect a large number of records, but would like to receive them as entries in the body of the response:
1. Run a POST request to create the dataExplorations object.
2. Run a GET request with /entries in the URL: {{apiPath}}/environments/{{envID}}/dataExplorations/{{dataExplorationID}}/entries
3. If there are too many results to include in one response, the _links section in the response will include a next object. Follow the next link, then using the same access token, run another GET request using the the next link as the URL.
4. Continue until the response no longer includes a next object.
  
  For more information on pagination, refer to Paging, ordering, and filtering collections.
For cases where you want to receive the results as a file:
1. Run the request to create a report and get the results as a file: POST {{apiPath}}/environments/{{envID}}/dataExplorations. In the body of the request, make sure that deliverAs is set to ASYNC_FILE.
2. The response to the report creation request will include a status field whose value is IN_PROGRESS.
3. Run the polling request GET {{apiPath}}/environments/{{envID}}/dataExplorations/{{dataExplorationID}}, using the ID that was returned when you created the report, until the status field in the response equals SUCCESS.
4. When the response contains the status SUCCESS, it will also include a link for downloading a zipped csv file, a link for downloading a zipped JSON file, and a password for opening the zip files. Use this information to download and unzip the report.
5. The report itself is cached for two hours, but the links are good for only five minutes.
6. If more than five minutes has elapsed from the time of the request that returned the links, get updated links by again running the request GET {{apiPath}}/environments/{{envID}}/dataExplorations/{{dataExplorationID}} using the ID that was returned when you created the report.
7. If more than two hours has elapsed since the report was created, run the report creation request again.

Create report of SMS devices - entries in response

Get report results - entries in response

Create report of MFA-enabled devices - results in file

Get report results - results in file - polling

MFA Settings

The MFA settings endpoint supports operations to read, update, and reset the PingOne MFA settings associated with a specified environment. A PUT request lets you manage the maximum number of allowed devices for pairing, and it lets you set the device selection option. A successful DELETE operation resets the MFA settings to the default.

Note: For API operations on a PingID workforce implementation hosted via a PingOne environment, use the PingID APIs instead. Refer to PingID API overview in the PingID API documentation. For more information about using PingID out of PingOne SSO platform, refer to Configuring a multifactor authentication experience using PingOne and PingID.

Maximum allowed devices

The MFA settings property pairing.maxAllowedDevices defines the maximum number of paired MFA devices each user within an environment can have. This can be any number up to 15. The default value is 5. You can update the setting with GET {{apiPath}}/environments/{{envID}}/mfaSettings and reset the setting to its default with PUT {{apiPath}}/environments/{{envID}}/mfaSettings.

If the maxAllowedDevices value is decreased below the number of paired devices a user currently has, the user's existing paired devices remain. After a paired device is deleted though, the user cannot replace it with a new one. This remains true until the number of existing paired devices is below the current value for maxAllowedDevices.

If the maxAllowedDevices limit is reached and the user attempts to create a new device, an error similar to the following is returned.

400 BAD REQUEST
{
  "id": "<errorId>",
  "code": "REQUEST_FAILED",
  "message": "The request could not be completed. There was an issue processing the request.",
  "details": [
    {
      "code": "LIMIT_EXCEEDED",
      "message": "Maximum allowed devices has been reached",
      "innerError": {
        "maximumAllowed": 5
      }
    }
  ]
}

Account lockout

The MFA settings property lockout.failureCount and lockout.durationSeconds defines the maximum number of incorrect MFA authorization actions a user can attempt (such as entering an incorrect OTP or denying a push confirmation on a native device) before the account is locked. The lockout.durationSeconds defines the amount of time after the lockout.failureCount value is exceeded to keep the account in a locked state. You can update the setting with PUT {{apiPath}}/environments/{{envID}}/mfaSettings.

For more information about account lockout, refer to User Accounts.

MFA settings data model

Property	Type	Required?	Mutable?	Description
`lockout`	Object	Optional	Mutable	Contains information about the MFA policy lockout settings.
`lockout.failureCount`	Integer	Optional	Mutable	The maximum number of incorrect authentication attempts before the account is locked.
`lockout.durationSeconds`	Integer	Optional	Mutable	The number of seconds to keep the account in a locked state.
`pairing`	Object	Optional	Mutable	Contains information about the MFA policy device pairing settings.
`pairing.maxAllowedDevices`	Integer	Optional	Mutable	The maximum number of MFA devices each user can have. This can be any number up to 15. The default value is 5. All devices that are Active or Blocked are subject to this limit.
`pairing.pairingKeyFormat`	String	Optional	Mutable	The type of pairing key issued. The valid values are NUMERIC (12-digit key) and ALPHANUMERIC (16-character alphanumeric key).
`phoneExtensions`	Object	Optional	Mutable	Contains settings for phone extension support.
`phoneExtensions.enabled`	Boolean	Optional	Mutable	Set to `true` to allow one-time passwords to be delivered via voice to phone numbers that include extensions. Set to `false` to disable support for phone numbers with extensions. By default, support for extensions is disabled.
`updatedAt`	Date	N/A	Read-only	When the resource was last updated.
`users`	Object	Optional	Mutable	Contains information about the default settings for new users.
`users.mfaEnabled`	Boolean	Optional	Mutable	Set `mfaEnabled` to `true` if you want MFA to be enabled by default for new users.

Note: The default method to use for MFA is now set at the MFA policy level rather than at the environment level. For backward compatibility reasons, authentication.deviceSelection is still included in the responses when reading, updating, or resetting the MFA settings for the environment. However, if you want to modify this setting, you must use the deviceAuthenticationPolicies endpoint.

Response codes

Code	Message
200	Successful operation.
400	The request could not be completed.
401	You do not have access to this resource.
404	The requested resource was not found.

Note: You need the Environment Admin role to read MFA settings resources.

Read MFA Settings

Update MFA Settings

Reset MFA Settings

OATH Tokens

You can use the PingOne API for various oath token management actions, including creating tokens, revoking tokens, and resyncing tokens.

Note: The maximum number of OATH tokens you can have in a PingOne environment is 100,000.

OATH token data model

Property	Type	Required?	Mutable?	Description
`createdAt`	Date	N/A	Read-only	The date the token was added to the environment.
`environment.id`	String	N/A	Read-only	The ID of the environment the token is associated with.
`hashAlgorithm`	String	Optional	Immutable	The algorithm used by the cryptographic hash function to generate OTPs. Can be any of the following values: `HmacSHA1`, `HmacSHA256`, `HmacSHA512`. If not provided, `HmacSHA1` is used as the default value. Currently for HOTP tokens, only `HmacSHA1` is supported, so this parameter is really only relevant for TOTP tokens.
`hotp`	Object	Optional	Immutable	Object containing fields that are relevant only for HOTP tokens.
`hotp.counter`	Integer	Optional	Immutable	The counter used by the HOTP token to generate OTPs. If not provided, 0 is used as the default value.
`id`	String	N/A	Read-only	The OATH token's unique identifier.
`otpLength`	Integer	Required	Immutable	Length of the OTPs generated - can be 6 or 8
`rowNumber`	Integer	Optional	Immutable	When creating OATH tokens with data that originated in a seed file, `rowNumber` can be used to indicate the row where the data for the token was located in the file.
`secret`	String	Required	Immutable	The OATH token's secret key. Can be up to 200 characters and must be a hexadecimal value. Used only as an input parameter, does not appear in any responses.
`serialNumber`	String	Required	Immutable	The OATH token's serial number. Can be up to 50 characters and all characters must be alphanumeric.
`totp`	Object	Required	Immutable	Object containing fields that are relevant only for TOTP tokens.
`totp.drift`	Integer	N/A	Read-only	Difference between the token's time and the server's time, expressed in time steps. A positive value indicates that the token's time is ahead.
`totp.timeStep`	Integer	Required	Immutable	Interval at which the OTP is refreshed - PingOne supports 30 seconds and 60 seconds.
`type`	String	Required	Immutable	Possible values are `HOTP` and `TOTP`.
`updatedAt`	Date	N/A	Read-only	The date the token was last updated.
`_embedded.devices`	Array	N/A	Read-only	Array of devices associated with an OATH token.
`_embedded.devices.id`	String	N/A	Read-only	ID of device associated with an OATH token.
`_embedded.devices.userId`	String	N/A	Read-only	ID of user for a device associated with an OATH token.
`_embedded.oathTokens`	Array	N/A	Read-only	Name of the array of tokens returned when all tokens are requested.

OATH token batch creation data model

These properties are relevant only for batch creation of tokens.

Property	Type	Required?	Mutable?	Description
`reason`	String	N/A	Read-only	If the job status is `FAILED`, provides the reason for the failure.
`result.created`	Integer	N/A	Read-only	The number of tokens created.
`result.duplicates`	Object	N/A	Read-only	Contains information about tokens whose creation was requested but were skipped because they already exist in the environment.
`result.duplicates.maskedSecret`	String	N/A	Read-only	The secret for the OATH token, partially-hidden.
`result.duplicates.rowNumber`	Integer	N/A	Read-only	The number of the row where the duplicate token was in the file whose content was imported.
`result.duplicates.serialNumber`	String	N/A	Read-only	The serial number of the duplicate token.
`status`	String	N/A	Read-only	The status of the job. Can be `PENDING`, `IN_PROGRESS`, `FAILED`, or `DONE`.
`tokens`	Array	Required	Immutable	Name of the array of tokens provided for creation. Each item in the array should include the same information you would include to create a single token, for example, serial number, as described in the OATH token data model table.
`type`	String	Required	Immutable	The type of job to run. For creation of tokens, set to 'CREATE_OATH_TOKENS'. Should not be confused with the `type` parameter used within each token in the array provided to indicate the type of token to create - TOTP or HOTP.

OATH token batch revoking data model

These properties are relevant only for batch revoking of tokens.

Property	Type	Required?	Mutable?	Description
`forceUnpair`	Boolean	Optional	Immutable	By default, revoke jobs revoke only unassigned tokens. Set `forceUnpair` to `true` if you want tokens to be revoked even if they are currently associated with a user. The association (device) will be removed before the token is revoked. When `forceUnpair` is not used, the response includes an array of tokens that were not revoked due to their association with a user.
`reason`	String	N/A	Read-only	If the job status is `FAILED`, provides the reason for the failure.
`result.revoked`	Integer	N/A	Read-only	The number of tokens revoked.
`result.unrevoked`	Array	N/A	Read-only	Array of objects that contain information about the tokens that were not revoked because they are associated with a user.
`result.unrevoked[].devices[].id`	String	N/A	Read-only	ID of device associated with the token that was not revoked.
`result.unrevoked[].devices[].user.id`	String	N/A	Read-only	ID of user whose device is associated with the token that was not revoked.
`result.unrevoked[].devices`	Array	N/A	Read-only	Array of devices associated with the token that was not revoked.
`result.unrevoked[].id`	String	N/A	Read-only	ID of the token that was not revoked.
`status`	String	N/A	Read-only	The status of the job. Can be `PENDING`, `IN_PROGRESS`, `FAILED`, or `DONE`.
`tokenIds`	Array	Required	Immutable	Name of the array of tokens provided for revoking. Each element in the array should be the ID of the token to revoke. The maximum number of token IDs you can include in a batch revoke is 1000.
`type`	String	Required	Immutable	The type of job to run. For revoking of tokens, set to 'REVOKE_OATH_TOKENS'.

OATH token resync data model

These properties are relevant only for resyncing tokens.

Property	Type	Required?	Mutable?	Description
`otps`	Array	Required	Immutable	Required for resync requests. array of two OTPs for the token, used to calculate the resync. The two OTPs can be provided in a single request or in two separate requests.

Create OATH token (TOTP)

Create OATH token (HOTP)

Create multiple OATH tokens

Check status of OATH token creation job

Retrieve all OATH tokens

Retrieve OATH token by ID

Retrieve OATH token by serial number

Revoke OATH token

Revoke multiple OATH tokens

Check status of OATH token revoke job

Resync OATH token

Resync OATH token paired with user

FIDO Policies

FIDO policies allow you to fine-tune the use of FIDO2 authentication in authentication flows, for example, by limiting authentication to specific types of FIDO2 devices.

An endpoint (fidoDevicesMetadata) is also provided for reading information from the device metadata table stored by PingOne, and for adding or removing custom devices.

FIDO policies data model

Property	Type	Required?	Mutable?	Description
`aggregateDevices`	Boolean	Optional	Mutable	By default, when the user is presented with a list of available authentication methods, each paired FIDO2 device is displayed separately. If you prefer to have only one generic FIDO2 option displayed in the list, set `aggregateDevices` to `true`. The text displayed for the single option will be the value of the parameter `deviceDisplayName`.
`attestationRequirements`	String	Required	Mutable	Set to DIRECT if you want to require some sort of attestation. Set to NONE if you don't want to require attestation. If you set `attestationRequirements` to NONE, you should also set `mdsAuthenticatorsRequirements.option` to NONE. Set the value to ENTERPRISE if you want to require enterprise attestation to verify that the authenticator being used was provided by the organization.
`authenticatorAttachment`	String	Required	Mutable	Used to control the type of authenticators that are allowed. Can be one of the following values: PLATFORM - only allow the use of FIDO device authenticators that contain an internal authenticator (such as a face or fingerprint scanner) CROSS_PLATFORM - allow use of cross-platform authenticators, which are external to the accessing device (such as a security key) BOTH - allow both categories of authenticators
`backupEligibility`	Object	Required	Mutable	Used to control whether users should be allowed to register and authenticate with a device that uses cloud-synced credentials, such as a passkey.
`backupEligibility.allow`	Boolean	Required	Mutable	Set to true if you want to let users register and authenticate with a device that uses cloud-synced credentials. Set to false if you don't want to allow this.
`backupEligibility.enforceDuringAuthentication`	Boolean	Required	Mutable	Set to true if you want the backup eligibility of the device to be checked again at each authentication attempt and not just once during registration. Set to false to have it checked only at registration.
`default`	Boolean	Optional	Mutable	Whether this policy should serve as the default FIDO policy.
`description`	String	Optional	Mutable	Description of the FIDO policy.
`deviceAuthenticationPolicies`	Array	N/A	Read-only	The device authentication policies that use the relevant FIDO policy. If you include the parameter `expand=deviceAuthenticationPolicies` in the URL of the request, this array is included in the response when reading FIDO policies. Each object in the array contains the ID and the name of the device authentication policy.
`deviceDisplayName`	String	Required	Mutable	The name to display for FIDO2 devices in registration and authentication windows. Can be up to 100 characters. If you want to use translatable text, you can use any of the keys listed on the FIDO Policy page of the Self-Service module and the Sign On Policy module. The value of the parameter should include only the part of the key name that comes after the module name, for example, `fidoPolicy.deviceDisplayName01` or `fidoPolicy.deviceDisplayName07`. Refer to the pages in the UI for the full list of keys. For more information on translatable keys, refer to Modifying translatable keys in the PingOne documentation. If users have more than one paired FIDO2 device, they can differentiate between them by setting a nickname for each one.
`discoverableCredentials`	String	Required	Mutable	Use this field to specify when registered users can authenticate without providing credentials. The possible values are: DISCOURAGED - discoverable credentials are not used, even when supported by the FIDO device. In cases where use of discoverable credentials is required by the FIDO device itself, this setting does not override the device setting. REQUIRED - require the use of discoverable credentials. This option is required for usernameless authentication. PREFERRED - use discoverable credentials where possible.
`eaUniqueIdentifierAttribute.name`	String	Optional	Mutable	When defining a FIDO policy that requires enterprise attestation, you can add an additional layer of security by using `eaUniqueIdentifierAttribute.name` to specify the name of a PingOne custom attribute that represents the unique identifier for the authenticator. If you include this field when creating the FIDO policy, a user's authenticator will be registered only if its identifier matches the value of the custom attribute. The value of this parameter must be the name of a single-value string custom attribute that already exists in the PingOne environment.
`mdsAuthenticatorsRequirements`	Object	Required	Mutable	Used to specify whether attestation is requested from the authenticator, and whether this information is used to restrict authenticator usage.
`mdsAuthenticatorsRequirements.allowedAuthenticators`	Array	Required	Mutable	If you set `mdsAuthenticatorsRequirements.option` to SPECIFIC, use this array to specify the authenticators that you want to allow.
`mdsAuthenticatorsRequirements.allowedAuthenticators.id`	String	Required	Mutable	The mdsIdentitfer of the authenticator to allow.
`mdsAuthenticatorsRequirements.enforceDuringAuthentication`	Boolean	Required	Mutable	Set to true if you want the device characteristics related to attestation to be checked again at each authentication attempt and not just once during registration. Set to false to have them checked only at registration.
`mdsAuthenticatorsRequirements.option`	String	Required	Mutable	Use `option` to specify the types of devices you want to allow on the basis of the attestation provided. Can be one of the following values: NONE - do not request attestation, allow all FIDO devices AUDIT_ONLY - attestation is requested and the information is used for logging purposes, but the information is not used for filtering authenticators GLOBAL - allow use of all FIDO authenticators listed in the Global Authenticators table. CERTIFIED - allow only FIDO Certified authenticators SPECIFIC - allow only the authenticators specified with the `mdsAuthenticatorsRequirements.allowedAuthenticators` parameter.
`name`	String	Required	Mutable	The name to use for the FIDO policy. Can be up to 256 characters.
`publicKeyCredentialHints`	Array	Optional	Mutable	The `publicKeyCredentialHints` array is used to indicate that you want to provide public key credential hints to the browser to help give priority to the authentication method that the user is most likely to use. You can include in the array one or more of the following values: `SECURITY_KEY`, `CLIENT_DEVICE`, `HYBRID`.
`relyingPartyId`	String	Required	Mutable	The ID of the relying party. The value should be a domain name, such as example.com (in lower-case characters). For Sandbox environments in PingOne, you can also use the value `localhost`.
`userDisplayNameAttributes`	Object	Required	Mutable	Used to specify the string associated with the users's account that is displayed during registration and authentication.
`userDisplayNameAttributes.attributes`	Array	Required	Mutable	List of strings associated with the users's account that can be displayed during registration and authentication. Each object in the array is a name:value pair where the first part is "name" and the second is the name of the user attribute, for example, `{"name": "username"}, {"name": "email"}`. If you want to use the "name" attribute for the user, you must also specify the "subAttributes", which can be either the "given" and "family" user attributes or the "formatted" user attribute. For example, `{"name": "name", "subAttributes":[{"name": "given"}, {"name": "family"}]}, {"name": "email"}` or `{"name": "name", "subAttributes":[{"name": "formatted"}]}, {"name": "email"}`. The content of the list should reflect the preferred order. If the first attribute is empty for the user, PingOne will continue through the list until a non-empty attribute is found. You can specify any user attribute (including custom attributes) that meet the following criteria: attribute type must be String, validation cannot be set to enumerated values. The array must contain the user attribute "username" - to ensure that there is at least one non-empty attribute. You can have a maximum of six user attributes in the list.
`userDisplayNameAttributes.suffix`	String	Optional	Mutable	Include `userDisplayNameAttributes.suffix` in the request if you would like to include the PingOne environment name and/or the PingOne organization name in the popup window that is displayed when a user adds a passkey as an authentication method. The possible values are ENV_NAME, ORG_NAME, ORG_NAME_AND_ENV_NAME.
`userPresenceTimeout`	Object	Optional	Mutable	Used to specify the amount of time the user has to perform a user presence gesture with their FIDO device before the request expires. The defined timeout applies also to the pairing of the device. Note that the information is provided as a hint to the authenticator so the actual time given may differ from what you defined.
`userPresenceTimeout.duration`	Integer	Optional	Mutable	The amount of time a user presence gesture will be accepted for the authentication request. Minimum is one minute, maximum is ten minutes. Can be set in minutes or seconds.
`userPresenceTimeout.timeUnit`	String	Optional	Mutable	The units to use for specifying the amount of time a user presence gesture will be accepted for the authentication request. Can be set to `MINUTES` or `SECONDS`.
`userVerification`	Object	Required	Mutable	Used to control whether the user must perform a gesture (such as a public key credential, fingerprint scan, or a PIN code) when registering or authenticating with their FIDO device.
`userVerification.enforceDuringAuthentication`	Boolean	Required	Mutable	Set to true if you want the device characteristics related to user verification to be checked again at each authentication attempt and not just once during registration. Set to false to have them checked only at registration.
`userVerification.option`	String	Required	Mutable	Can be one of the following values: REQUIRED - only FIDO devices supporting user verification can be used DISCOURAGED - user verification is not required, even when supported by the FIDO device. In cases where user verification is required by the FIDO device itself, this setting does not override the device setting. PREFERRED - user verification is required if the user's FIDO device supports it, but is not required if the user's device does not support it. For usernameless flows, only FIDO devices supporting user verification can be used, regardless of the value you set for `userVerification.option`.

Additional information returned in responses

id - the ID assigned to the policy
createdAt
updatedAt
_embedded.deviceAuthenticationPolicies - array of the device authentication polices that the FIDO policy is used by. Each object in the array consists of the ID of the device authentication policy and the name of the device authentication policy. Returned only if the query includes the parameter expand=deviceAuthenticationPolicies.

FIDO policies events generated

Refer to Audit Reporting Events for the events generated.

FIDO device metadata

PingOne maintains a global authenticator table, which presents metadata for indvidual authenticators. This includes both authenticators that are represented in the FIDO Alliance Metadata Service (MDS), and custom authenticator data that you add to the table via the UI or the API.

The endpoints provided for FIDO device metadata allow you to:

Retrieve the basic metadata for all of the authenticators in the table
Retrieve detailed metadata for a specific authenticator from the table
Add metadata for custom authenticators
Delete from the table a custom authenticator that you added

Adding a custom authenticator

When you use the fidoDevicesMetadata endpoint to add a custom authenticator to the global authenticator table, the data included in the request should comform with the Metadata Statement Format provided by the FIDO Alliance.

Before adding an authenticator, using JSON data provided by a manufacturer, verify that it conforms to the following details expected by the PingOne API:

The metadata outlined in the standard should be enclosed in an object called metadataStatement.
The metadataStatement should be enclosed in an object that also includes the relevant key identifier: the attestationCertificateKeyIdentifiers array for devices conforming with the U2F protocol, and the aaguid field for devices conforming with the FIDO2 protocol.

Sample body for request - U2F device

{
    "attestationCertificateKeyIdentifiers": [
        "31116a647069d1493f58fc5b54e5449e2a52d43e"
    ],
    "metadataStatement": {
        "legalHeader": "https://fidoalliance.org/metadata/metadata-statement-legal-header/",
        "attestationCertificateKeyIdentifiers": [
            "31116a647069d1493f58fc5b54e5449e2a52d43e"
        ],
        "description": "Yubikey Edge",
        "authenticatorVersion": 1,
        "protocolFamily": "u2f",
        "schema": 3,
        "upv": [
            {
                "major": 1,
                "minor": 1
            }
        ],
        "authenticationAlgorithms": [
            "secp256r1_ecdsa_sha256_raw"
        ],
        "publicKeyAlgAndEncodings": [
            "ecc_x962_raw"
        ],
        "attestationTypes": [
            "basic_full"
        ],
        "userVerificationDetails": [
            [
                {
                    "userVerificationMethod": "presence_internal"
                }
            ]
        ],
        "keyProtection": [
            "hardware",
            "secure_element",
            "remote_handle"
        ],
        "isKeyRestricted": false,
        "isFreshUserVerificationRequired": false,
        "matcherProtection": [
            "on_chip"
        ],
        "cryptoStrength": 128,
        "attachmentHint": [
            "external",
            "wired"
        ],
        "attestationRootCertificates": [
            "MIIDHjCCAgagAwIBAgIEG0BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbwnebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXwLvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJhjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4MYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kthX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2kLVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1UsG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqcU9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw=="
        ],
        "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAfCAYAAACGVs+MAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAHYYAAB2GAV2iE4EAAAbNSURBVFhHpVd7TNV1FD/3d59weQSIgS9AQAXcFLAQZi9fpeVz1tY/WTZr5Wxpc7W5knLa5jI3Z85srS2nM2sjtWwZS7IUH4H4xCnEQx4DAZF74V7us885v9/lInBvVJ/B4Pv9nu/5nu/5nvM556fzA/Qv0Hb/IrX3VFKPo45cnm4inUIWYwLFRmZQUuwjFG/N1iRHh1EZ0NRVRudqt1Bd+2nSKyS/Ohys0+lk3e/3kQ9qvD4ZUta4VVSUuY0eipyiThAfocoORVgDuuw3qKRiAd3rbcEtjTjYIof6WaHsCmzVPWCMx+cgh8tLqWMKaMWsUjLqo2RtJIQ0oOzmerpQu4esZgsONkGxH7d0kdvTT17s4OMU7VI8ZhjgGaM+Aq9iENu8Pif1udz07MwvKWf8GlVoCEY04PC5WdTaXYFbR8vNvL5+3Kgfb5xNMya9RamJiynaMlGTVtFlr6ba9u+pqnEX4uMuRRgjSYEhrN7utFFe6lqal7Nfkw5imAGHynPpbk8VmY0xstnptlFCVCYtzTuBN83QpMLjTtevdPzSUnJ7e8mkjxZ39fXbKDfldZqbvU+TUgGnBVF6fQ2iPHg4W16UWUwvzbk16sMZE+Pn0pvz7JSeuAyes8lcpCmaKuo/p+qWr2UcwIAHWrvP0YEzhXAtLAbssHhp7iGamvyijP8ryqrXUWX9XoowxyAufNBrp43POBFXZlkf8MDRiqcpyowAwpuz2x+fWvz/Dtde9smszygtcR6C1wbdzBl6Olq5WNYY4oGathJMrkTEx0jARSHAVs+5rYkQNXb+QgfPLsQ6gXyInsreQfmpm7RVFYfL86n1fiUOkYvShkUPxvbukzoy6K1ihM1ho3XzW6EvSfXA+dpiWGaWd+doXzLzmGwKYFLCAsRAlPBAhMlCFXU7tBUVPr8HgVcJHWq+F00plr+DMTdrP4zvxY11kNMhxT+SeTGg+d4V5LQJityUGJNB8VFZsjgYBZM/II/XCTkj0qyDOpF2AVQ17CIjUp/DnT1UkL5F5gdj+sS1wg1gE3gigm60fCXzSnPXbyAPbIXv+IDpE16ThaHIS9skyhlmME5F3cfqAKhq2C0E5PH1gYaXaLPDkZG0HDJOnKWHp51I0z5SOux8e1WAuZzdHQrTkp8TmjXoI+la0wGZszubqbO3ifQ6A/W7vVSYsV3mR0JKwkKc4WHiBkmR8I3CCgI87oOL4qzT5P+RUJBejEOgAPK8hYPzatM+eITp2IO9yTQmeromPRxx1qxAcsile/ubSeEbcWQGYECghcLY2HyKjogjH25hMpjpUv1Ougli4eh2eRw0O32bJjkyuCgNzg0vzlYMSiSs0uoo4MG7hMOjCEaX1yFE0nSvjBzuTnEpK86Z8IoqFAIubw8kg9ArEaREWSZI+jH4Xbp6g9E9EnJT3oaRzDN+MUJBQDHn56a8oUmEBusOxBs/N5+tJEbPkAFDj8UGvOs/IWvcSglGBhvS7/FTYfpWGYdDY8fPAxWSA35sTC4p4+Lm4AaqIoPeQtfufK6Jh0ZhxlbsUXOSmXNifD5ZTAkyDofbbcclxnA8WNAqxCbRNykhXxQpaDw67fXUYbsiG0Khtv2oeIvh8rhQMYOcEAqXG/eI+zngOc5yxr8q82IAM1c/FLFOplqu5eFQXrMZzGcVCjYbLWG5I4BT1euRrlbxtNOtMitDDEhLXIIynAAvuOEWE3X3NdAft94VgaG42XIQt0ZX6PeCE/qQFe9rK6Hx7YU50KvH7fW4fS+q7KKBJxsggBX5pSAGh1jIrVh5zQ6w3RfaahBXm/aCbCZTjCUFUTyWZqW9p62MjJPXVqOrPgMO4Nv74Gkf+owftNVBDQnjFJqHSw17pXvhWW5KZqe/Q49N/USTCAVWoQXFIHBHXXe3FPrUDsuGDmtF/hHKTHpekxhiAOPI+SJq6S6HF4I9YWzkBJTo46iUMzWp8Pir/RiduLxKYsSksV8vLlOQvhGX2YlR0OBhBjC+u/gEcvY0ApK7Yk41NxjPSQnWFHTF66UrjgevB8Cu5a+l2vYSRPtuVDo73hhdMSHnUX7tTjsVZGxAl/WptiOIEQ1gnL29mX6/tR1tmlkYj8W4X+CSjWcUDGY1NpS/C7hSKqiMLM/l2QmSWZ73Ddz+gio8BCENYPQ46qnkzwXUbqvBkxjUQsWfZFgbuo3rAf+wN7jOO90+ynx4Pi3L+0nYL1SchDUgAP4gPV/7Id1q+1HShmuGkIqWRPgyxMFqP8HfjTnjXwY5bQfbJct6OIzKgMHotF/He1egsaxHSqG6wfdmQ5x8NyTFFqBcp2iSowHR3yk5+36hF7vXAAAAAElFTkSuQmCC"
    }
}

Sample body for request - FIDO2 device

{
    "aaguid": "e1a96183-5016-4f24-b55b-e3ae23614cc6",
    "metadataStatement": {
        "legalHeader": "https://fidoalliance.org/metadata/metadata-statement-legal-header/",
        "aaguid": "e1a96183-5016-4f24-b55b-e3ae23614cc6",
        "description": "ATKey.Pro CTAP2.0",
        "authenticatorVersion": 2,
        "protocolFamily": "fido2",
        "schema": 3,
        "upv": [
            {
                "major": 1,
                "minor": 0
            }
        ],
        "authenticationAlgorithms": [
            "secp256r1_ecdsa_sha256_raw"
        ],
        "publicKeyAlgAndEncodings": [
            "cose"
        ],
        "attestationTypes": [
            "basic_full"
        ],
        "userVerificationDetails": [
            [
                {
                    "userVerificationMethod": "fingerprint_internal",
                    "baDesc": {
                        "selfAttestedFRR": 0,
                        "selfAttestedFAR": 0,
                        "maxTemplates": 0,
                        "maxRetries": 0,
                        "blockSlowdown": 0
                    }
                },
                {
                    "userVerificationMethod": "presence_internal"
                },
                {
                    "userVerificationMethod": "passcode_internal"
                }
            ]
        ],
        "keyProtection": [
            "hardware"
        ],
        "isKeyRestricted": false,
        "isFreshUserVerificationRequired": true,
        "matcherProtection": [
            "on_chip"
        ],
        "attachmentHint": [
            "external"
        ],
        "attestationRootCertificates": [
            "MIIBzDCCAXGgAwIBAgIBATAKBggqhkjOPQQDAjBiMQswCQYDVQQGEwJTRTESMBAGA1UECgwJQVRLZXlDQTAwMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMRswGQYDVQQDExJBdXRoZW50cmVuZCBDQSAwMDAwIBcNMTYwMjI2MDgxMTA2WhgPMjA1MDAyMjUwODExMDZaMGIxCzAJBgNVBAYTAlNFMRIwEAYDVQQKDAlBVEtleUNBMDAxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xGzAZBgNVBAMTEkF1dGhlbnRyZW5kIENBIDAwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJcWqeCxga9KJbFO2TZdjcgrtZAgfi8TXKu+v5lcR5ceb5GJYxyoCjhueESL3ddmMIkpGyhsEEtfFUyBwsyFVCjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwCgYIKoZIzj0EAwIDSQAwRgIhAPuVS4Pm2KFXdUMi5Pb/Xy+gCROOuRPZ6I57vWc0EvkBAiEA8aRCnXppAffCEOQBJ7vlgwiiHMXA2tpWX+ObvVKxXbM=",
            "MIIBzDCCAXGgAwIBAgIBATAKBggqhkjOPQQDAjBiMQswCQYDVQQGEwJTRTESMBAGA1UECgwJQVRLZXlDQTAwMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMRswGQYDVQQDExJBdXRoZW50cmVuZCBDQSAwMDAwIBcNMTYwMjI2MDgxMTA2WhgPMjA1MDAyMjUwODExMDZaMGIxCzAJBgNVBAYTAlNFMRIwEAYDVQQKDAlBVEtleUNBMDAxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xGzAZBgNVBAMTEkF1dGhlbnRyZW5kIENBIDAwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJcWqeCxga9KJbFO2TZdjcgrtZAgfi8TXKu+v5lcR5ceb5GJYxyoCjhueESL3ddmMIkpGyhsEEtfFUyBwsyFVCjFjAUMBIGA1UdEwEB/wQIMAYBAQECAQAwCgYIKoZIzj0EAwIDSQAwRgIhAMqIc/Qtr+jZbnrJB7g7W8r/DHmDe+IyFvzwpzdSrxEXAiEAtXcixZznhcDzlnIqFqkIJRGmvL9Yr6lVoP1ZkDeqmjk="
        ],
        "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJYAAAA9CAIAAADAuAeYAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAEnQAABJ0Ad5mH3gAABGuSURBVHhe7ZwJfBPV9sczS/Y03Rco3XcKBVwRBHkiT58LqxvCE3AtoIICBQTZ2gItUigtVGihKPoXAR+yyPLhARZZ1EdVoPoQpKW0BVq6Zc9klvxPMrfQliZNl7QPP/l+LnTmnDuTyfzuvefcm0kws9kscHEvg6O/Lu5ZUC/8z4BnNL8WYYSIt3Y7HGsIeH5M/M4stO/CNkjCswPHan/5HRf/r0jI6gz+45/t/fkatO/CNmggxXhwHLbMNGM20d1TaEaAWy4DwzG4Ev7aXNgH9cLCR8ZBL8TEIjPHyWLCcYLo+jQHpDPTtO7iFUxIcnqD38vP9t6WgXwubNNUQpFQQDODq88Schnv7mKoylunAu4nlZ4uCR2neUYKirJaPdrpcjidAW25cJgWJxVdPYQ2ohtf+l7FNS+85+lMCVmDkTOZOBPF0TSHbC6cTqdJqP/vle9k0af8Hjrp++BJZT+mph45XDiZTpPwYuICAhebWVbAmVmjoWSxa1beRXSOhPristoTx3GFDCMIjMAJhdv1TdtpjRa5XTiTzpHw8rSFBOmBYRirN3IUIyAwAU2XLs5EbhfOpBMkNJTdqD58hJBKYELpN/455cN9zRRNKOTlG75g9K55ntPpBAkvTV9MkAoBJmBYTVTWorDUObSxDoZTjjJeS3Z91OB0OiQhzMMN16uq9x3CZVJOb/AZMUKodPMYfL8iKp6jaFIuL1+/jaNMqLYL59AhCTGB4MrMFIIQwzbNqGJyV/D2yDULGGM9dETIaErTN/JGF06iQxJSlbeqdu63dEGD0XvIMGlIIG/3eeZvssgYmOALZfKyNfkczfB2F86gQxJeSUrDcEIAiSitjtmYiqxWIlfOZQxqgZBg62rL1my22lzrn06h/RJS1bVVn+8l5FLOSHkMHCSPi0QOK77jnpKFRppNDC5TlGVsZs2cddx10fm0X8KShRlmM2vpgib17SjYmLC0JMagwUjCVHmrYt1nyOqis2mnhHS96mb+LkIuMzOMcsADsqhQqqoaQuPtYrpV6/X4I9KgYAHLEVJZ+apc1zDqJNopYcmSdWYTDTknRpLG4rKTnv1/CB7yQ8jQ2+VM0OAzIY8yKq2AwHEhaaiouL7pS3Swi06lPRIyWv3N3O3WhzMsz0yZIc6RJCYSNi8EASkMVIBapFR+bcUn6HgXnUrzZ2egbz1SekLk78u7W+TSe0uvZX1Ckm5oH4HhMgnIBVsgKmegmqWgNFPXOyczMPEVtN8ShuLSMxFD7n52JjdvS0HBCYlYrKeopYsWRkU1SZ2akZyS+uefxUJSCNdSr6p/8IEH5ibNrqmpfStxuqe7u9FkHDjw4XemTd29Z++Or3bI5Qo7mbKJNvVLSJg1a2ZxcfGsOfO8Pb04M0eQRO7GHFTDNnq94d0ZM+FO4BheW1+/MSfb19feXW03JPrrMGaW5erUPV56wdrJGoC+JiKrvtwvEAlBQFws9h33pOWJwkZ3hzPRhj+uoJ02cuHChf3fHpDL5VqdbuZ77yBrSyTNnb8pb7NcJocrUqnU8fFxu3ZsBztFGffs3Rvg76/T6iRiCVj+vHxl7/4Dnh4eZtsaGg1GygRtURAeHn6hqEij1pAkWa9SjRk9+ul/PMnXscXWrZ/u3Pm1m9LNaKDuG9DfSfoBbZYQlIvdthrtNOVG/g5S5G5mWDLQIy5/FbJ2BiKxWCqXQWEFHMRWZL2LufPm5+bn+/j6gn5wo/sPSPj+u2O8C7qCVGo5A2c2w9nAIhTC6G6x2JEQw3GRxKI3kJaaMuXtRH8Pd5wkl6eltSohtCRPH2+RUKjRaFNSliCrE2hbLKQp09Xl60tXbLianFX+yd3pScO9YFm0YQWspatyr6Zml8KxGVts3rCOMW/+wo15+d5e3tb+p4qLir6tX4vo9LqayltVllJtp6jrVXz9cc+PVcjkLMeKxaLffv+9sLCQt7fI9q92lJVXCIVCiqL6D+j38EMPIYcTaJuEFRn5lxYsvvLhqouL5pEyS1t2BAiPdFXNHws/urJg1aVZc27tOYIcnceChR/lbMr18bHqp1ZHhoefKDiKfDaY9f7M2pqbZSWXym2XqhulX2zbig6AV5k3R1WngpdQSGXJKSuRtSXWZa9XKOTwxuvqVR8mzUFW59AGCSEKlmfkSWQBhETqHv5gwKtjkcMBwlLel7gFEQo3kcjvqvWj4E7si/MXfJSVs9HX1wdurlqtjouOPn2yAPlsI5FIPD09le7udoqHh4dCoUAHCATTp0/DMYzjOJFEeurMqeLiEuRoysFDhy/+cVkoEtE0HR0R8dRTrQy5HaQNEpZnfWaqrhIICcaoDkttU8syE2Jx0MwprFaNSUTac+dqDp3orNW2JUuTczZu8rPGP7VaA8lqwfF/I1+LYB1qPW++8ZpGq8NxTCgUp6V/jKxNWbs2SyaXwfVAPJ71wQxkdRoOS8iZyz7OJaQKs4mRBocFvPwMsjuERa+g2a8TCqWA4wiRvLMejlqyNGVt9nofH0v/02g08bGxJ+3GPwtm69W0l6SkOSajEWZikBvtP3CgtrYGORo4feaHs7/+AvMfhmEC/QNeGf8ycjgNRyUsz/vSWFGOCUnaoA5b0p6WJVQqA6e+wmo1mESs+qmw9vgZ5Ggvy9PSIeT4eFviH6T70VFRR44cRD7bgH4dkdDDXTl2zCiY8+E4TjPsuqwNyNHA2rWZoB8/JCQmvoWszsQhCSG/LFu50dIFaUYaGNRjyvPI0UaCkt7GYSoNHVEo4yNiO8AJyzUvX5m+Kn21l7cXTEmh//WOiz125JCd+cZtYBTlB9Kqqqpfz50v+u13O+X8+aKSq80D3sL583RaLXRESFi2/d+XEPCQQyAoKvr9u+9PSqVSlmXdPZSvTZmMHM7EIQmrtn6tLymB4Z81aEI+nIasbUfs49VzygssxBKpuP770/WnLXl5myITZBNKN7fs9TnpqzO8fX1APxNFxcfFHT64HybdqJJj5OZtGTDggUFDhw0aYrPcP3DQjPdnowMaCI8If2zoECNF4QShUqnzNm9BDoEgMysLjPyo/uqECfIu+YKYQ822dHmOUCI3M4w4oGfPt+2tkLVK0PxEHCbLHIeT0pJFa5HVYWRSacrytOQVK72t46fAbGYoU+7GHJiBoRqt0jCMKuQKH39/fz8/+GerBPj7QVaKDmjEgg/nqVUqzCyQK2Sb8pCEpdeuHThwSC6TQcoqkYindckoCrQuYeX2/frLlwUiEavXBs15gx/H2ge0BklPf/+JY1itHpdJ6o6eUJ0tcjwyWTTD8CPHjrkpFNAdeQtGEnOS5vMVHKKh1xuNhrq6OlV9fX1dnZ2i17XwQPPDDz2Y0LcPRZuEpLC8vGL3N9+AEcYGmmUgRmp1urGjR/n5+fGVnU3ry9w/9n3K+Oc1DOKMTDqw7CRpXZ1qkWNYCKn0gHgp7uU/8JLNzNBQWvFj9HBcJOSMlOcTg/sdzEcO28vcs5PmffHl9sZTNJPJRJtoyN1Bxprq6pRlS6ZPTUS+lrh542ZUXN+AHv56rW7UqJEbsjNPnjp17Ph3MDtENVqCppnIiPCXXnwB7Tdiz779r05+3c/P12g0xsXE7Nvzr9j4BMtXzDFMr9OdPHEsIjwCVXUyrcSP6/m76otOkQIvRqCOmZ9sRz/ALGAt39NnoDRZYGuGNCTQ78Wnb37+L0Iqu3XosOb8RbeEWORzDK1W2yc+ftjQIZmZ2UovD08vr2Upy0cMHx4dHYVq2OZ26H108GAoaKftjHru2eBegRqdXiwWXy4uHj9xEs0wkMjAtT054gk7+jEMu/2rrwICAmBI0Wg1JpoOCw3pl9BPJHI4FjTF3qgI7xb6ZUxKWlT6gtjlK3rOfB05bCD08hX6+wgDfElfL2SyQcjiGeLAQKG/r8SvV1nGnXTAEeAeBQf12v/N1xCQ+t3Xz6DXwwAhEgqnvN5Fsec2774zXaW2rLcROFb488+gHwxpDM3MnPEuqtESJGn5HYORY55/dvSYc+fOUxQ1aswLUbG9YUhANdoKnA44O3Dsd+LYAre+8D91s4o3QljmNxyhWVXHj4RXuV1Zf+XqUUFQgTLhOBn128T3kdVsnjVnbkCvkMjY+KCwyEGPPgZvm7eXlpUFBoeFRcZExMZ7+/VY8NFi3n43N67fULj7wBl69AqdOv09ZO0Y0IFCw6PComIjY3tHxMTDyQNDwkeNGYfcdomK66P08r106RJsnzx1WqrwCI+MNRgsiwZtxV4vtKQPDtOsapuSFAcrw+VC/FuXmSESod/HCe7VKzV5aX29Cnwenp7Z2Rt++s9Z3tUFCEnytSmTNCoNbFuzYzNo8MFMx9c9MMpo+TAyNjbGTeEGg2p5RTnvqKyqgv9rqmsqypEFKDz787Lk1G2ffwF5ADJZaUnC2+Gi62n1pTEzhjW55kmv/nPE8L/pNFpoCR5enhP+OQk5bNGxNdJmvPfuOxKZGMYR2IY727dvn6FDh/Au+6BrsLZevV5nNBkJgoQZTlb2+lDo1PH9Pv1sG/xNGPAQTDGhDnTuF1+Z8NLLL3762RdePgGNW2oLElp+tqe7aO2l4Z3DyIt2Gsjfslkmk9E0DbNDlUrTSlDs2BppM9zd3UNDQlnWEgogSM98dzpytAZcA8jHT2cXLlisrq2bNHGCm5sbxNeQ4F6EULh9567nnntu0KCHwThn3od7v9m7Oj0tJipqS94nQrF45Og7HxM1l9AMN9Fu2ulUMMsI2eY7LJNJczZkq1QquI/u7sodu3btP2BzsdRy79BmJ3D06PFz5y+AEtCAIsMjRo8aiRwOIJfLZ8+bHx0bf/HS5d27v165Ej0Ob2mOFJW1ZvVn+Xn79uxmaPrbAweU3l49A3uCNzg42MfbS6XWnDmDFpmbTipgkCLIH8MfE9zV0rsCGOLg9d2U/DNUbeLvI4ZPGP/Sjl27QULI1ye/9sa1kssyaQvrW5Z+bN1Yty47dWU61LfutYyRMj4+bNjWLXlo/y5WpKd7KJVmgaULLl20EFkdQ6fVZa/JCAkNQfsNQEOE9w9hld/V6Q0URYMFJqC8BaYxkARTDRGxSS+0JBY4xplojmG7odCs5QF+jGhfN8lelxkY4A/JKg5zDLF47LhWPuVhOY6GGQDL2ingpps+RNKYwsKff/zprEgqgXo9/QNenTgROVri0OHDGzbc+ZIXNFNoSTp9C7/SxLfg20keNLIe8L5MpqtXr/IWPajLsv0T+vO7SEKYj1uUo0yW37Jj2O4rcBkmuAyOsVwGf20AwzCQLJggiwev7R+Hy9+SB00bWivkiscLCrLX33lUEJq2CQ62nMMEZ7NYODPrAHyq0iIr0lYplW5wp7V63eTJk+wsPUIfhSY1fXpiQcEJZNGooYlUVlbyu43R6XQmFhrXna+DLVu8iMDwzMxs2D59+oeSPy/PTZrt4enOe9EC24WxibqiyzCR562OA2/A5h1tzWsHzkD5jBwetQYNTanLV36zd59UKoHhZfOmjQkJfXj73axavWbnrq8lUgm8r5qa2u+PHfX2sawzVFZVPv7EP7y9vYwGw99HjEhJXrJly9bsnE8UbncW7e4G+vSgRx5Z83E62m9EcXHJfQ8O9PH1AY2hw5wvPCtXyJGvJd6b8UHRb7/t27tbr9O++ea0G7cqhYQQJ7DRI0d+8P6decjSZckHDh3GCcLT3X3a1MRnn3mat//yy6/LV6ykGAYXYONffrHxmp9FQhCxodf+1YD7C+Mq2ulU3nhr6rcHDyoUCrVa/cZrk1OTlyFHl2OV0Npd2of9Yzty5v9lbt2qjo1PgGkoDNAmiir86UyXfS5xN5YW2pG7bP/Yv6R+wKqMNaSQxDEM8hEY67pRPwDFQheOYzAawyOiZdZPviD1OH3ieHh4OO/qFpwSJ/7awIQSkkkIsaDlsKFDulc/wNUL20yv0AiRSAQSqupVRw7t699/AHJ0E65e2DbSV62uKC2rq62/XnGjT5/4btcPcPXCtnHu3HmaoaELMgwbFhrivK+cOY5Lwnse10B6jyMQ/D/exLg8R/4sQAAAAABJRU5ErkJggg==",
        "authenticatorGetInfo": {
            "versions": [
                "U2F_V2",
                "FIDO_2_0",
                "FIDO_2_1_PRE"
            ],
            "extensions": [
                "credBlob",
                "credProtect",
                "hmac-secret"
            ],
            "aaguid": "e1a9618350164f24b55be3ae23614cc6",
            "options": {
                "uv": true,
                "userVerificationMgmtPreview": true,
                "credMgmt": true,
                "uvBioEnroll": true,
                "rk": true,
                "plat": false,
                "clientPin": false,
                "up": true,
                "bioEnroll": true,
                "credentialMgmtPreview": true
            },
            "maxMsgSize": 2048,
            "pinUvAuthProtocols": [
                1
            ],
            "maxCredentialCountInList": 20,
            "maxCredentialIdLength": 128,
            "transports": [
                "usb"
            ],
            "algorithms": [
                {
                    "type": "public-key",
                    "alg": -7
                },
                {
                    "type": "public-key",
                    "alg": -8
                }
            ],
            "firmwareVersion": 10013
        }
    }
}

Create FIDO Policy - all FIDO-certified authenticators

Create FIDO Policy - FIDO-certified and enterprise

Create FIDO Policy - specific authenticators

Add Custom FIDO Device - u2f

Add Custom FIDO Device - fido2

Read All FIDO Policies

Read All FIDO Device Metadata

Read Single FIDO Policy

Read FIDO Device Metadata - single u2f device

Read FIDO Device Metadata - single fido2 device

Update FIDO Policy

Delete Single FIDO Policy

Remove Custom FIDO Device

Remembered Devices

To reduce the friction of frequent authentication requests, your MFA policies can allow the use of a "remember me" option. When you enable this option, you specify the maximum time a device can be remembered. During this period, if a user tries to access applications from the same computer and browser, they will not be asked for further authentication.

The use of this feature requires the following elements:

Embedding the Signals SDK in the UI of your application.
Adding a "remember me" option to the UI of your application.
Enabling the "remember me" option in the MFA policies that you plan on using.
Sending an API request with the relevant information so that the user's browser is recorded as a remembered device.
When the user subsequently tries to access an application, sending the API request that compares the current browser information with the information that was recorded previously.

Note: To use the remembered device mechanism, the Signals SDK must have the universalDeviceIdentification option enabled. If the option is not enabled, you will get an error regarding the SDK payload when you try to create the remembered device.

Creating a remembered device

To create a remembered device:

Get the ID of the MFA policy that is being used.
Get the details of the MFA policy.
Check the content of the rememberMe object in the MFA policy to see if the "remember me" option can be used with this policy (rememberMe.web.enabled).
If "remember me" is enabled, send a request using the devices endpoint, as shown in the Create Remember Me Device example.
The response to the request will include a cookie in the set-cookie header. When it comes time to check if a device is remembered, you will have to include this cookie in the headers for the request.

Checking if device is recognized

To check if a user is using a remembered device:

Get the ID of the MFA policy that is being used.
Get the details of the MFA policy.
Check the content of the rememberMe object in the MFA policy to see if the "remember me" option can be used with this policy (ememberMe.web.enabled).
If "remember me" is enabled, send a request using the deviceAuthentications endpoint and the application/vnd.pingidentity.payload.check+json header, as shown in the Check if Device Remembered example. The headers must also include the cookie that was returned when the remembered device was created. Note that if you included the PingOne session ID by using the optional session.id parameter when creating the remembered device, you must include the deviceSession.id parameter when checking if the device is remembered.

Create Remembered Device data model

Property	Type	Required?	Mutable?	Description
`cookiesEnabled`	Boolean	N/A	Read-only	Whether cookies are enabled for the browser.
`createdAt`	Date	N/A	Read-only	The date and time the remembered device was created.
`environment.id`	String	N/A	Read-only	The ID of the PingOne environment.
`id`	String	N/A	Read-only	The ID of the remembered device.
`jsFingerprint`	String	N/A	Read-only	The fingerprint of the browser.
`lastAuthenticationMethod`	String	Optional	Immutable	To cover situations where certain applications require a more secure authentication method, you can use this field to provide the authentication method that was used when the remembered device was created. In subsequent access requests, when PingOne checks if a remembered device is being used, it will also verify that the method used during creation is an allowed authentication method for the current MFA policy. If the method used during creation is not allowed by the current MFA policy, the status `FAILED` is returned. The response to the `deviceAuthentications` request that completed the authentication process can be used to identify the authentication method that was used: The value of `selectedDevice.id` is the ID of the device that was used, and the `_embedded.devices` array contains the details of the user's paired devices, including ID and device type.
`lastRememberedAt`	Date	N/A	Read-only	The date and time that the create remember me request was last sent for this device.
`locale`	String	N/A	Read-only	The locale set on the device.
`name`	String	N/A	Read-only	The name of the browser.
`nickname`	String	N/A	Read-only	The browser nickname.
`operatingSystem.name`	String	N/A	Read-only	The operating system installed on the device.
`operatingSystem.version`	String	N/A	Read-only	The version of the operating system installed on the device.
`payload`	String	Required	Mutable	The payload from the Signals SDK .
`policy.id`	String	Required	Mutable	The ID of the relevant MFA policy. For creating a remembered device, you must use an MFA policy that has been enabled for the "remember me" feature.
`pushNotificationSupport`	Boolean	N/A	Read-only	Whether push notifications are enabled for the browser.
`screenResolution.height`	Integer	N/A	Read-only	The screen resolution height.
`screenResolution.width`	Integer	N/A	Read-only	The screen resolution width.
`session.id`	String	Optional	Mutable	For an added layer of security, you can also include the ID for a user's PingOne session. This parameter is optional, however, if you include it when creating the remembered device, you must also include the session ID (`deviceSession.id`) when you try checking if the device is remembered.
`status`	String	N/A	Read-only	The status of the device, for example, `ACTIVE`.
`type`	String	Required	Immutable	Must be set to `BROWSER`.
`updatedAt`	Date	N/A	Read-only	The date and time the remembered device was last updated.
`userAgent`	String	N/A	Read-only	User agent string for the browser.
`version`	String	N/A	Read-only	The version of the browser.

Check Remembered Device data model

Property	Type	Required?	Mutable?	Description
`authenticators`	Array	N/A	Read-only	Included in response when checking if device is a remembered device. If the device was recognized as a remembered device, the array will contain the values `rm`, `mfa`, and `swk`.
`bypassAllowed`	Boolean	N/A	Read-only	Indicates whether the authentication policy allows users to bypass MFA if they do not have a compatible authentication method.
`createdAt`	Date	N/A	Read-only	The date and time the remembered device was created.
`deviceSession.id`	String	Optional	Mutable	If you included the ID for a PingOne user session when creating the remembered device, you must also include the session ID when checking if the device is a remembered device. When creating the remembered device the parameter to use is `session.id`. When checking if the device is a remembered device, the parameter to use is `deviceSession.id`.
`environment.id`	String	N/A	Read-only	The ID of the PingOne environment.
`id`	String	N/A	Read-only	The ID of the flow.
`payload.type`	String	Required	Immutable	Value must be set to `BROWSER`.
`payload.value`	String	Required	Mutable	The payload from the Signals SDK.
`policy.id`	String	Required	Mutable	The ID of the relevant MFA policy.
`selectedDevice.id`	String	N/A	Read-only	The ID of the remembered device.
`status`	String	N/A	Read-only	The status of the check - `COMPLETED` if the device was recognized as a remembered device, `FAILED` if not.
`updatedAt`	Date	N/A	Read-only	The date and time the remembered device was last updated.
`user.id`	String	Required	Mutable	The ID of the user. Required when checking if the device is a remembered device.
`userBypassEnabled`	Boolean	N/A	Read-only	Indication of whether the specific user is currently permitted to bypass MFA.
`_embedded.blockedDevices`	Array	N/A	Read-only	Lists any of the users's authentication methods that are currently blocked.
`_embedded.devices`	Array	N/A	Read-only	Information on all of the authentication methods registered for the user.

Create Device Authentication Policy (with Remember Me enabled)

Create Remember Me Device

Check Remember Me Device

Working with PingOne APIs

If you want to start building your own workflows with PingOne APIs, the Workflow Library provides step-by-step workflows with linked Postman collections to help you start using the PingOne APIs in your Postman environment. For information about how PingOne secures APIs, resources, and data, and what you can do to implement security measures for your PingOne deployment and applications, refer to Platform security.

PingOne API domains

This section discusses how PingOne API regional endpoints are entered in the domain name system (DNS). In DNS, and in our endpoints, the domain part of the uniform resource locator (URL) comprises three parts separated by periods, such as api.pingone.com: one of our service-specific subdomains, our PingOne domain name of pingone, and one of our top level domains.

We use Postman variables to manage this variety of domain parts in PingOne API endpoints. The later discussion is correct regarding the domain part that the variables evaluate to. However, to ease maintenance, the Postman environment template you get when you download a collection uses variables to isolate the TLD from the rest of the domain part and to isolate the domain part from the rest of the endpoint.

The environment template has a path variable for each subdomain. Each path variable uses another variable, {{tld}}, for the top level domain (TLD). Such as https://api.pingone.com/v1 for {{apiPath}}. The tld variable is first in the environment template that you downloaded.

The table below shows the top level domain value for each region. To change your region, simply change the default {{tld}} value from com to your region's TLD.

Region	Code	Top level domain
North America region (excluding Canada)	NA	`com` (default)
Canada region	CA	`ca`
European Union region	EU	`eu`
Australia region	AU	`com.au`
Singapore region	SG	`sg`
Asia-Pacific region	AP	`asia`

The PingOne API includes the following domains:

Domain	Postman path variable	Description
`api.pingone.{{tld}}/v1`	`{{apiPath}}`	The primary domain for calling PingOne Management API resource server. Note: `/v1` is required for `{{apiPath}}`.
`auth.pingone.{{tld}}`	`{{authPath}}`	The authorization and authentication server domain called to request the access token required to authenticate PingOne API requests. Note: do not include `/v1` for `{{authPath}}`.
`orchestrate-api.pingone.{{tld}}/v1`	`{{orchestratePath}}`	The primary domain for calling the PingOne DaVinci Management API resource server. Note: `/v1` is required for `{{orchestratePath}}`.
`scim-api.pingone.{{tld}}/v1`	`{{scimPath}}`	PingOne API service for Cross-domain Identity Management (SCIM). Note: `/v1` is required for `{{scimPath}}`.

The {{...Path}} variable in the sample requests stand for the PingOne service endpoint. Refer to Public endpoints in the PingOne for Developers Foundations guide for more information.

The Try a Request feature

Our documentation for the PingOne APIs includes an interactive Try a Request feature. Try a Request enables you to configure and send a PingOne API request and get a response from within the documentation. This is a quick way to interactively test a PingOne API request without needing to use either Postman or the command line.

Requests in Authentication and Authorization APIs do not have the Try a Request feature due to a Cross-Origin Resource Sharing (CORS) constraint.

When copying values to populate the fields for a call, the Postman variable ({{apiPath}}, {{orchestratePath}}, {{scimPath}}) cannot contain the https:// prefix. The Try a Request feature for the call (such as, POST) prepopulates a Protocol field with the https:// protocol of the URL. Including https:// in the Postman variable duplicates the protocol and generates an error.

Calling the PingOne APIs from the command line

Each PingOne API request in the documentation includes an example request and response. By default, the example request is displayed using cURL. However, a number of coding languages are available in the associated drop-down list. If you want to run a request from the command line, you can select the coding language and copy the displayed request. You'll need to replace any variables in the request with the appropriate values before running the request.

Using Postman collection-level authorization

Most APIs require authorization to ensure that client requests access data securely. Postman can pass along whatever authorization details necessary for the method demanded by the endpoint. You can manually include authorization data in the header, body, or as parameters to a request. However, the easiest way is to use the Authorization tab in Postman. Select an authorization Type on that tab and Postman offers a dialog to gather the information required by that Type. When you run a request, Postman uses the information from the Authorization tab to automatically add the necessary authorization header, body, or parameters to the request. Postman offers the Authorization tab on requests, folders, and collections.

In PingOne collections, the authorization method is defined at the collection level. Only those requests that require a specific authorization method have authorization defined on the request (roughly 10% of PingOne requests). This allows you to easily change the authorization used for most requests. Refer to Postman Collection-Level Authorization for more information.

Postman and the PingOne APIs

We use Postman to create our PingOne DaVinci Admin API docs, and have supplied our Postman collections for you to download. There's also an accompanying Postman Environment template already populated with the variables used in the collections.

If you aren't currently using Postman, you can install the free version. Refer to Download Postman to install Postman, either locally, or in your browser.

Refer to The PingOne MFA API Postman collections for the collections you can download or fork.

For more information about our Postman environment variables, refer to The PingOne Postman environment template.

You'll also find all of the Postman collections for our documented PingOne use cases in our Workflow Library.

The PingOne Postman collections

You can get the PingOne MFA Postman collection by following either of these methods for retrieving a Postman collection into your workspace:

Fork the collection into your workspace. Postman retains an association between the source and your fork. If we update the source collection, you can pull those changes into the fork in your workspace.
Import the collection into your workspace. This is a one-time transfer and retains no association to the source collection.

To retrieve a collection

Refer to The PingOne MFA collections on this page.

Click the collection's Run In Postman button.
At the prompt, click Fork Collection at the bottom of the dialog or click import a copy near the bottom of the dialog.

Note: You need to be logged in to your Postman account to retrieve the collection.
Follow the on-screen instructions to fork or import the collection. You're prompted to select a Postman workspace for the retrieved collection.

When you fork a Postman collection, you create a copy of it in a selected workspace. Forking a collection creates a linked version that synchronizes with its source collection. This synchronization is apparent when you click the three dots icon on the forked collection - you'll see Pull changes on the context menu. When you click Pull changes, Postman compares the fork to the source collection. If changes are available, you can pull those changes into your fork. If you also elect to watch the collection, you'll receive notifications when the source changes.

If you import a collection, a copy is created in the selected workspace with no link back to the source. The collection is static. This may be desirable for some use cases. For example, if you intend to keep and use only some requests in a collection, a link back to the source is not needed.

You're not limited to choosing one method or the other. You can fork a copy to track the source and import a copy for experimentation, if you like.

The PingOne MFA collections

These Postman collections include requests for all create, read, update, and delete (CRUD) operations for the PingOne MFA APIs.

Collection	Description	Retrieve
PingOne MFA	Postman requests for the PingOne MFA API. Includes all environment variables. No example responses to make it easy to get started.
PingOne MFA	Postman requests for the PingOne MFA API. Includes all PingOne Platform API Reference documentation and example responses. No environment variables are included.

For more information about the Postman environment variables included when you download or fork one of our Postman collections, refer to The PingOne Postman environment template.

The PingOne Postman environment template

Our Postman collections use variables in the request URLs to specify the UUIDs for PingOne resources. When you click the Run in Postman button for a collection, these environment variables are included in your download or fork. Use these environment variables as a template to assign your PingOne resource UUIDs with the common variables used in many of the requests.

For more information about using Postman environments, refer to the following topic in the Postman documentation: Environments in Postman.

POST requests in the PingOne MFA API Postman collections that create a resource and return a resource ID include a Postman script. This script automatically adds a resource variable to your active Postman environment, and uses the newly created ID as the value.

For example, the following request creates a new MFA variable. This request URL contains variables for the API path and environment ID:

POST {{apiPath}}/environments/{{envID}}/variables

To run this request, you must ensure the {{apiPath}} in the Postman environment template has the regional top-level domain (TLD) associated with your organization. Refer to Variables you must value for more information.

Note: The Postman environment template has initial values for the path variables: {{apiPath}}, {{authPath}}, {{orchestratePath}}, and {{scimPath}} that rely on the {{tld}} variable. This {{tld}} variable has an initial value of com as the TLD. If you are outside the United States, refer to PingOne API domains for the TLD to use for your region.

Almost every request in PingOne requires an environment ID. If you are working primarily in one environment for testing purposes, you'll want to add your environment's UUID to your active Postman environment as the value for the {{envID}} variable.

Requests to PingOne Management API endpoints require a valid access token to authenticate the request. In the PingOne Postman collections, the token value is represented in the Postman environment template as the variable {{accessToken}}.

With the {{tld}} and {{envID}} variables defined in your Postman template, and with a valid token value defined in the {{accessToken}} variable, you can run the request shown above:

POST {{apiPath}}/environments/{{envID}}/variables

If the request is successful, Postman adds a {{variableID}} variable to the current Postman environment automatically, and associates the new user's id property value (the UUID of the new user) with this variable.

Notes about environment variables and security

It's important to understand how Postman allows you to Store and reuse values using variables. Postman has two values for each environment variable: an Initial value and a Current value. You'll want to pay particular attention to differences between Initial and current values. Initial values are saved to Postman's cloud, and available to anyone who has access to the environment. Current values are saved only locally and available only to you. Postman uses only the current value in requests. If an environment variable has an initial value but no current value, Postman doesn't copy it to the current value or use the initial value in the request, the request simply fails. In this case, you need to manually copy the initial value to the current value.

When you create a new variable with an initial value and save the environment, Postman autofills the current value. However, that is the only time that Postman autofills the current value. If you subsequently delete the current value, the variable is no longer valued in a request.

Saving initial values to the Postman cloud impacts security. These initial values are available to anyone who has access to the workspace. If a workspace is public, you have a security issue.

Postman's recommended solution to exposing secrets is to Store secrets in your Postman Vault. Remember that Postman uses only current values in requests.

Variables you must value

When you download or fork a PingOne Postman collection, your workspace receives a set of Postman environment variables for you to use as a template. The variables that represent a resource in PingOne automatically receive a value when you create a new PingOne resource using Postman. Our script associated with the request (shown on the request's Scripts tab) inserts the identifier of the resource it creates as the value of the variable associated with that resource. However, some variables essential to using Postman with PingOne do not have their values inserted automatically. You must manually add the correct value to these variables before making any requests in Postman:

Postman variable	PingOne resource
`adminAppID`	The Client ID of the Worker app you created Create an admin Worker app connection.
`adminAppSecret`	The Client Secret of the Worker app created.
`adminEnvID`	The ID for the environment in which your Worker app resides.
`envID`	The ID for the environment in which you are running your Postman API requests.
`orgID`	The ID for your organization. In the PingOne admin console, select Environment and click Properties to view your organization ID.
`tld`	The top-level domain to use for your environment. This is used in URLs containing `apiPath`, `authPath`, `orchestratePath`, and `scimPath`.
`apiPath`	The regional domain for the PingOne management server (`https://api.pingone.{{tld}}/v1`).
`authPath`	The regional domain for the PingOne authorization and authentication server (`https://auth.pingone.{{tld}}`).
`orchestratePath`	The regional domain for the PingOne DaVinci management server (`https://orchestrate-api.pingone.{{tld}}/v1`).
`scimPath`	The regional domain for the PingOne SCIM management server (`https://scim-api.pingone.{{tld}}`).

PingOne MFA

PingOne MFA

Authentication methods

Use Cases

Enable Users MFA

MFA settings data model

Response codes

Read User MFA Enabled

Update User MFA Enabled

MFA Bypass for User

Allow MFA Bypass for User

Check MFA Bypass Status for User

MFA Devices

Device order

Cases where the default device is not used for authentication

Setting device order

Retrieving an ordered list of devices

Deleting a default device

Removing device order

Custom device pairing notification with device creation

Device failure in flows

Device properties

EMAIL device properties

SMS/Voice device properties

Native device properties

Time-based One-time Password (TOTP) authenticator application device properties

FIDO2 devices

OATH token devices

PLATFORM and SECURITY_KEY webauthn device data model (deprecated, replaced by FIDO2 devices)

Device order properties

MFA devices events generated

Response codes

Filtering result data

Expanding result data

Related topics

Create MFA User Device (Voice)

Create MFA User Device (Email)

Create MFA User Device (TOTP)

Create MFA User Device (FIDO2)

Create MFA User Device (SMS)

Create MFA User Device (OATH token)

Create MFA User Device (WhatsApp)

Create MFA User Device for testing

Resend Pairing Code

Set Device Order

Remove Device Order

Activate MFA User Device (OATH token)

Activate MFA User Device

Activate MFA User Device (FIDO2)

Unlock MFA User Device

Block MFA User Device

Unblock MFA User Device

Read All MFA User Devices

Read One MFA User Device

Update Device Nickname

Send MFA Device Logs

Delete MFA User Device

MFA Pairing Keys

Creating a native device with a pairing key

Pairing key data model

Response codes

Create MFA Pairing Key

Read One MFA Pairing Key

Delete MFA Pairing Key

MFA Device Authentications

Device authentications data model

Device authentication events generated

Initialize Device Authentication

Device Authentication (Custom Notification)

Device Authentication (No User Name)

Device Authentication (One-time SMS)

Device Authentication (One-time Voice)

Device Authentication (One-time Email)

Select Device for Authentication

Validate OTP for Device

Check Assertion (FIDO Device)

Cancel Device Authentication

Read Device Authentication

MFA Authentication Code

Authentication codes request data model