The `/deviceAuthentications` endpoint initiates and completes an MFA action without requiring a call to the PingOne authorize service. It supports actions to select a supported MFA device type and to validate a one-time passcode (OTP).

When a device authentication MFA flow is initiated, the flow returns a `status` property in the response that identifies the next action in the flow. The following flow states prompt for a specific flow action:

`OTP_REQUIRED`
For a `status` value of `OTP_REQUIRED`, the `otp.check` action validates the one-time passcode.

`DEVICE_SELECTION_REQUIRED`
For a `status` value of `DEVICE_SELECTION_REQUIRED`, the `device.select` action prompts the user to select a supported device type for use in a multi-factor authentication flow.

`ASSERTION_REQUIRED`
For a `status` value of `ASSERTION_REQUIRED`, the `assertion.check` action validates the assertion.

`PUSH_CONFIRMATION_REQUIRED`
For a `status` value of `PUSH_CONFIRMATION_REQUIRED`, a push was sent to the specified mobile device to confirm the authentication.

`PUSH_CONFIRMATION_TIMED_OUT`
For a `status` value of `PUSH_CONFIRMATION_TIMED_OUT`, a push was sent to the specified mobile device, but the mobile device did not answer the push during the allowed timeframe.

Property | Type? | Required? | Mutable? | Description |
---|---|---|---|---|
`user.id` | UUID | Required | Mutable | A string that specifies the requesting user’s unique identifier. |
`createdAt` | Date | | Immutable | A date that specifies when the resource was created. |
`updatedAt` | Date | | Immutable | A date that specifies when the resource was last updated. |
`_embedded.devices` | Array | | Read-only | An array that specifies the list of authenticating devices. |
`error` | Object | | Read-only | An object that specifies the error field indicating the reason for a device authentication failure. |
`error.code` | String | | Read-only | A string that specifies the error code. |
`error.message` | String | | Read-only | A string that specifies the error message. |
`id` | UUID | Read-only | Immutable | A string that specifies the resource’s unique identifier. |
`mobilePayload` | String | | Immutable | A string that specifies the JSON that is the result of a `getMobilePayload` call (mobile app to mobile SDK). |
`application.id` | UUID | Optional | Mutable | A string that specifies the requesting application’s unique identifier. This identifier is required only during device authorization flows when the `mobilePayload` value is provided. |
`notification` | Object | Optional | Immutable | An object that holds dynamic notification data. |
`notification.template` | Object | Optional | Immutable | An object that holds dynamic template data. |
`notification.template.name` | String | Optional | Immutable | A string that specifies the notification template name. |
`notification.template.variant` | String | Optional | Immutable | A string that specifies the notification template variant. |
`notification.template.locale` | String | Optional | Immutable | A string that specifies the notification template locale. |
`notification.template.variables` | Map | Optional | Immutable | A map that specifies the notification template variables. |
`notification.clientContext` | Object | Optional | Immutable | An object that holds dynamic mobile push data. |
`policy.id` | UUID | Optional | Immutable | A string that specifies the device authentication policy ID. |
`publicKeyCredentialRequestOptions` | String | | Read-only | A string that specifies a JSON serialization of the client data passed on registration only. |
`selectedDevice.id` | UUID | Optional | Mutable | A string that specifies the unique identifier of the user’s selected MFA device. |
`status` | String | | Read-only | A string that specifies the flow status. Options are `DEVICE_SELECTION_REQUIRED`, `PUSH_CONFIRMATION_REQUIRED`, `PUSH_CONFIRMATION_TIMED_OUT`, `OTP_REQUIRED`, `ASSERTION_REQUIRED`, `COMPLETED`, and `FAILED`. |
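
The following client-side sketch is an added example, not PingOne code: it builds a request body that respects the table's Required and Read-only rules, and maps each documented `status` value to a decision, denying on anything unrecognized. The helper names `build_request` and `next_step`, the decision labels, the treatment of `PUSH_CONFIRMATION_TIMED_OUT` as a denial, and the mapping of dotted property names to nested JSON objects are assumptions of the example.

```python
# Added example: build_request and next_step are hypothetical helper names.
PROMPT_ACTIONS = {  # status -> flow action, as listed on this page
    "OTP_REQUIRED": "otp.check",
    "DEVICE_SELECTION_REQUIRED": "device.select",
    "ASSERTION_REQUIRED": "assertion.check",
}
# Properties the table marks Read-only; a client must not try to set them.
READ_ONLY = {"_embedded", "error", "id", "publicKeyCredentialRequestOptions", "status"}


def build_request(user_id, application_id=None, mobile_payload=None, **extra):
    """Build a request body; assumes dotted names map to nested JSON objects."""
    bad = READ_ONLY & set(extra)
    if bad:
        raise ValueError(f"read-only properties in request: {sorted(bad)}")
    if not user_id:
        raise ValueError("user.id is required")
    if mobile_payload is not None and not application_id:
        raise ValueError("application.id is required when mobilePayload is set")
    body = {"user": {"id": user_id}, **extra}
    if application_id:
        body["application"] = {"id": application_id}
    if mobile_payload is not None:
        body["mobilePayload"] = mobile_payload
    return body


def next_step(response):
    """Map a response to (decision, detail); anything unexpected is a denial."""
    status = response.get("status") if isinstance(response, dict) else None
    if status == "COMPLETED":  # the only value treated as success
        return ("authenticated", None)
    if status in PROMPT_ACTIONS:
        return ("action", PROMPT_ACTIONS[status])
    if status == "PUSH_CONFIRMATION_REQUIRED":
        return ("wait", "push sent to mobile device")
    if status == "PUSH_CONFIRMATION_TIMED_OUT":  # example policy: not authenticated
        return ("deny", "push not answered in time")
    if status == "FAILED":
        err = response.get("error") or {}
        return ("deny", f"{err.get('code')}: {err.get('message')}")
    return ("deny", f"unexpected status {status!r}")  # fail closed


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real environment.
    failed = {"status": "FAILED", "error": {"code": "EXAMPLE_CODE", "message": "constructed"}}
    for sample in ({"status": "OTP_REQUIRED"}, {"status": "COMPLETED"}, failed,
                   {"status": "completed"}, {}):
        print(sample, "->", next_step(sample))
```

The status comparison is exact and case-sensitive, so a response such as `{"status": "completed"}` is denied rather than treated as success.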