The PingOne MFA services provide capabilities for enabling MFA actions in authentication flows, configuring MFA settings and policies, and specifying MFA devices.
For MFA authentication:
For MFA policies and settings:
The MFA settings endpoint supports operations to read, update, and reset the PingOne MFA settings associated with a specified environment. See MFA Settings.
The Device authentication policies (identified in the PingOne UI as “MFA Policies”) enable you to configure different settings per MFA authentication method, according to your security policies. See Device Authentication Policies.
For MFA device management:
The enable user settings (MFA) control whether a user can authenticate using MFA actions. This endpoint enables or disables MFA capability. See Enable Users MFA.
The MFA devices service defines the MFA method or methods associated with a user, such as email, SMS, voice, or other MFA device types for use in an MFA flow. See MFA Devices.
To enable multi-factor authentication (MFA) via push notification on a native device, the user resource must have a native device and an application associated with its user ID. The association is implemented with a pairing key. See MFA Pairing Keys.
PingOne MFA supports the following authentication methods:
Authentication Method Reference (amr) | Description |
---|---|
EMAIL | OTP through email |
MCA | Multiple-channel authentication, indicating an out-of-band operation through mobile push, either interactive or “silent” |
MFA | Multi-factor authentication, indicating some MFA method, as opposed to a Bypass scenario |
OTP | Time-based one-time passcode using an authenticator application or mobile OTP |
SMS | OTP through SMS text message |
SWK | Software-secured key, indicating device authorization using a trusted mobile device |
TEL | OTP through a phone call |
USER | User presence test, indicating an interactive push notification approved by the user, as opposed to a non-interactive “silent” push notification |
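
A relying party can use these values to decide whether a sign-on is strong enough for a sensitive operation. The following is an added example, not PingOne code: it assumes the values arrive as a list of strings in the `amr` claim of an ID token that has already been verified, and the function name `evaluate_amr` and the policy it applies (reject a bypass, a silent push, and OTPs delivered by email, SMS or voice) are illustrative choices.

```python
# Added example: policy check over the amr values listed in the table above.
# Assumption: `claims` is the payload of an ID token whose signature, issuer,
# audience and expiry were verified elsewhere; `amr` is a list of strings.

# OTPs sent over a channel outside the authenticator app (table: EMAIL, SMS, TEL).
DELIVERED_OTP = {"EMAIL", "SMS", "TEL"}


def evaluate_amr(claims, allow_delivered_otp=False):
    """Return (allowed, reasons); `reasons` lists every policy failure."""
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        return False, ["amr claim missing or malformed"]

    # Compare case-insensitively; values outside the table (for example a
    # first-factor value) are ignored rather than counted as MFA evidence.
    methods = {v.upper() for v in amr}
    reasons = []

    # MFA marks that some MFA method ran, as opposed to a Bypass scenario.
    if "MFA" not in methods:
        reasons.append("no MFA method recorded (possible bypass)")

    # MCA covers interactive and silent push; only USER shows the user approved.
    if "MCA" in methods and "USER" not in methods:
        reasons.append("push was silent: no user presence test")

    delivered = sorted(methods & DELIVERED_OTP)
    if delivered and not allow_delivered_otp:
        reasons.append("OTP delivered over " + ", ".join(delivered))

    return (not reasons), reasons


# Constructed sample payloads, not captured from a real environment.
SAMPLES = {
    "interactive push": {"amr": ["MFA", "MCA", "SWK", "USER"]},
    "silent push": {"amr": ["MFA", "MCA", "SWK"]},
    "sms otp": {"amr": ["mfa", "sms"]},
    "password only": {"amr": ["pwd"]},
    "no amr": {"sub": "constructed-user-id"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        allowed, reasons = evaluate_amr(claims)
        print(f"{name:17} allowed={allowed} {reasons}")
```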