PingOne MFA is a multi-factor authentication solution that provides additional security layers to verify user identities. It supports various methods such as push notifications, Time-based One-Time Passwords (TOTP), and FIDO2, ensuring robust protection against unauthorized access.

What is PingOne MFA?

PingOne MFA enhances security by requiring more than one form of verification for user authentication. This can include something the user knows (password), something they have (smartphone), and something they are (biometric data).

How do I configure MFA in PingOne?

Configuring MFA in PingOne involves setting up authentication policies that specify which MFA methods users must use. Below, we’ll walk through setting up push notifications, TOTP, and FIDO2.

Setting Up Push Notifications

Push notifications are a convenient and secure method for MFA. They require users to approve login attempts directly from their mobile devices.

Step-by-Step Guide

Create an Authentication Policy

Navigate to the PingOne console, go to Applications, select your application, and create a new authentication policy.

Add Push Notification Factor

In the policy editor, add a new factor and select "Push Notification."

Configure Push Notification Settings

Set up the push notification settings, including the message template and timeout period.

Save and Test

Save the policy and test it by attempting to log in to your application.

📋 Quick Reference

- Navigate to Applications > Select Application > Authentication Policies
- Add "Push Notification" as a factor
- Configure message and timeout settings
- Save and test the policy

Common Issues

⚠️ Warning: Ensure the mobile app is installed and configured correctly on the user's device.

🎯 Key Takeaways

  • Push notifications provide a secure and user-friendly MFA method.
  • Configure message templates and timeout settings carefully.
  • Test the policy thoroughly before going live.

Setting Up TOTP

Time-based One-Time Passwords (TOTP) are another popular MFA method. They generate a unique code that changes every 30 seconds.

Step-by-Step Guide

Create an Authentication Policy

Navigate to the PingOne console, go to Applications, select your application, and create a new authentication policy.

Add TOTP Factor

In the policy editor, add a new factor and select "TOTP."

Configure TOTP Settings

Set up the TOTP settings, including the QR code generation and backup codes.

Save and Test

Save the policy and test it by attempting to log in to your application.

📋 Quick Reference

- Navigate to Applications > Select Application > Authentication Policies
- Add "TOTP" as a factor
- Generate QR code and configure backup codes
- Save and test the policy

Common Issues

⚠️ Warning: Ensure the user's device time is synchronized with an NTP server.

🎯 Key Takeaways

  • TOTP is widely supported and easy to implement.
  • Generate QR codes and distribute backup codes securely.
  • Test the policy thoroughly before going live.

Setting Up FIDO2

FIDO2 (Fast IDentity Online 2) is a modern, secure, and user-friendly authentication standard. It is based on public key cryptography and can use biometric data for user verification.

Step-by-Step Guide

Create an Authentication Policy

Navigate to the PingOne console, go to Applications, select your application, and create a new authentication policy.

Add FIDO2 Factor

In the policy editor, add a new factor and select "FIDO2."

Configure FIDO2 Settings

Set up the FIDO2 settings, including the attestation level and relying party information.

Save and Test

Save the policy and test it by attempting to log in to your application.

📋 Quick Reference

- Navigate to Applications > Select Application > Authentication Policies
- Add "FIDO2" as a factor
- Configure attestation level and relying party information
- Save and test the policy

Common Issues

⚠️ Warning: Ensure the browser supports WebAuthn and the device has a compatible security key or biometric sensor.

🎯 Key Takeaways

  • FIDO2 offers strong security and a seamless user experience.
  • Configure attestation levels and relying party information carefully.
  • Test the policy thoroughly before going live.
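As an added illustration, not PingOne's code or the page's, the checks below show what the relying party information and user-verification policy configured above drive on the server side of a WebAuthn assertion: the origin and challenge in clientDataJSON, the rpIdHash binding in authenticatorData, the UP/UV flags, and the signature counter used to spot cloned authenticators. The function names, the RP ID "login.example.com", and the sample data are constructed; the credential signature check itself is omitted.

```python
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present (touched the key or otherwise interacted)
FLAG_UV = 0x04  # user verified (PIN or biometric)


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed assertion authenticatorData: rpIdHash(32) || flags(1) || signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_client_data(client_data_json: bytes, expected_origin: str,
                       expected_challenge: str) -> tuple[bool, str]:
    """Check the browser-supplied clientDataJSON against what the relying party issued."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "not an assertion (type != webauthn.get)"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} does not match the relying party origin"
    if data.get("challenge") != expected_challenge:
        return False, "challenge does not match the one issued for this login"
    return True, "ok"


def verify_authenticator_data(auth_data: bytes, expected_rp_id: str, require_uv: bool,
                              last_sign_count: int) -> tuple[bool, str]:
    """Apply the checks that the configured RP ID and verification policy determine."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match the configured relying party ID"
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not flags & FLAG_UV:
        return False, "policy requires user verification (PIN/biometric) but UV flag not set"
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase: possible cloned authenticator"
    return True, "ok"


# Constructed sample: an assertion for the relying party ID "login.example.com".
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
SAMPLE_CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # base64url challenge, constructed
SAMPLE_AUTH_DATA = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=42)
SAMPLE_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": SAMPLE_CHALLENGE,
                                 "origin": RP_ORIGIN}).encode()
```

A mismatched rpIdHash is the usual cause of a credential registered under one hostname refusing to work under another, which is why the relying party ID must be set deliberately rather than left to differ between environments.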

Comparing MFA Methods

Method             | Pros                                      | Cons                                      | Use When
Push Notifications | User-friendly, secure                     | Requires mobile app                       | Mobile-first applications
TOTP               | Widely supported, easy to implement       | Device time must be synchronized          | Traditional web applications
FIDO2              | Strong security, seamless user experience | Browser and device compatibility required | Modern web and desktop applications

Security Considerations

Protect Secret Keys

🚨 Security Alert: Never expose secret keys or configuration details in your code or logs.

Regular Audits

Regularly audit authentication logs for suspicious activity and ensure all MFA methods are functioning correctly.

Strong Encryption

Ensure all data transmitted during the authentication process is encrypted using strong protocols like TLS.

User Education

Educate users on the importance of MFA and how to properly use each method.

Troubleshooting Common Errors

Error: “Invalid TOTP Code”

⚠️ Warning: Ensure the device time is synchronized with an NTP server.

Error: “FIDO2 Not Supported”

⚠️ Warning: Verify browser and device compatibility with WebAuthn.

Error: “Push Notification Failed”

⚠️ Warning: Check that the mobile app is installed and configured correctly.

Conclusion

Implementing MFA in PingOne using push notifications, TOTP, and FIDO2 provides robust security for your applications. Follow the steps outlined above to configure each method and ensure a seamless user experience. Remember to test thoroughly and follow best practices for security.

That’s it. Simple, secure, works. Go ahead and set up MFA today.