Gift Card Redemption Authentication

Gift Card Redemption - Device Authentication - Subflow

The Gift Card Redemption - Device Authentication - Subflow lets users authenticate using a known device.

Purpose

The Gift Card Redemption - Device Authentication - Subflow enables users to authenticate using a known device. The flow evaluates the devices associated with the user account, invoking the Gift Card Redemption - Magic Link Authentication - Subflow flow if necessary. It then enables the user to select an authentication method and authenticates the user with the selected method.

Structure

This flow is divided into sections using teleport nodes:

Gather Browser And Devices Data

Uses a PingOne node to gather the user’s existing devices. Next, an HTML node evaluates the user’s browser to determine if biometrics are available. The flow then progresses to the Filter and Mask Devices section.

Filter and Mask Devices

Filters the list of available devices to create a list of usable devices, then masks the device information so that the devices can be identified without displaying the full device information. The flow then progresses to the Check If MFA Enabled And Any Device Active section.

Check If MFA Enabled And Any Device Active

Uses a PingOne node to check the user’s MFA status. If MFA is enabled and the user has active devices, the flow progresses to the Decide Authentication Path Based On MFA Policy section. If MFA is not enabled or the user has no active devices, the flow progresses to the Call Magic Link Authentication section.

Decide Authentication Path Based On MFA Policy

Uses a PingOne node to begin MFA authentication. If an assertion or an OTP is required, the flow progresses to the Default Device Enrichment section. If the user has multiple devices, or if the user has only one usable device and magic link is enabled, the flow progresses to the Device Selection section. If the user has one usable device and magic link is not enabled, the flow progresses to the Default Device Enrichment section.

Call Magic Link Authentication

Invokes the Gift Card Redemption - Magic Link Authentication - Subflow flow if magic link authentication is enabled. The flow then progresses to the Return Success section.

Device Selection

Presents the user with an HTML page on which they can select a device.

  • If the user selected magic link, the Gift Card Redemption - Magic Link Authentication - Subflow flow is invoked, and the flow then progresses to the Return Success section or to the Device Selection section depending on the subflow results.

  • If the user selected another authentication method, a PingOne records their selection and the flow progresses to the Default Device Enrichment section.

Default Device Enrichment

Uses a function node to enrich the device details, then the flow progresses to the Handle TOTP, SMS, Voice, Mobile and Email OTP Authentication section if an OTP is required, to the Handle FIDO2 Authentication section if assertion is required, or to the Start Mobile Push section if push confirmation is required.

Handle TOTP, SMS, Voice, Mobile and Email OTP Authentication

Uses function nodes to begin tracking the number of attempts and check the device type, then presents the user with an HTML page with options to enter the passcode, change devices, or resend the OTP.

  • If the user selects resend, the number of resend attempts is incremented and compared to the maximum. If the maximum has not yet been reached, a PingOne node resends the OTP and a confirmation message is displayed.

  • If the user selects a different method, the flow progresses to the Device Selection section.

  • If the user enters a passcode, a function node converts the value to lowercase, then a PingOne MFA node evaluates the passcode. If the passcode is validated successfully, the authentication method is saved as a variable and the flow progresses to the Return Success section.

Handle FIDO2 Authentication

Presents users with the option to select a different device or continue with the current device. If the user selects a different device, it progresses to the Device Selection section. If the user continues, it uses a PingOne MFA node with FIDO assertion to authenticate the user. If the authentication succeeds, the flow progresses to the Return Success section.

Mobile Push Flow

Displays a polling page, then branches based on the user’s selection.

  • If the user chooses to use a passcode, the flow progresses to the Mobile Passcode Flow section.

  • If the user chooses to use a different device, the flow progresses to the Device Selection section.

  • If the user attempts to authenticate using the current device, a PingOne MFA node reads the device authentication.

The flow branches again based on the authentication status.

  • If the status is complete, a function node saves the authentication method as a variable and the flow progresses to the Return Success section.

  • If the status is failed, a function node checks whether the attempt timed out. If so, the flow progresses to the Mobile App Timed Out section.

  • If the status is push configuration required, polling continues.

  • If the status is push configuration timed out, a function node checks if OTP fallback is allowed. If so, the flow progresses to the Mobile Passcode Flow section.

Mobile Passcode Flow

Presents users with an HTML form, with options for retrying, cancelling, or submitting an OTP.

  • If the user retries, a PingOne MFA node performs device selection and the flow returns to the Mobile Push Flow section.

  • If the user cancels, the flow progresses to the Device Selection section.

  • If the user submits an OTP, a PingOne MFA node checks the device passcode. A function node then saves the authentication method as a variable and the flow progresses to the Return Success section.

Mobile App Timed Out

Displays an error screen which presents the user with multiple options.

  • If the user retries, a PingOne MFA node performs device selection and the flow returns to the Mobile Push Flow section.

  • If the user selects Change Device, the flow progresses to the Device Selection section.

Return Success

Sends a success JSON response, indicating that the flow has completed successfully.

Return Error

Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs.

Input name Required Description

p1UserId

Yes

The current user’s PingOne user ID.

resendOtpLimit

Yes

The maximum number of times a new OTP can be sent to the user.

email

No

The user’s email address.

p1MFAPolicyId

No

The PingOne MFA policy to apply.

allowedDeviceTypes

No

A string containing any or all of SMS, EMAIL, FIDO2, TOTP, VOICE, MOBILE indicating the allowed device types.

otpFallbackAllowed

No

A boolean indicating whether a user can fall back to an OTP after an authentication failure.

magicLinkEnabled

No

A boolean indicating whether magic link is enabled.

companyLogo

No

The company logo.

Used only when the main flow was launched using a redirect.

cancelEnabled

No

A boolean indicating whether the user can cancel an authentication method selection.

Output schema

This flow has the following outputs.

Output Name Description

subflowResult

The result status of the flow.

authMethod

The authentication method used, if the user successfully authenticated.

errorMessage

The error message to pass to the parent flow.

errorDetails

The details of the error that occurred.

Variables and parameters

This flow uses the following variable or parameter values.

Variable name Parameter name Description

resendOtpAttempts

None

The number of times the user has resent an OTP.