Known issues and limitations

The PingOne MFA IdP Adapter only supports automatic device enrollment for SMS, voice, and email authentication methods. Users can add other authentication methods directly through the PingOne MFA self-service URL. Learn more in Self service and Managing authentication methods in the PingOne MFA documentation.

To use a localized version of the adapter messages file, a copy of the core PingFederate messages file must exist with the same language tag. For example, to allow pingone-mfa-messages_fr.properties to work, create pingfederate-messages_fr.properties.

As a security measure, if the user initiates a password reset flow and multi-factor authentication (MFA) is not satisfied, the PingOne MFA IdP Adapter fails. For example, this applies when the user clicks the password reset link on the HTML Form Adapter and the PingOne authentication policy dictates that MFA is bypassed for the user.

If a user has existing authentication methods, but no default is set, the adapter doesn’t set a default authentication method. This scenario can occur if the user was created before PingOne supported default authentication methods.

The PingOne MFA IdP Adapter only adds authentication methods to PingOne. If you want to synchronize authentication methods and other user attributes, use the PingOne Connector provided in the PingOne Integration Kit.

Setting the OTP Lifetime higher than 15 minutes in the PingOne MFA policy has no effect because PingOne flows expire after 15 minutes of inactivity, making the OTP unusable.