PingOne

Adding an authentication policy

You can add one or more authentication policies.

  1. Go to Authentication > Authentication.

  2. Click Add Policy.

  3. Enter a policy name.

  4. In the Step Type list, select the protocol for the first step:

    Step types and descriptions:

    Login: Requires only one piece of evidence to verify a user’s identity, such as a username and password.

    Identifier First: Allows you to identify users before you authenticate them.

    Multi-Factor Authentication (Customer only) or PingID Authentication (Workforce only): Requires two pieces of evidence to verify a user’s identity, such as a user name and password as well as a one-time passcode (OTP). You can also use multi-factor authentication (MFA) to set up passwordless authentication.

    External Identity Provider: Allows end users to access your applications by authenticating with the external identity provider (IdP).

  5. (Optional) Click Add Step to add another step to the authentication policy.

    You can add any of the step types discussed previously, in addition to the following step types that can’t be used for the first step in an authentication policy:

    Step types and descriptions:

    Progressive Profiling: Allows you to prompt a user for information to be added to their profile after the initial registration step. For example, you could prompt users to add their mobile phone number the next time they sign on. Learn more in Progressive profiling and Adding a progressive profiling step.

    Agreement Prompt: Requires end users to consent to a terms of service agreement as part of a sign-on policy. Learn more in Agreements.

  6. Continue adding steps as needed for your authentication policy.

  7. Click Save.

The first step in a policy can’t have population or user attribute conditions. Additionally, if the second step in a two-step policy has conditions set, and you delete the first step so that the second step becomes the first, those conditions will be removed.