Ping ID Device Binding for Mobile Apps
Sumit Kumar Tiwari

Device binding
Device binding is the process of associating a device as a credential to the mobile application. The authentication is considered trusted if it is initiated from the same device associated with the application.
Device binding in Ping works in two ways:
Automatic binding
Automatic binding is the process in which the user logs in to the app for the first time and the Ping SDK (mobile app) asks the user to mark this as a trusted device behind the scenes. Behind the scenes, this process includes the mobile app communicating with the PingID server to generate a token.

Steps:
1. The user logs in to the mobile application, usually with a username and password.
2. The mobile application asks PingID for a payload from the PingID SDK.
3. The PingID SDK component passes a payload to the customer mobile application.
4. The customer mobile application sends an authentication request to the PingOne SSO, with the username, password and payload.
5. PingOne SSO performs the first factor authentication, and if it’s successful, it starts the automatic pairing flow using the PingID SDK server:
a) PingOne SSO checks if the user already exists in the PingID SDK server. If not, the user is then created in the PingID SDK server.
b) PingOne creates a registration token for the user, which contains a server payload.
6. The PingID SDK component parses the server payload and triggers an event in the customer mobile app, with the available trust levels that the user can choose for this device:
Primary: Pair this device as a primary device. This option is available only if the user doesn’t already have a primary device.
Trusted: Pair this device as a trusted device.
Ignore: Ignore this device for an interval of time. Ignoring a device means that the device is not paired with PingID SDK, and if allowed to proceed, the user logs in without MFA. If the user asked to ignore the device for a duration of time, then on their next logins during that period they will not be asked whether they wish to pair the device, and will log in without MFA.
Note: A customer can prompt the user for a device’s trust level or determine it internally. For example, the logic in an app may determine that a user’s first device will be paired as a primary device, and other devices will be paired as trusted devices.
7. The customer mobile application prompts the user for the action via a dialog, and the user chooses one.
8. Based on the user’s choice, the customer mobile application invokes a function in the PingID SDK component, with the trust level chosen by the user/app for this device: Primary, Trusted or Ignore.
9. The PingID SDK component completes the transaction accordingly, by communicating directly with PingID SDK server.
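The trust-level rules from steps 6 to 8 and the Note, modelled as an added example (this is not PingID SDK code and not code from the original post). The class and function names, the returned outcome strings and the 7-day ignore interval are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class TrustLevel(Enum):
    PRIMARY = "primary"
    TRUSTED = "trusted"
    IGNORE = "ignore"


@dataclass
class UserPairingState:
    """Constructed stand-in for what the pairing server knows about one user."""
    paired: dict = field(default_factory=dict)         # device_id -> TrustLevel
    ignored_until: dict = field(default_factory=dict)  # device_id -> datetime


def available_trust_levels(state):
    """Step 6: Primary is offered only if the user has no primary device yet."""
    levels = [TrustLevel.TRUSTED, TrustLevel.IGNORE]
    if TrustLevel.PRIMARY not in state.paired.values():
        levels.insert(0, TrustLevel.PRIMARY)
    return levels


def choose_trust_level(state):
    """App-determined policy from the Note: first device primary, others trusted."""
    offered = available_trust_levels(state)
    return TrustLevel.PRIMARY if TrustLevel.PRIMARY in offered else TrustLevel.TRUSTED


def handle_login(state, device_id, now, user_choice=None, ignore_for=timedelta(days=7)):
    """Outcome after first-factor success on this device (ignore_for is assumed)."""
    if device_id in state.paired:
        return "paired-device"
    until = state.ignored_until.get(device_id)
    if until is not None and now < until:
        return "login-without-mfa"  # inside the ignore interval: no prompt, no MFA
    choice = user_choice or choose_trust_level(state)
    if choice not in available_trust_levels(state):
        raise ValueError(f"{choice.value} is not available for this user")
    if choice is TrustLevel.IGNORE:
        state.ignored_until[device_id] = now + ignore_for
        return "login-without-mfa"
    state.paired[device_id] = choice
    return f"paired-as-{choice.value}"
```

Every "login-without-mfa" outcome is a login on an unpaired device, so these are the events worth logging and the interval worth keeping short.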
Manual Binding
Manual pairing requires the user to perform an extra step on their first login to an application with an embedded PingID SDK component: on their mobile device, the user should enter or scan the pairing key which was provided to them in advance. Management of the logic to determine how the user receives the pairing key (via email, on last invoice, ATM, etc.), and what the user’s pairing key should match.
The manual flow has additional steps:
Obtaining a pairing key

Steps:
1. The user enters their credentials in the login page of the mobile application.
2. PingOne SSO verifies the credentials.
3. The customer server checks via the PingID SDK server whether the user has any paired devices.
4. Since the user does not have any paired devices, the customer server initiates a request to the PingID SDK server to create a pairing key, and displays it to the user for the pairing process, along with instructions on how to install or upgrade the mobile application.