CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow
The CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow lets users sign on, create a new account, or recover an account.
Purpose
The CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow is the initial flow in the PingOne for Customers Passwordless solution. It enables existing users to sign on using a password, uses the CIAM-Passwordless-Protect-Account-Registration-Subflow flow to let new users register, uses the CIAM-Passwordless-Protect-Account-Recovery-Subflow flow to let existing users recover their account, and uses the CIAM-Passwordless-Protect-Device-Authentication-Subflow flow to let existing users sign on using a known device.
Structure
This flow is divided into sections using teleport nodes:
- Flow Configuration
  Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check for Session section.
- Check for Session
  Uses a PingOne node to determine whether the user has an existing session.
  If the user has an existing session, a hidden HTML node initiates the sk-risk component, then the flow progresses to the PingOne Protect threat detection analysis section. When this section completes, the flow progresses to the Return Success section.
  If the user does not have an existing session, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before the flow progresses to the Offer Passwordless Sign On Page section.
- Check if user is active
  Uses a PingOne node to retrieve user information, then uses a series of comparison nodes to verify that the user is enabled, that the user can authenticate, and that the user's account status is active. If the user information cannot be found or if a condition is not met, an error message is displayed. If the conditions are all met, the flow returns to the previous section.
- Offer Passwordless Sign On Page
  Uses a compare node to check whether passwordless is required. If passwordless is not required, an HTML page is displayed with options to sign on using a password, recover from a forgotten password, or register a new account.
  - The sign-on option uses a PingOne node to find the user, then progresses to the PingOne Protect threat detection analysis section. When that section completes, a function node checks whether the user is enabled, then the flow progresses to the Password Authentication section.
  - The forgot password option progresses to the Call Account Recovery Sub-Flow section.
  - The register option progresses to the Call Account Registration Sub-Flow section.
  If passwordless is required, the flow progresses to the Require Passwordless Sign On Page section.
- Require Passwordless Sign On Page
  Presents the user with an HTML page with options to sign on, recover the account, or register a new account.
  The sign-on option progresses to the Check if user is active section, then progresses to the Call Device Authentication Sub-Flow section. The forgot password option progresses to the Call Account Recovery Sub-Flow section. The register option progresses to the Call Account Registration Sub-Flow section.
- Call Account Recovery Sub-Flow
  Invokes the CIAM-Passwordless-Protect-Account-Recovery-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
- Call Account Registration Sub-Flow
  Invokes the CIAM-Passwordless-Protect-Account-Registration-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
- Call Device Authentication Sub-Flow
  Invokes the CIAM-Passwordless-Protect-Device-Authentication-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Call Check Agreement Sub-Flow section depending on the subflow result.
- Password Authentication
  Uses a PingOne node to validate the provided password. If the password is correct and current, the flow progresses to the Return Success section. If the password is correct but must be changed or is expired, the flow progresses to the Call Change Password Sub-Flow section.
- Call Change Password Sub-Flow
  Invokes the CIAM-Passwordless-Protect-Change-Password-Subflow flow, then displays a success message and progresses to the Return Success section if the subflow completes successfully.
- Call Check Agreement Sub-Flow
  Invokes the CIAM-Passwordless-Protect-Agreement(ToS)-Subflow flow, then checks whether verification is required. If so, the flow progresses to the Call Verify Email Sub-Flow section. If not, the flow progresses to the Handle Remember Me if Applicable section.
- Call Verify Email Sub-Flow
  Uses a PingOne node to send a verification code to the user's email, then invokes the CIAM-Passwordless-Protect-Verify-Email-Subflow flow. When the subflow completes, the flow progresses to the Handle Remember Me if Applicable section.
- Handle Remember Me if Applicable
  Adds Remember Me as an authentication method if it is enabled, then progresses to the Return Success section.
- PingOne Protect threat detection analysis
  Uses a PingOne node to look up the user, then invokes the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow.
  If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow completes successfully, the PingOne Protect values are saved as variables. A function node then checks whether the device is known, and if not, a PingOne node sends an email notification to the user.
  A function node then examines the risk score.
  - If the risk score is low, a function node sets the isMFAAuthnRequired value to false. The flow then progresses to the Return Success section if a session was found, or returns to the Password Authentication section if no session was found.
  - If the risk score is medium, a function node sets the isMFAAuthnRequired value to true and a PingOne node retrieves the user's MFA devices. The flow then progresses to the Start MFA Authentication section if a session was found, or returns to the Password Authentication section if no session was found.
  - If the risk score is high, the flow progresses to the Return Error section.
  If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes send an email notification to the user informing them that their account is disabled and update the user's status. The flow then progresses to the Return Error section.
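The branching in the PingOne Protect threat detection analysis section, written out as an added example in the style of a DaVinci function node. This is illustration code, not the flow's own function nodes: the shape of the evaluation object (result.level) and the names of the inputs and outputs are assumptions. It also makes one choice the page does not state: a missing or unrecognised risk level is treated like a high score, so a malformed evaluation cannot skip MFA.

```javascript
// Added example, not code from the PingOne flow. The input shape below is an
// assumption chosen for illustration.

// Constructed sample risk evaluations. Only result.level is read here.
const SAMPLE_EVALUATIONS = {
  low:       { result: { level: "LOW" } },
  medium:    { result: { level: "MEDIUM" } },
  high:      { result: { level: "HIGH" } },
  malformed: { result: {} },   // level absent: must not be treated as low risk
};

// Normalise the risk level to upper case, or undefined if it is missing.
function riskLevelOf(evaluation) {
  const level = evaluation && evaluation.result && evaluation.result.level;
  return typeof level === "string" ? level.trim().toUpperCase() : undefined;
}

// Decide what the main flow does next. Returns the isMFAAuthnRequired value,
// the side effects (email notification, account update, MFA device lookup)
// and the name of the next section from the Structure list above.
function decideAfterThreatDetection({ subflowSucceeded, evaluation, sessionFound, deviceKnown }) {
  // Subflow failure: the page says the account is disabled, the user is
  // notified, and the flow goes to Return Error.
  if (!subflowSucceeded) {
    return {
      isMFAAuthnRequired: true,   // assumption: page gives no value here, so fail closed
      notifyUser: true,
      disableAccount: true,
      fetchMfaDevices: false,
      next: "Return Error",
    };
  }

  // Success path: an unknown device triggers an email notification before
  // the risk score is examined.
  const notifyUser = !deviceKnown;
  const level = riskLevelOf(evaluation);

  if (level === "LOW") {
    return {
      isMFAAuthnRequired: false,
      notifyUser,
      disableAccount: false,
      fetchMfaDevices: false,
      next: sessionFound ? "Return Success" : "Password Authentication",
    };
  }
  if (level === "MEDIUM") {
    return {
      isMFAAuthnRequired: true,
      notifyUser,
      disableAccount: false,
      fetchMfaDevices: true,      // the PingOne node that retrieves MFA devices
      next: sessionFound ? "Start MFA Authentication" : "Password Authentication",
    };
  }
  // HIGH, or a missing/unknown level: fail closed to the error branch.
  return {
    isMFAAuthnRequired: true,     // assumption: not stated by the page for this branch
    notifyUser,
    disableAccount: false,
    fetchMfaDevices: false,
    next: "Return Error",
  };
}

// Usage: a medium-risk sign-on from an unknown device with an existing session.
console.log(decideAfterThreatDetection({
  subflowSucceeded: true,
  evaluation: SAMPLE_EVALUATIONS.medium,
  sessionFound: true,
  deviceKnown: false,
}));
```

The fail-closed default on the last branch is the part worth carrying into a real function node: a risk evaluation that comes back without a level (timeout, schema change, partial save of the Protect variables) should land in the same place as a high score, never in the low-risk branch that clears isMFAAuthnRequired.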
- Start MFA Authentication
  Uses a function node to verify that MFA authentication is required. If MFA authentication is not required, the flow returns to the previous section. If MFA authentication is required, a PingOne node checks for existing devices and an HTML template checks the user's browser for biometric and security key compatibility. Function nodes then filter the user's usable devices and check for active devices.
  - If no active device is found, the flow progresses to the Register MFA Device section.
  - If at least one active device is found, the CIAM-Passwordless-Protect-Device-Authentication-Subflow is invoked. If the subflow completes successfully, the flow progresses to the Return Success section if a session was found, or returns to the Password Authentication section if no session was found. If the user canceled authentication during the subflow, the flow progresses to the Return Error section if a session was found, or to the Offer Passwordless Sign On Page section if no session was found.
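The device filtering described in the Start MFA Authentication section, as an added example of the kind of logic the function nodes there perform. It is not the flow's own code. The device field names (type, status), the environment flag names, and the browser capability object are assumptions; the flow variables on this page only say that SMS OTP, email OTP and FIDO passkeys can each be enabled or disabled. One design choice is made here that the page does not state: a device type with no enablement flag is excluded, so the filter denies by default.

```javascript
// Added example, not code from the PingOne flow. Device shape, flag names and
// browser capability fields are assumptions for illustration.

// Constructed sample: one user's registered MFA devices. "ACTIVATION_REQUIRED"
// marks a device that was registered but never confirmed.
const SAMPLE_DEVICES = [
  { id: "dev-fido",  type: "FIDO2", status: "ACTIVE" },
  { id: "dev-sms",   type: "SMS",   status: "ACTIVE" },
  { id: "dev-email", type: "EMAIL", status: "ACTIVATION_REQUIRED" },
  { id: "dev-totp",  type: "TOTP",  status: "ACTIVE" },   // no flag on this page enables it
];

// Build the set of device types the environment and browser allow.
// env:     { smsOtpEnabled, emailOtpEnabled, fidoPasskeyEnabled }
// browser: { platformAuthenticator, securityKey }  (from the HTML compatibility check)
function allowedDeviceTypes(env, browser) {
  const allowed = new Set();
  if (env.smsOtpEnabled) allowed.add("SMS");
  if (env.emailOtpEnabled) allowed.add("EMAIL");
  // A FIDO device is only usable if passkeys are enabled for the environment
  // and the browser reported either a platform authenticator or security key support.
  const browserHasWebAuthn = Boolean(browser && (browser.platformAuthenticator || browser.securityKey));
  if (env.fidoPasskeyEnabled && browserHasWebAuthn) allowed.add("FIDO2");
  return allowed;
}

// Filter to usable devices, then to active ones, and pick the next step the
// page describes: invoke the device authentication subflow if any active device
// remains, otherwise go to Register MFA Device.
function filterUsableDevices(devices, env, browser) {
  const allowed = allowedDeviceTypes(env, browser);
  const usable = (devices || []).filter((d) => d && allowed.has(d.type));
  const active = usable.filter((d) => d.status === "ACTIVE");
  return {
    usable,
    active,
    next: active.length > 0
      ? "Call Device Authentication Sub-Flow"
      : "Register MFA Device",
  };
}

// Usage: passkeys and SMS enabled, but the browser has no WebAuthn support, so
// the FIDO device is dropped and the SMS device carries the authentication.
console.log(filterUsableDevices(
  SAMPLE_DEVICES,
  { smsOtpEnabled: true, emailOtpEnabled: false, fidoPasskeyEnabled: true },
  { platformAuthenticator: false, securityKey: false },
));
```

Two checks matter in practice: the status filter must run after the type filter (a device that is active but of a disabled type must not count), and a device that is registered but still awaiting activation must route to Register MFA Device rather than being offered as a second factor.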
- Register MFA Device
  Invokes the CIAM-Passwordless-Protect-Device-Registration-Subflow. If the subflow completes successfully, the flow progresses to the Return Success section if a session was found, or returns to the Password Authentication section if no session was found. If the user canceled authentication during the subflow, the flow progresses to the Return Error section if a session was found, or to the Offer Passwordless Sign On Page section if no session was found.
- Return Success
  Checks whether a session should be created. If so, it creates a session with a duration specified by a variable. If not, it creates a session with a duration of 1 minute. The flow then sends a success response, indicating that the flow completed successfully.
- Return Error
  Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully.
Variables and parameters
This flow uses the following variable or parameter values.
Variable name | Parameter name | Description
---|---|---
 | | Indicates whether authentication through Apple is enabled in your environment.
 | | Indicates whether authentication through Facebook is enabled in your environment.
 | | Indicates whether authentication through Google is enabled in your environment.
 | | Indicates whether passwordless authentication is required for sign-on.
 | | Indicates whether magic link is enabled in your environment.
 | None | The maximum time a user can spend in the flow before it times out.
 | None | The HTML style to use for your company logo. This value is only used when the flow is launched with a redirect.
 | None | The URL for your company logo. This value is only used when the flow is launched with a redirect.
 | None | Displays the name of your company. This value is only used when the flow is launched with a redirect.
 | | A boolean that controls whether account recovery is enabled in your environment.
 | | A boolean indicating whether one-time passcode using SMS is enabled in your environment.
 | | A boolean indicating whether one-time passcode using email is enabled in your environment.
 | | A boolean indicating whether FIDO passkey is enabled in your environment.
 | | A boolean indicating whether agreement is enabled in your environment.