If your organization has already invested in Single Sign-On (SSO) and federation technology with PingFederate, adding PingID as a second factor of authentication will provide you the much-needed additional layer of security.  We’ve developed a set of best practices for rolling PingID out to your organization, while minimizing the impact to users and operations.

PingID is typically deployed for all users of a designated application; however, in some cases MFA is required only for a subset of users – those with higher privileges or accessing sensitive data.  PingFederate and PingID can be configured to leverage security groups for those subsets, but regardless of your requirements, a carefully planned rollout strategy will ensure rapid adoption and user satisfaction!

As you define your rollout strategy, several key questions need to be answered, for example, will the rollout be for a specific group of users?   Will the rollout be for a specific set of applications?  Other considerations may account for network connectivity or geolocation.  Once these questions have been answered you can define your rollout phases by application and their respective user communities.

The most important step in adoption of PingID is the registration process.  For each phase, we suggest an initial registration period, which eliminates user frustration that occurs when forced through a process before gaining access to an application, especially at the start of their workday.  We have effectively implemented registration campaigns to onboard users to PingID independent of daily activities.

This registration process starts with an email to the affected users, which gives them a period of 7 to 14 days to register via a registration application. The registration application is a simple implementation that utilizes an SP-Initiated SSO request to PingFederate.  The policy configured in PingFederate requires both the corporate first-factor authentication and PingID second-factor authentication.  Upon first time registration with PingID, users need to install an app on their phone and register their device with the PingID service.  Once that process is complete and second-factor authentication successful, PingFederate will generate a SAML token to the registration application.  The registration application simply displays successful registration of PingID.  Over the registration period, administrators can monitor whether or not users are registering and continuously communicate, as needed.  Once the registration period is complete, PingID is added as a second-factor of authentication to existing corporate applications, as required.

Understanding the applications, users and access requirements is the first step in implementing and defining the rollout strategy for PingID.  Communication and a smooth registration process is the key, especially for large user populations.  Contact us if you have questions on how to develop and implement a PingID rollout plan.