Push authentication in PingAM 8.0.2 utilizes the ForgeRock/Ping Authenticator app to provide a seamless, out-of-band multi-factor authentication (MFA) experience.3 To understand the correct statements, we must look at the technical requirements and the authentication lifecycle defined in the "MFA: Push Authentication" documentation.
Statement A is correct: For the initial setup, a device with a camera is required because the registration process involves scanning a QR code generated by PingAM. Additionally, the user must install the specific Authenticator app (available for iOS and Android) to handle the cryptographic exchange and receive push notifications.4
Statement D is correct: This accurately describes the runtime flow of a push journey. When a user reaches aPush Sendernode, PingAM communicates with the Push Notification Service (Apple APNs or Google FCM).5The user's device receives the notification, and PingAM enters a "waiting" state (via thePush Result Verifiernode) until the user either approves or denies the request within the app.6
Why other statements are incorrect:
Statement Bis incorrect because registration and authentication are typically handled byseparate trees. Best practice dictates a "Device Registration" tree for the initial onboarding and a "Login/MFA" tree for day-to-day access. Forcing them into the same tree would be inefficient and create a poor user experience.
Statement Cis a common point of confusion; while the user scans a code, the documentation refers to it as aQR code, not a standardbarcode. In technical certification contexts, this distinction is often strictly enforced.
Therefore, only statementsA and Drepresent the verified facts of the Push implementation in version 8.0.2, making Option C the correct answer.
