February 23, 2024

Exploring User Choice of Authentication in Workspace ONE Access

Workspace ONE Access introduced the User Choice of Authentication feature in January 2024, offering users flexibility in selecting authentication methods, and allowing administrators to customize authentication policies based on various criteria.

In the ever-evolving landscape of enterprise security, finding the right balance between user convenience and robust authentication is crucial. Workspace ONE Access offers a wide range of multi-factor authentication (MFA) options that cover the authentication needs of the customer. User Choice of Authentication, a feature that was introduced in Workspace ONE Access Cloud January 2024 release, augments the available MFA experience by enhancing convenience while enabling administrators with the flexibility to adapt to diverse security needs.

Understanding User Choice of Authentication

User Choice of Authentication is designed to enable flexibility for the user to choose from a range of authentication methods presented to them for their MFA prompt. Users can select one of the authentication methods from the list to complete the MFA challenge. 

A screenshot of a login page</p>
<p>Description automatically generated

This feature is particularly valuable in scenarios where users may not have access to their second factor authentication option, such as a smartphone for receiving push notifications. In such cases, users can seamlessly opt for an alternative method from the presented choices to complete the login sequence.

Administrators can configure policies to control the availability of various authentication choices for specific authentication requirements. Conditional access policy parameters such as network range, device specifications, device management state or user groups can be configured to secure and customize the authentication experience for different groups of end users.

Implementation and configuration

User Choice of Authentication is available with Workspace ONE Access Cloud January 2024 release and all cloud environments are enabled with this feature.

User choice of authentication can be configured in access policies in the administrator console. The Access authentication chaining option is now extended with the OR condition that requires users to satisfy ONE of the configured authentication options from the list to complete authentication.

In the above configuration, users are presented with FIDO2, Intelligent Hub Verify, and Authenticator App as the options for their MFA choice, and successfully authenticating with any one of these options will be sufficient to satisfy the MFA challenge.

 Administrators can configure multiple authentication choice blocks for different sets of users and applications.


The user can now sign in with the MFA available to them based on the situation.

The final demo shows the same situation on another device leveraging FIDO2 Passkey as an available second factor after first performing High Assurance authentication using Mobile SSO with biometrics.

For more information about User Choice of Authentication and other features of Workspace ONE Access, see Set Up Choice of Authentication Access Policy Rules in the official documentation.


Filter Tags

Workspace ONE Workspace ONE Access Blog Announcement Overview