---
title: FIDO2 authentication requirements and limitations
description: The following list details the requirements and limitations when using FIDO2 with PingID.
component: pingid
page_id: pingid:pingid_service_management:fido2_auth_requirements_and_limitations
canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/fido2_auth_requirements_and_limitations.html
revdate: May 28, 2024
section_ids:
  general-requirements: General requirements:
  passwordless-authentication-requirements: Passwordless authentication requirements:
  general-limitations: General limitations:
  second-factor-authentication-limitations: Second factor authentication limitations:
  windows-login-and-mac-login-limitations: Windows login and Mac login limitations:
---

# FIDO2 authentication requirements and limitations

The following list details the requirements and limitations when using FIDO2 with PingID.

FIDO2 passkey requirements and limitations are constantly evolving. For a list of the most up-to-date operating systems and browsers supported, see [Device support](https://passkeys.dev/device-support/).

## General requirements:

To use FIDO authentication, make sure that:

* The PingID environment is integrated with PingOne. [Learn more](http://docs.pingidentity.com/pingone/strong_authentication_mfa/p1_integrate_pid_env_with_new_p1_env_updated.html).

* You enable the FIDO2 authentication method in the admin portal. If you have an account that was previously using the security key or FIDO2 biometrics authentication methods, see also [Updating a PingID account to use PingOne FIDO2 policy for Passkey support](pid_update_to_fido2_authentication_method.html).

* The user must perform registration and authentication with a WebAuthn-supported browser (such as the latest versions of Google Chrome, Safari, or Microsoft Edge) that is running on a WebAuthn-supported platform (such as Windows, macOS, iOS, or Android).

* PingID supports FIDO2 and U2F security keys.

  **Note:** U2F security keys can only generate a single credential per domain. A device can only be paired by one user per domain.

* YubiKeys can be paired for either:

  * Security Key FIDO2 authentication

  * YubiKey OTP authentication

  PingID YubiKeys that feature one-time passcode (OTP) support only, or for which you only want to use OTP authentication, should be paired as a YubiKey authentication method rather than as a security key. For more information, see [Configuring YubiKey authentication (Yubico OTP) for PingID](pid_configuring_yubikey_authentication_yubico_otp.html).

## Passwordless authentication requirements:

* When [configuring a PingFederate policy for passwordless authentication with FIDO2 passkeys](../pingid_integrations/pid_configuring_pf_policy_for_passwordless_authentication_fido2_passkeys.html), you must use PingID Integration kit 2.7 or later, with PingFederate v9.3 or later.

* To enable passwordless authentication, FIDO2 requires Discoverable Credentials. Make sure that in the relevant FIDO2 policy the **Discoverable Credentials** field is set to either **Preferred** or **Required**.
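
The following JavaScript is an added example, not PingID or PingOne code. It assumes the policy's **Discoverable Credentials** value is passed through as the WebAuthn `residentKey` option, and shows why **Preferred** can still yield a credential that is not usable for passwordless sign-in, which the `credProps` extension reveals. The function names and stand-in credential objects are hypothetical.

```javascript
// Added example; function names are hypothetical. Assumes the policy's
// Discoverable Credentials value is passed through as WebAuthn residentKey.
const RESIDENT_KEY_VALUES = ["discouraged", "preferred", "required"];

// authenticatorSelection/extensions fragment of the options given to
// navigator.credentials.create() for a given setting.
function registrationOptions(residentKey) {
  if (!RESIDENT_KEY_VALUES.includes(residentKey)) {
    throw new RangeError(`unknown residentKey value: ${residentKey}`);
  }
  return {
    authenticatorSelection: {
      residentKey,
      requireResidentKey: residentKey === "required", // legacy boolean form
    },
    extensions: { credProps: true }, // ask the client to report the rk property
  };
}

// Can the credential returned by create() be used without a username?
// Returns "yes", "no" or "unknown".
function passwordlessUsable(residentKey, credential) {
  // With "required" the client must fail rather than fall back.
  if (residentKey === "required") return "yes";
  const results = credential.getClientExtensionResults?.() ?? {};
  const rk = results.credProps?.rk;
  if (rk === true) return "yes";
  if (rk === false) return "no"; // non-discoverable: needs the username first
  return "unknown"; // client did not report credProps
}

// Constructed stand-ins for PublicKeyCredential objects.
const fakeCredential = (ext) => ({ getClientExtensionResults: () => ext });
const samples = [
  ["required", fakeCredential({})],
  ["preferred", fakeCredential({ credProps: { rk: true } })],
  ["preferred", fakeCredential({ credProps: { rk: false } })],
  ["preferred", fakeCredential({})],
];
for (const [setting, cred] of samples) {
  console.log(setting, "->", passwordlessUsable(setting, cred));
}
```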

## General limitations:

* FIDO2 authentication is supported only for web authentication and for Windows login and Mac login machines.

* The WebAuthn timeout is set to 2 minutes. The actual timeout value might vary depending on the browser used.

* A user can pair more than one FIDO2 credential with their account; however, they cannot pair the same FIDO2 credentials with their account more than once.

* Some browser versions might not support FIDO2 authentication when using incognito or private mode.

* If an iOS or Mac Touch ID device is paired with PingID, clearing history and website data from the device's Safari settings will prevent a user from using PingID to authenticate. The user must unpair their device and then pair the device again to authenticate with PingID.

* Security keys can be used for web-based authentication through WebAuthn-supporting browsers only.

## Second factor authentication limitations:

* Android devices that are paired within a workspace can only be used to authenticate in the same workspace.

For troubleshooting, see the relevant section in the PingID User Guide.

## Windows login and Mac login limitations:

Users authenticating as part of a Windows login, Windows login (passwordless), or Mac login authentication flow can only authenticate using a security key. PingID determines whether a passkey is a security key based on the [Authenticator Attachment](https://w3c.github.io/webauthn/#enum-attachment) and the [Transports](https://w3c.github.io/webauthn/#authenticatorattestationresponse) attributes that are presented in the [AuthenticatorAttestationResponse](https://w3c.github.io/webauthn/#authenticatorattestationresponse). Learn more about these authentication flows:

* [Integrating PingID with Windows login](../pingid_integrations/pid_integration_with_windows_login.html)

* [Integrating PingID with Windows login (passwordless)](../pingid_integrations/pid_integrating_with_windows_login_passwordless.html)

* [PingID integration for Mac login](../pingid_integrations/pid_integration_with_mac_login_intro.html)
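
This page does not give PingID's exact rule for deciding that a passkey is a security key. The following added example (not PingID code) shows one plausible classification from the Authenticator Attachment and Transports attributes. The category names, the transport grouping and the sample credentials are assumptions.

```javascript
// Added example; the heuristic and category names are assumptions,
// not PingID's actual logic.

// Transports that imply a removable (roaming) authenticator.
const ROAMING_TRANSPORTS = new Set(["usb", "nfc", "ble", "smart-card"]);

// credential: a PublicKeyCredential-shaped object from registration.
// authenticatorAttachment lives on the credential; getTransports() on
// its AuthenticatorAttestationResponse.
function classifyAuthenticator(credential) {
  const attachment = credential.authenticatorAttachment ?? null;
  const transports =
    typeof credential.response?.getTransports === "function"
      ? credential.response.getTransports()
      : [];
  const roaming = transports.some((t) => ROAMING_TRANSPORTS.has(t));
  // "internal" = built into the client device, "hybrid" = phone over QR/BLE.
  const bound = transports.includes("internal") || transports.includes("hybrid");

  if (attachment === "platform" || (bound && !roaming)) {
    return "platform-or-phone-passkey";
  }
  if (attachment === "cross-platform" && roaming && !bound) {
    return "security-key";
  }
  return "undetermined"; // missing or conflicting attributes: do not guess
}

// Constructed sample credentials (no real authenticator data).
const make = (attachment, transports) => ({
  authenticatorAttachment: attachment,
  response: { getTransports: () => transports },
});
const constructedSamples = {
  usbKey: make("cross-platform", ["usb", "nfc"]),
  touchId: make("platform", ["internal"]),
  phoneViaQr: make("cross-platform", ["hybrid", "internal"]),
  noTransports: make("cross-platform", []),
  noAttachment: make(null, ["usb"]),
};
for (const [name, cred] of Object.entries(constructedSamples)) {
  console.log(name, "->", classifyAuthenticator(cred));
}
```

Treating the undetermined case as not a security key keeps the check fail-closed when a browser omits either attribute.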
