---
title: (Legacy) Configuring FIDO2 passwordless authentication
description: FIDO2 passwordless authentication enables you to identify and authenticate a user based on the FIDO2 protocol without requiring the user to enter their username and password.
component: pingid
page_id: pingid:pingid_service_management:pid_configuring_fido2_passwordless_auth
canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_configuring_fido2_passwordless_auth.html
revdate: April 18, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result
---

# (Legacy) Configuring FIDO2 passwordless authentication

FIDO2 passwordless authentication enables you to identify and authenticate a user based on the FIDO2 protocol without requiring the user to enter their username and password.

## About this task

|   |                                                                                                                                                                                                                                  |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | This topic is for passwordless authentication using legacy FIDO2 biometrics. For FIDO2 authentication method, see [Configuring passwordless authentication for passkeys](pid_configuring_fido2_passwordless_auth_passkeys.html). |

To configure FIDO2 passwordless authentication, you must configure a PingFederate policy for a passwordless authentication flow. FIDO2 biometrics must then be enabled in the administrative console.

The process of registering a FIDO2 device is the same for both passwordless and secondary authentication flows. The user is directed to the relevant flow, according to your organization's configuration. Once registered, the same FIDO2-compliant device can be used to authenticate with either flow. For more information, see [Setting up Windows Hello authentication](http://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_using_windows_hello_auth.html).

|   |                                                                                                                                                                                                              |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | This feature requires PingFederate 9.3 or later. For more information, see [(Legacy) FIDO2 biometrics authentication requirements and limitations](fido2_biometrics_auth_requirements_and_limitations.html). |

## Steps

1. In the PingFederate administrative console, create a policy for passwordless authentication.

   For more information, see [(Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO biometrics](../pingid_integrations/pid_configuring_pf_policy_for_passwordless_authentication_fido_biometrics.html).

2. Sign on to the PingOne for Enterprise admin console and enable FIDO2 biometrics.

   1. Go to **Setup → PingID → Configuration**.

   2. Go to the **Alternate Authentication Methods** section, and in the **FIDO2 Biometrics** row, select the **Enable** check box.

      ![A screen capture of the Alternate Authentication Methods section.](_images/vkb1564020562147.png)

   3. Click **Save**.

## Result

The changes are saved, and users can pair and authenticate with gestures defined on their FIDO2 biometrics accessing device. For more information, see [Using Windows Hello for authentication](http://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_using_windows_hello_auth.html).