FIDO2 authentication requirements and limitations
The following list details the requirements and limitations when using FIDO2 with PingID.
FIDO2 passkey requirements and limitations are constantly evolving. For a list of the most up-to-date operating systems and browsers supported, see Device support.
General requirements:
To use FIDO2 authentication, make sure that:
- The PingID environment is integrated with PingOne. Learn more.
- You enable the FIDO2 authentication method in the admin portal. If you have an account that was previously using the security key or FIDO2 biometrics authentication methods, see also Updating a PingID account to use PingOne FIDO2 policy for Passkey support.
- The user performs registration and authentication with a WebAuthn-supported browser (such as the latest versions of Google Chrome, Safari, or Microsoft Edge) running on a WebAuthn-supported platform (such as Windows, macOS, iOS, or Android).
- PingID supports FIDO2 and U2F security keys. U2F security keys can only generate a single credential per domain, so a U2F device can only be paired by one user per domain.
- YubiKeys can be paired for either:
  - Security Key FIDO2 authentication
  - YubiKey OTP authentication
  YubiKeys that feature one-time passcode (OTP) support only, or for which you only want to use OTP authentication, should be paired as a YubiKey authentication method rather than as a security key. For more information, see Configuring YubiKey authentication (Yubico OTP) for PingID.
Passwordless authentication requirements:
- When configuring a PingFederate policy for passwordless authentication with FIDO2 passkeys, you must use PingID Integration Kit 2.7 or later with PingFederate v9.3 or later.
- Passwordless authentication with FIDO2 requires discoverable credentials. In the relevant FIDO2 policy, make sure that the Discoverable Credentials field is set to either Preferred or Required.
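The Discoverable Credentials setting corresponds to the `residentKey` member of `authenticatorSelection` in the WebAuthn creation options that a relying party passes to `navigator.credentials.create()`. The following is an added example, not PingID's own code: it maps a policy value of Required, Preferred, or Discouraged onto those options, rejects a passwordless policy that would not produce a discoverable credential, and uses the 2-minute timeout described under General limitations. The policy object shape, the `policyToCreationOptions()` helper, and the sample user and challenge values are assumptions made for illustration.

```javascript
// Added example (not PingID's own code): maps a FIDO2 policy's
// "Discoverable Credentials" setting onto WebAuthn creation options.
// The policy shape, helper name, and sample values are assumptions.

// Policy values -> WebAuthn authenticatorSelection.residentKey values
const DISCOVERABLE_TO_RESIDENT_KEY = {
  Required: "required",
  Preferred: "preferred",
  Discouraged: "discouraged",
};

// WebAuthn timeout of 2 minutes; browsers may still apply their own limit
const WEBAUTHN_TIMEOUT_MS = 2 * 60 * 1000;

function policyToCreationOptions(policy, rpId, user, challenge) {
  const residentKey = DISCOVERABLE_TO_RESIDENT_KEY[policy.discoverableCredentials];
  if (!residentKey) {
    throw new Error(`unknown Discoverable Credentials value: ${policy.discoverableCredentials}`);
  }
  // Passwordless sign-in needs the authenticator to store the credential,
  // so the policy must ask for a discoverable (resident) credential.
  if (policy.passwordless && residentKey === "discouraged") {
    throw new Error("passwordless requires Discoverable Credentials = Preferred or Required");
  }
  return {
    rp: { id: rpId, name: policy.rpName },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge, // server-generated random bytes, unique per ceremony
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    timeout: WEBAUTHN_TIMEOUT_MS,
    authenticatorSelection: {
      residentKey,
      // Older (WebAuthn Level 1) browsers only understand requireResidentKey
      requireResidentKey: residentKey === "required",
      // Passwordless replaces the password, so insist on user verification
      userVerification: policy.passwordless ? "required" : "preferred",
    },
    attestation: "none",
  };
}

// Constructed sample input (hypothetical policy, user, and challenge)
const samplePolicy = { rpName: "Example Corp", discoverableCredentials: "Required", passwordless: true };
const sampleUser = {
  id: new TextEncoder().encode("user-12345"),
  name: "alice@example.com",
  displayName: "Alice Example",
};
// Placeholder challenge for the offline example; a real server fills this
// from a cryptographically secure random source such as crypto.getRandomValues().
const sampleChallenge = new Uint8Array(32);

const sampleOptions = policyToCreationOptions(samplePolicy, "example.com", sampleUser, sampleChallenge);
console.log(JSON.stringify(sampleOptions.authenticatorSelection));
```

In a browser the returned object is passed as `{ publicKey: sampleOptions }` to `navigator.credentials.create()`. Setting both `residentKey` and `requireResidentKey` keeps the request meaningful for browsers that only implement the older field.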
General limitations:
- FIDO2 authentication is only supported for web authentication and for Windows login and Mac login machines.
- The WebAuthn timeout is defined as 2 minutes. The actual timeout value might vary depending on the browser used.
- A user can pair more than one FIDO2 credential with their account; however, they cannot pair the same FIDO2 credential with their account more than once.
- Some browser versions might not support FIDO2 authentication when using incognito or private mode.
- If an iOS or Mac Touch ID device is paired with PingID, clearing history and website data from the device's Safari settings will prevent the user from using PingID to authenticate. The user must unpair the device and then pair it again to authenticate with PingID.
- Security keys can be used for web-based authentication through WebAuthn-supporting browsers only.
Second factor authentication limitations:
- Android devices that are paired within a workspace can only be used to authenticate in the same workspace.
For troubleshooting, see the relevant section in the PingID User Guide.
Windows login and Mac login limitations:
Users authenticating as part of a Windows login, Windows login (passwordless), or Mac login authentication flow can only authenticate using a security key. PingID determines whether a passkey is a security key based on the Authenticator Attachment and the Transports attributes that are presented in the AuthenticatorAttestationResponse. Learn more about these authentication flows:
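The two attributes named above are exposed to the relying party at registration time as `credential.authenticatorAttachment` and `credential.response.getTransports()`. The following added example, which is not PingID's code, shows how a server-side check can use those two values to decide whether a registered credential is a security key and therefore usable for a Windows login or Mac login flow. The decision rule, the `classifyAuthenticator()` helper, and the sample registrations are illustrative assumptions; the page does not publish PingID's exact rule.

```javascript
// Added example (not PingID's own code): classifies a registered WebAuthn
// credential from authenticatorAttachment and the transports reported in the
// AuthenticatorAttestationResponse. The rule below is an illustrative
// assumption, not PingID's published logic.

// Transports that imply a roaming (external) security key
const SECURITY_KEY_TRANSPORTS = new Set(["usb", "nfc", "ble"]);

// reg = { authenticatorAttachment, transports }, captured in the browser from
// credential.authenticatorAttachment and credential.response.getTransports()
function classifyAuthenticator(reg) {
  const transports = reg.transports ?? [];
  const attachment = reg.authenticatorAttachment ?? null;

  // Transports are the more specific signal, so evaluate them first
  if (transports.some((t) => SECURITY_KEY_TRANSPORTS.has(t))) return "security-key";
  if (transports.includes("hybrid")) return "cross-device-passkey"; // e.g. a phone used via QR/BLE
  if (transports.includes("internal")) return "platform";           // e.g. Touch ID, Windows Hello

  // No transports reported (older browsers): fall back to attachment
  if (attachment === "cross-platform") return "security-key";
  if (attachment === "platform") return "platform";
  return "unknown";
}

// Windows login and Mac login flows accept only security keys
function isUsableForDesktopLogin(reg) {
  return classifyAuthenticator(reg) === "security-key";
}

function desktopLoginCandidates(registrations) {
  return registrations.filter(isUsableForDesktopLogin).map((r) => r.id);
}

// Constructed sample registrations, in the shape a server might have stored
const sampleRegistrations = [
  { id: "key-1", authenticatorAttachment: "cross-platform", transports: ["usb", "nfc"] },
  { id: "touchid-1", authenticatorAttachment: "platform", transports: ["internal"] },
  { id: "phone-1", authenticatorAttachment: "cross-platform", transports: ["hybrid", "internal"] },
  { id: "legacy-1", authenticatorAttachment: "cross-platform", transports: [] },
  { id: "unknown-1", transports: [] },
];

console.log(desktopLoginCandidates(sampleRegistrations)); // [ 'key-1', 'legacy-1' ]
```

Transports are checked before attachment because a phone used as a cross-device passkey also reports `cross-platform` attachment, so attachment alone would misclassify it as a security key. Credentials that end up as `unknown` should be treated as not eligible rather than silently allowed.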