(Legacy) FIDO2 biometrics authentication requirements and limitations
The following list details the requirements and limitations when using FIDO2 platform biometrics with PingID.
General requirements:
For PingID environments that are integrated with PingOne: From April 15th 2024, the FIDO2 Biometrics and Security Key authentication methods are deprecated and replaced by the more advanced FIDO2 authentication method. Learn more: Updating a PingID account to use PingOne FIDO2 policy for Passkey support.
- FIDO2 biometrics authentication is supported for web authentication only.
- Define an appropriate FIDO2 platform authentication method on the accessing device to pair the device, such as fingerprint or Face ID. If no platform authentication method is defined, the user will not be able to pair the device or authenticate with PingID.
- Perform registration and authentication with a WebAuthn supported browser, such as the latest versions of Google Chrome, Safari, or Microsoft Edge.
- Avoid the use of the same FIDO2 biometrics device by more than one user.
- Passwordless authentication using Mac Touch ID through a Chrome browser is only supported for devices paired after February 23, 2021. Users with devices that were paired to PingID before February 23, 2021 should unpair their device and then pair it again, in order to use passwordless authentication with a Chrome browser.
FIDO Passkey requirements:
FIDO passkey requirements and limitations are constantly evolving. For a list of the most up-to-date operating systems and browsers supported, see Device support.
Passwordless authentication requirements:
- When creating a PingFederate policy for passwordless authentication with FIDO2 biometrics, you must use PingID Integration kit 2.7 or later, with PingFederate v9.3 or later.
General limitations:
- The WebAuthn timeout is set to 2 minutes. The actual timeout value might vary depending on the browser used.
- PingID does not support Android-key attestation.
- A user can pair more than one FIDO2 biometrics device with their account; however, they cannot pair the same FIDO2 biometrics device with their account more than once.
- Some older browser versions might not support FIDO2 biometrics when using incognito or private mode.
- If an iOS or Mac Touch ID device is paired with PingID, clearing history and website data from the device’s Safari settings will prevent a user from using PingID to authenticate. The user must unpair their device and then pair the device again to authenticate with PingID.