PingID Administration Guide

(Legacy) Configuring FIDO2 biometrics for PingID

PingID supports FIDO2 platform biometrics. Users can authenticate on their FIDO2-compatible accessing device using a gesture that is enabled by the device’s built-in biometrics.

About this task

Supported devices include Windows Hello, iOS and iPadOS devices 14 and later, Android devices 7.0 and later, and Apple Mac machines with fingerprint authentication capabilities.

If a passwordless flow is configured, the passwordless flow is enabled by FIDO2 platform biometrics. For more information, see (Legacy) Configuring FIDO2 passwordless authentication.

PingID receives confirmation that a device has the relevant WebAuthn FIDO2 capabilities with the authenticating browser. If the capabilities are not sufficient, such as the browser is not supported, the OS does not support biometric authentication, or a compatible authentication method is not defined, the user will be unable to authenticate with the FIDO2 biometrics device and might be unable to authenticate at all if that is their only authenticating device.
To enable users to authenticate using FIDO2 platform biometrics, the high-level flow is as follows

Steps

  1. In the Admin portal, enable FIDO2 platform biometrics.

    For more information, see (Legacy) Configuring FIDO2 passwordless authentication or (Legacy) Configuring FIDO2 biometrics for MFA authentication.

  2. Optional: If required, define a PingID policy.

    For more information, see Authentication policy.

  3. Have the user register their FIDO2 biometrics device and pair it with their PingID account to create a trust between the device and the user’s account, so they can use it authenticate during the sign-on process.

    For more information, see the following sections in the PingID User Guide:

(Legacy) FIDO2 biometrics authentication requirements and limitations

The following list details the requirements and limitations when using FIDO2 platform biometrics with PingID.

General requirements:

For PingID environments that are integrated with PingOne: From April 15th 2024, the FIDO2 Biometrics and Security Key authentication methods are deprecated and replaced by the more advanced FIDO2 authentication method. Learn more: Updating a PingID account to use PingOne FIDO2 policy for Passkey support.

  • FIDO2 biometrics authentication is supported for web authentication only.

  • Define an appropriate FIDO2 platform authentication method on the accessing device to pair the device, such as fingerprint or Face ID. If no platform authentication method is defined, the user will not be able to pair the device or authenticate with PingID.

  • Perform registration and authentication with a WebAuthn supported browser, such as the latest versions of Google Chrome, Safari, or Microsoft Edge.

  • Avoid the use of the same FIDO2 biometrics device by more than one user.

  • Passwordless authentication using Mac Touch ID through a Chrome browser is only supported for devices paired after February 23, 2021. Users with devices that were paired to PingID before February 23, 2021 should unpair their device and then pair it again, in order to use passwordless authentication with a Chrome browser.

FIDO Passkey requirements:

FIDO passkey requirements and limitations are constantly evolving. For a list of the most up-to-date operating systems and browsers supported, see Device support.

Passwordless authentication requirements:

General limitations:

  • WebAuthn timeout is defined for 2 minutes. The actual timeout value might vary depending on the browser used.

  • PingID does not support Android-key attestation.

  • A user can pair more than one FIDO2 biometrics device with their account, however, they cannot pair the same FIDO2 biometrics device with their account more than once.

  • Some older browser versions might not support FIDO2 biometrics when using incognito or private mode.

  • If an an iOS or Mac Touch ID device is paired with PingID, clearing history and website data from the device’s Safari settings will prevent a user from using PingID to authenticate. The user must unpair their device and then pair the device again to authenticate with PingID.

Second factor authentication limitations:

  • Android devices that are paired within a workspace can only be used to authenticate in the same workspace.

For troubleshooting, see the relevant section in the PingID User Guide.

(Legacy) Configuring FIDO2 passwordless authentication

FIDO2 passwordless authentication enables you to identify and authenticate a user based on the FIDO2 protocol without requiring the user to enter their username and password.

About this task

This topic is for passwordless authentication using legacy FIDO2 biometrics. For FIDO2 authentication method, see Configuring passwordless authentication for passkeys.

To configure FIDO2 passwordless authentication, you must configure a PingFederate policy for a passwordless authentication flow. FIDO2 biometrics must then be enabled in the administrative console.

The process of registering a FIDO2 device is the same for both passwordless and secondary authentication flows. The user is directed to the relevant flow, according to your organization’s configuration. Once registered, the same FIDO2-compliant device can be used to authenticate with either flow. For more information, see Setting up Windows Hello authentication.

This feature requires PingFederate 9.3 or later. For more information, see (Legacy) FIDO2 biometrics authentication requirements and limitations.

Steps

  1. In the PingFederate administrative console, create a policy for passwordless authentication.

    For more information, see (Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO biometrics.

  2. Sign on to the PingOne for Enterprise admin console and enable FIDO2 biometrics.

    1. Go to Setup → PingID → Configuration.

    2. Go to the Alternate Authentication Methods section, and in the FIDO2 Biometrics row, select the Enable check box.

      A screen capture of the Alternate Authentication Methods section.

    3. Click Save.

Result

The changes are saved, and users can pair and authenticate with gestures defined on their FIDO2 biometrics accessing device. For more information, see Using Windows Hello for authentication.

(Legacy) Configuring FIDO2 biometrics for MFA authentication

To allow users to pair and authenticate using the built-in biometrics on their device for MFA (Multi-factor authentication), enable FIDO2 biometrics in the admin portal.

About this task

Users must enter their username (and password, if required), and are then prompted to authenticate with their device biometrics.

This topic is for authentication using legacy FIDO2 biometrics. To configure passwordless authentication for passkeys using the FIDO2 authentication method, see Configuring passwordless authentication for passkeys.

Steps

  1. Sign on to the admin portal.

  2. Go to Setup → PingID → Configuration.

  3. Go to the Alternate Authentication Methods section, and in the FIDO2 Biometrics row, select the Enable check box. A screen capture of the Alternate Authentication Methods section.

  4. Click Save.

Result

Users can pair and authenticate with gestures defined on their FIDO2 biometrics accessing device. For more information, see Using Windows Hello for authentication, Using Apple Mac Touch ID for authentication, and Using Android biometrics for authentication in the PingID End User Guide.

(Legacy) FIDO2 biometrics use cases

The following table outlines several common use cases and their expected behaviors when using FIDO2 biometrics authentication.

If policy rules are configured, the results might vary from those described in the table. For more information, see PingID authentication policy.
Paired devices Browser Results Reason

FIDO2 biometrics device only

WebAuthn Platform compliant

The browser prompts the user to authenticate using their FIDO2 biometrics device.

FIDO2 biometrics is the only authentication method, and the browser supports WebAuthn platform, so the user can authenticate using their FIDO2 biometrics device.

  • FIDO2 biometrics (primary)

  • Email

  • SMS

WebAuthn platform compliant

The browser prompts the user to authenticate using their FIDO2 biometrics device. If the Prompt to Select setting is enabled, FIDO2 Biometrics appears in the list of authentication options.

The browser supports FIDO2 biometrics, which is the user’s primary device.

  • FIDO2 biometrics - Windows Hello (primary)

  • FIDO2 biometrics - Android device

  • Email

  • SMS

WebAuthn platform complaint

If the user tries to access their account with their Android device, they are prompted to authenticate using that device, even though it is not their primary device.

If more than one FIDO2 biometrics device is paired with a user’s account, when accessing with a FIDO2 device, the browser prompts the user to authenticate with the current accessing device, regardless of which FIDO2 device is the primary device.

FIDO2 biometrics only

Not WebAuthn Platform compliant

The browser displays the following message: This browser doesn’t support your current authentication method. Try a different browser or contact your administrator.

The browser doesn’t support the user’s current authentication method. The user must either use a different browser that is WebAuthn compliant, such as the latest version of Chrome or Microsoft Edge, or use a FIDO2 biometrics device that is paired with their account.

  • FIDO2 biometrics (primary)

  • Email

  • SMS

Not WebAuthn platform compliant

The browser prompts the user to authenticate using the next paired device. In this example, the user must authenticate using email or SMS. If the Prompt to Select setting is enabled, FIDO2 biometrics does not appear in the list of authentication options.

The browser is not Webauthn platform compliant and does not support the user of a FIDO2 biometrics device. The FIDO2 biometrics option is not shown and only the secondary authentication methods are presented to the user.