PingID Administration Guide

Configuring passwordless authentication for passkeys

FIDO2 passwordless authentication enables you to identify and authenticate a user based on the FIDO2 protocol without requiring the user to enter their username and password.

About this task

To configure FIDO2 passwordless authentication, you must configure a PingFederate policy for a passwordless authentication flow. FIDO2 must then be enabled in the administrative console.

The process of registering a FIDO2 passkey is the same for both a passwordless and a multi-factor authentication flow. The user is directed to the relevant flow, according to your organization’s configuration. Once registered, the same FIDO2 passkey can be used to authenticate with either flow.

This feature requires PingFederate 9.3 or later. For more information, see FIDO2 authentication requirements and limitations.

Steps

  1. In the PingFederate administrative console, create a policy for passwordless authentication.

  2. Sign on to the PingID admin console and enable FIDO2 authentication.

    1. Go to Setup → PingID → Configuration.

    2. Go to the Alternate Authentication Methods section, and in the FIDO2 row, select the Enable check box. Screen Capture of the Alternate Authentication Methods section of the Configuration tab, showing the FIDO2 authentication method showing the FIDO2 authentication method

    3. Click Save.

  3. To ensure your FIDO2 policy allows the use of Discoverable Credentials. Non-discoverable credentials cannot be used for passwordless authentication flows.

    1. In the PingOne admin portal, go to Authentication → FIDO.

    2. On the FIDO Policies page, in the relevant FIDO policy, in the Discoverable Credentials field, select either Preferred or Required. For information, see Adding a FIDO policy.

Result

The changes are saved, and users can pair a passkey and use it for passwordless authentication.