(Legacy) Security key authentication requirements and limitations
When using security keys with PingID, the following requirements and limitations apply:
For PingID environments that are integrated with PingOne: From April 15th 2024, the FIDO2 Biometrics and Security Key authentication methods are deprecated and replaced by the more advanced FIDO2 authentication method. Learn more: Updating a PingID account to use PingOne FIDO2 policy for Passkey support.
- Security keys are supported for Web authentication only.
- PingID supports FIDO2 and U2F security keys.
  U2F security keys can only generate a single credential per domain, so a U2F device can only be paired by one user per domain.
- Security keys can be used for web-based authentication through WebAuthn-supporting browsers only.
  If a browser supports the use of a security key, the browser also supports WebAuthn.
- When authenticating with a mobile device, use of FIDO2 and U2F security keys with PingID:
  - Is supported on Android 7 and later
  - Is supported on iOS 13.3 and later
- Registration and authentication must be performed with a WebAuthn-supported browser, such as the latest versions of Google Chrome or Microsoft Edge.
- The use of FIDO2 security keys for manual (offline) authentication:
  - Requires PingID Integration for Windows login 2.3 or later.
- The WebAuthn timeout is defined as 2 minutes. The actual timeout value might vary depending on the browser used.
- PingID does not support security keys that require a signed attestation using ECDAA in packed attestation format.
- A user can pair more than one security key with their account.
- The same security key can be used by more than one user if each user pairs the security key to a different account.
- A user cannot pair the same security key with their account more than once.
- YubiKeys can be paired for either:
  - Security Key FIDO2 authentication
  - YubiKey OTP authentication
  YubiKeys that feature one-time passcode (OTP) support only, or for which you only want to use OTP authentication, should be paired as a YubiKey authentication method rather than as a security key. For more information, see Configuring YubiKey authentication (Yubico OTP) for PingID.
The following limitations should be considered when configuring security key authentication with PingID:
- Some browsers do not support the use of a FIDO2 security key when User Verification is set to Required.
- Some browsers do not allow authentication with a security key when the security key is paired as a resident key.
- Some browsers do not support security key registration when Resident Key is set to Required.
Windows login supports the use of FIDO2 security keys.
If user verification has been set to Required for security keys in the admin portal, this will not affect offline authentication, and users will be able to use their security key for offline authentication without user verification.
Passwordless security key
To use a security key for passwordless authentication:
- The security key must support the use of a resident key, and be paired as a resident key.
- When creating a PingFederate policy for passwordless authentication with a security key, you must use PingID Integration Kit 2.10 or later, with PingFederate v9.3 or later.
Some browsers do not support the security key passwordless authentication flow. Passwordless authentication with a security key has been successfully tested on:
- Windows 10 machines running the latest versions of Windows Edge, Firefox, Opera, and Chrome.
- Apple Mac 10.15 (Catalina) machines running the latest versions of Windows Edge, Opera, and Chrome.
Testing has also been performed successfully on Apple Mac 11 (Big Sur) and Mac 12.4 (Monterey).
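The following is an added example, not PingID's own code, showing how a relying party would express the requirements above in WebAuthn terms: the 2-minute timeout, a resident key when pairing for passwordless use, the User Verification setting, exclusion of already-paired keys so a user cannot pair the same key twice, and rejection of ECDAA in a packed attestation statement. The rpId, user and credential values are constructed placeholders.

```javascript
// Added example (not PingID's code): WebAuthn registration options that
// encode the security key requirements described on this page.
const WEBAUTHN_TIMEOUT_MS = 2 * 60 * 1000; // WebAuthn timeout is defined as 2 minutes

// Build PublicKeyCredentialCreationOptions for pairing a security key.
// passwordless=true requires a resident (discoverable) credential.
// existingCredentialIds lists the user's already-paired keys so the same
// key cannot be paired with the account a second time.
function buildRegistrationOptions({ rpId, userId, userName, challenge,
                                   passwordless = false,
                                   userVerification = 'preferred',
                                   existingCredentialIds = [] }) {
  const residentKey = passwordless ? 'required' : 'preferred';
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    timeout: WEBAUTHN_TIMEOUT_MS,
    authenticatorSelection: {
      authenticatorAttachment: 'cross-platform', // external security key, not platform biometrics
      residentKey,
      requireResidentKey: residentKey === 'required', // older browsers read this field
      userVerification, // 'required' is the setting some browsers do not support
    },
    excludeCredentials: existingCredentialIds.map((id) => ({ type: 'public-key', id })),
    attestation: 'direct',
  };
}

// Server-side check on the decoded attestation object: ECDAA signatures in
// the packed format are not supported, and a packed attStmt signals ECDAA
// with an ecdaaKeyId field (WebAuthn Level 1 packed attestation statement).
function isAttestationAccepted(fmt, attStmt) {
  if (fmt === 'packed' && attStmt.ecdaaKeyId !== undefined) return false;
  return true;
}

// In a browser, hand the options to the WebAuthn API (navigator.credentials
// does not exist under Node, so this is only called from page code).
async function registerSecurityKey(options) {
  return navigator.credentials.create({ publicKey: options });
}
```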