PingOne

Adding a FIDO policy

To enable authentication with FIDO2 devices, first create one or more FIDO policies.

About this task

A small number of the options listed are not available for use with PingID accounts that are integrated with PingOne. Learn more about updating a PingID account to use a PingOne FIDO2 policy.

To enable authentication with FIDO2 devices:

  1. Create a FIDO policy defining which FIDO devices are permitted and the desired behavior when registering and authenticating your users. This task is described in detail in this topic.

  2. Include the FIDO policy in the relevant MFA policy (see MFA policies).

  3. Ensure the MFA policy is included in the MFA step of the relevant Authentication policy (see Adding a multi-factor authentication step).

When creating an environment, the following out-of-the-box (OOTB) FIDO policies are created by default:

  • Passkeys (default)

  • Security key

These policies represent best practice configurations for registration and authentication of the relevant devices. You can change the default policy if required.

Steps

  1. Go to Authentication > FIDO.

  2. On the FIDO Policies page, click the icon.

  3. In the Name field, enter a meaningful name for the policy.

    There is a 256 character maximum.

  4. In the Device Display Name, select the format in which you want the device to be displayed on self-service registration and authentication windows.

    Choose from:

    • Label: Free text field. The device name is not translated.

    • Translatable Keys: Select an option from the list of translatable keys. The key is translated into the relevant language.

      The list of translatable keys can be modified on the FIDO policy page for the relevant language. The FIDO policy page should be updated in the Self-Service module and the Sign On Policy module. For information, see Languages.

  5. In the FIDO Device Aggregation field, select one.

    Choose from:

    • Yes: During authentication, aggregate all FIDO devices paired with a user’s account and present them to the user as a single authentication method. The user’s OS selects the most appropriate FIDO device with which to authenticate.

    • No: Present each FIDO device to the user as a separate device during authentication.

  6. In the Relying Party field, select the relevant Relying Party ID (RPID):

    • PingOne (default): Use the PingOne RPID (such as pingone.com).

    • Custom Domain: Use the active custom domain for the selected environment. For information about custom domains, see Domains.

      This option is not currently available for PingID.

    • Other: Enter a valid domain.

      For Sandbox environments in PingOne, you can also use the value localhost.

  7. In the Discoverable Credentials field, select one.

    Discoverable credentials make it possible for registered users to authenticate without providing credentials.

    Choose from:

    • Discouraged: Discoverable credentials are not used, even when supported by the FIDO device. In cases where use of discoverable credentials is required by the FIDO device itself, this setting does not override the device setting.

    • Required: Require the use of discoverable credentials. This option is required for usernameless authentication.

    • Preferred (default): Use discoverable credentials where possible.

  8. In the Authenticator Attachment field, select the type of authenticator that can be used to register.

    Choose from:

    • Platform: Only allow platform authenticators, which are built into the accessing device (such as a face or fingerprint scanner).

    • Cross-platform: Only allow cross-platform authenticators, which are external to the accessing device (such as a security key).

    • Both (default).

  9. In the User Verification area:

    User verification requires the user to perform a gesture (such as a public key credential, fingerprint scan, or a PIN code) when using their FIDO device.

    1. In the User Verification field, select one of the following:

      • Discouraged: User verification is not performed, even when supported by the FIDO device. In cases where user verification is required by the FIDO device itself, this setting does not override the device setting.

      • Required: Only FIDO devices supporting user verification can be used.

      • Preferred (default): User Verification is performed if the user’s FIDO device supports it, and is skipped if not supported.

      For usernameless flows, User Verification must be set to Required.

    2. To apply user verification to authentication as well as registration, select the Enforce during authentication checkbox.

  10. In the Backup Eligibility field, indicate whether you allow users to authenticate with a device that uses cloud-synced credentials, such as a passkey.

    Options are Allow or Disallow.

  11. Select up to six attributes that can be used to populate the User Display Name and place them in order of preference.

    The User Display Name is a human-readable name associated with the user’s account.

    You can select any OOTB user profile attributes. The first attribute that contains valid data is used to populate the User Display Name. It is displayed to the user during registration and authentication.

  12. In the Direct Attestation Request area:

    1. In the Attestation Requirements field, select one of the following.

      Choose from:

      • None: Allow all FIDO devices, and do not request attestation.

      • Audit only: Request attestation for auditing purposes only.

      • Allow All Global: Allow use of all FIDO devices listed in the Global Authenticators table and request attestation.

      • Allow FIDO Certified Authenticators: Only allow use of FIDO Certified devices, and request attestation.

        To add a FIDO device to the Global Authenticators Table, see Managing the Global Authenticators Table.

      • Allow Specific Authenticators: Allow use of only the devices specified. Select this option and then select the devices you want to use in the Allowed Authenticators table below the list.

    2. To prevent users from authenticating with other devices that are already registered with their account, but are not included in the Allow Specific Authenticators list, select the Enforce during authentication check box.

      This option can be applied only to devices that included a FIDO resident key during the registration process.

  13. In the User Presence Timeout field, define the amount of time the user has to perform a user presence gesture with their FIDO device before the request expires (the default is 2 minutes). The value is only a hint, because the browser's FIDO authenticator defines the actual timeout.

  14. Click Save.

    Result:

    The policy is added to the Policy list.

    In the Policy list, click a policy to see a summary of the policy details in the right pane or edit an existing policy.

Next steps

Add the FIDO policy to the MFA step in the relevant Authentication policy. For information, see Adding a multi-factor authentication step.