---
title: FIDO policies
description: FIDO policies define which FIDO devices and authenticators can be used for registration and authentication purposes. FIDO allows you to authenticate users using public key-based credentials.
component: pingone
page_id: pingone:authentication:p1_fido_policies
canonical_url: https://docs.pingidentity.com/pingone/authentication/p1_fido_policies.html
revdate: August 6, 2024
section_ids:
  fido2-integration-modes: FIDO2 integration modes
  related-links: Related links
---

# FIDO policies

FIDO policies define which FIDO devices and authenticators can be used for registration and authentication purposes. FIDO allows you to authenticate users using public key-based credentials.

PingOne supports the use of the WebAuthn standard, and the PingOne FIDO2 server is a FIDO2-certified product.

![FIDO alliance FIDO certified icon](_images/nvt1619329318642.png)

FIDO2 with PingOne provides many security benefits, such as protection against phishing and replay attacks. PingOne includes the following security measures from the FIDO2 specification:

* Based on public key cryptography

* Does not employ server-side shared secrets that could otherwise be compromised

* Isolates services from accounts
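The phishing and replay protections listed above come from checks the relying party runs on each WebAuthn assertion. The following is an added example, not PingOne code: `RP_ID`, `EXPECTED_ORIGIN`, `ChallengeStore` and the function names are assumptions for illustration, and the sample assertion is constructed. It covers the origin, RP ID and one-time challenge checks; verifying the signature with the registered public key is a separate step.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "login.example.com"                   # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed sign-in page origin

class ChallengeStore:
    """Issues random challenges that can be consumed exactly once."""
    def __init__(self):
        self._pending = set()
    def issue(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge
    def consume(self, challenge: bytes) -> bool:
        if challenge in self._pending:
            self._pending.remove(challenge)
            return True
        return False

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, store: ChallengeStore) -> str:
    """Run the origin, RP ID and challenge checks on one assertion."""
    try:
        client = json.loads(client_data_json)
        encoded = client["challenge"]
        challenge = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except (ValueError, KeyError, TypeError):
        return "reject: malformed clientDataJSON"
    if not store.consume(challenge):           # spent even if a later check fails
        return "reject: unknown or reused challenge"
    if client.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if client.get("origin") != EXPECTED_ORIGIN:  # origin is reported by the browser
        return "reject: origin mismatch"
    if len(auth_data) < 37:                    # 32 hash + 1 flags + 4 counter bytes
        return "reject: truncated authenticator data"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "reject: RP ID hash mismatch"
    if not auth_data[32] & 0x01:               # bit 0 of flags = user present
        return "reject: user not present"
    return "accept"

def constructed_assertion(challenge: bytes, origin: str, rp_id: str):
    """Constructed sample: what a browser and authenticator would return."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return client_data, auth_data
```

An assertion produced on a look-alike domain fails the origin check, and a captured assertion fails when it is sent a second time because its challenge has already been consumed.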

FIDO2 devices can include:

* FIDO2 biometrics and security keys.

* Passkeys. Passkeys allow cloud-synced credentials so that users can access their FIDO sign-in credentials on many of their devices, even new ones, without having to re-enroll every device on every account.

FIDO2 devices and authenticators can be used for registration and authentication purposes and to enable usernameless and passwordless authentication.

You can also view, search, add, or delete FIDO devices in the **Global Authenticators Table**. Learn more in [Managing the Global Authenticators Table](p1_add_device_to_global_authenticators_table.html).

## FIDO2 integration modes

PingID supports the following FIDO2 integration modes:

* PingID's out-of-the-box solution, using the PingID UI and the pingone.com domain. Learn more in:

  * [Using Windows Hello for authentication](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_using_windows_hello_auth.html)

  * [Using Apple Mac Touch ID for authentication](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_using_mac_touchid_auth.html)

  * [Using a security key (FIDO2) for authentication](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_using_security_key_auth.html)

  * [Using Android biometrics for authentication](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_using_android_biometrics_auth.html)

* API-based, using a custom UI that is not hosted by PingID, and a custom domain. Learn more in:

  * [FIDO pairing workflow](https://developer.pingidentity.com/pingid-api/pid_c_PingIDapiUserManagement.html#fido-pairing-workflow)

  * [FIDO authentication workflow](https://developer.pingidentity.com/pingid-api/pid_c_PingIDapiAuthentication.html#fido-authentication-workflow)

  * [FIDO passwordless authentication workflow](https://developer.pingidentity.com/pingid-api/pid_c_PingIDapiAuthentication.html#fido-passwordless-authentication-workflow)

* Hybrid mode, which is also API-based, using a custom UI that is not hosted by PingID for registration and PingID's default UI for authentication. This mode leverages the pingone.com domain. Learn more in [PPM request for FIDO authentication with a hybrid UI](https://developer.pingidentity.com/pingid-api/pid_c_PingIDapiPpmrequest.html#ppm-request-for-fido-authentication-with-a-hybrid-ui).

## Related links

* [Adding a FIDO policy](p1_creating_a_fido_policy.html)
