The PingOne MFA IdP Adapter can create a cookie when a FIDO-based authentication is successful. The cookie supports a passwordless experience by remembering the FIDO device and auto-prompting the user for biometrics for all future logins. The passwordless capabilities of the PingOne MFA IdP Adapter are designed to be used with the Identifier First Adapter and HTML Form Adapter.
Note:

It's assumed that users are limited to FIDO biometrics and QR code as supported authentication methods.

  1. When Configuring an adapter instance, do the following:
    1. Select the Enable Cookie Based Tracking check box.
    2. Enter an attribute in the Use Password Config Attribute field.
    3. Enter an attribute in the Bypass MFA for Device Pairing Attribute field.
    4. Select the Enforce Device Selection check box.
  2. When Adding PingOne MFA to your authentication policy, do the following:
    1. Configure the attribute you defined in the Use Password Config Attribute field with the value true from the IDFirst adapter.

      This policy configuration should send the value false for the last PingOne MFA IdP Adapter because the Use Password policy action is not applicable for the last adapter in the policy.

    2. Configure the attribute you defined in the Bypass MFA for Device Pairing Attribute field so that it is received with the value true from the HTML Form Adapter.

      This configuration allows the second PingOne MFA IdP Adapter to bypass the authentication requirement upon new pairing.

    Screen capture of the Policy window showing the options and rule settings.

The next time the user attempts to log in, the cookie will be received. The PingOne MFA IdP Adapter will then know the user ID needed to initiate the authentication flow with PingOne and will automatically select the device ID to trigger passwordless authentication.