The PingOne MFA IdP Adapter supports passwordless login by using a cookie to store FIDO device information for an elevated user experience.
It's assumed that users are limited to FIDO biometrics and QR code as supported authentication methods.
When configuring an adapter instance, do the following:
- Select the Enable Cookie Based Tracking check box.
- Enter an attribute in the Use Password Config Attribute field.
- Enter an attribute in the Bypass MFA for Device Pairing Attribute field.
- Select the Enforce Device Selection check box.
When adding PingOne MFA to your authentication policy, do the following:
- Configure the attribute you defined in the Use Password Config Attribute field with value true from the IDFirst adapter.
  This policy configuration should send the value false for the last PingOne MFA IdP Adapter because the Use Password policy action is not applicable for the last adapter in the policy.
- Configure the attribute you defined in the Bypass MFA for Device Pairing Attribute field, received with value true from the HTML form adapter.
  This configuration allows the second PingOne MFA IdP Adapter to bypass the authentication requirement upon new pairing.
The next time the user attempts to log in, the cookie will be received. The PingOne MFA IdP Adapter will then know the user ID to initiate the authentication flow with PingOne and will automatically select the device ID to trigger passwordless authentication.