FIDO devices that are paired directly using the PingOne self-service do not work with the PingFederate authentication flow unless you register the devices with either Custom Domain or Other configured as the Relying Party ID and make them visible to the PingFederate domain.

When you choose either of these options as the Relying Party ID, you can configure the PingFederate domain to run on its own subdomain of the custom domain by changing the PingFederate base URL or using a virtual host name. Configuring the PingFederate domain to run as its own subdomain enables you to use FIDO devices interchangeably.