Process flow

  1. The PingOne MFA adapter invokes the FIDO usernameless authentication flow if the adapter is invoked using a policy.action attribute containing the keyword biometrics.
    Screen capture showing the Authentication Sources tab with the QR Code and biometrics keyword listed under Authentication Source.
    Screen capture of the Rules window showing the policy.action attribute mapped to the biometrics keyword.
    Screen capture of the sign on window showing QR code and biometrics as options under Sign On With.
  2. Configure the appropriate policy action for biometrics for the PingOne MFA adapter. When the flow is invoked with this policy action, the adapter invokes the FIDO usernameless authentication flow.
  3. Other policy action names that trigger this flow are:
    1. TouchID
    2. FaceID
    3. FIDO

Authentication API flow

When the authentication API flow is invoked for the useAlternativeAuthenticationSource action for biometrics, the adapter responds with the BIOMETRIC_DEVICE_AUTHENTICATION_INFO_REQUIRED state.

The application must provide its host name through origin to continue with biometric device authentication. This invokes the biometric authentication flow, which transitions to the ASSERTION_REQUIRED state and requires data from the client to complete biometric authentication, as in the following response:

{
  "id": "NqMl7",
  "pluginTypeId": "j_AGR1E__nc2USbRhZPMQQ",
  "status": "ASSERTION_REQUIRED",
  "devices": [],
  "publicKeyCredentialRequestOptions": {
    "challenge": [
      69,
      43,
      -101,
      -53,
      -9,
      63,
      115,
      -91,
      -128,
      -112,
      53,
      -68,
      -95,
      -69,
      -10,
      -41,
      -33,
      -24,
      -91,
      -21,
      -70,
      2,
      -17,
      54,
      86,
      92,
      14,
      110,
      59,
      -122,
      -45,
      -61
    ],
    "timeout": 120000,
    "rpId": "localhost.ping-eng.com",
    "userVerification": "required",
    "allowCredentials": []
  },
  "manualPairingPermitted": false,
  "manualPairing": false,
  "userSelectedDefault": false,
  "changeDevicePermitted": false,
  "_links": {
    "cancelAuthentication": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    },
    "self": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    },
    "checkAssertion": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    }
  }
}
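
The challenge in this response is an array of signed bytes, while the browser's navigator.credentials.get() call expects a BufferSource. The following added example (not part of the original page or of the adapter's code; function names are hypothetical) converts the sample response above and checks rpId against the application's origin before the WebAuthn call.

```javascript
// Added example; names are hypothetical, sample values are copied from the response above.
const SAMPLE_FLOW_RESPONSE = {
  status: "ASSERTION_REQUIRED",
  publicKeyCredentialRequestOptions: {
    challenge: [69, 43, -101, -53, -9, 63, 115, -91, -128, -112, 53, -68, -95, -69, -10, -41,
                -33, -24, -91, -21, -70, 2, -17, 54, 86, 92, 14, 110, 59, -122, -45, -61],
    timeout: 120000,
    rpId: "localhost.ping-eng.com",
    userVerification: "required",
    allowCredentials: [],
  },
};

// The response encodes each challenge byte as a signed value (-128..127);
// WebAuthn needs raw bytes, so map every element to its unsigned form.
function signedBytesToUint8Array(bytes) {
  if (!Array.isArray(bytes) || bytes.length < 16) {
    throw new Error("challenge missing or shorter than 16 bytes");
  }
  return Uint8Array.from(bytes, (b) => {
    if (!Number.isInteger(b) || b < -128 || b > 127) {
      throw new Error("challenge element is not a signed byte: " + b);
    }
    return b & 0xff;
  });
}

// Simplified pre-check: the origin's host must equal rpId or be a subdomain of it.
// The browser enforces the full rule; failing early gives a clearer error.
function rpIdMatchesOrigin(rpId, origin) {
  const host = new URL(origin).hostname;
  return host === rpId || host.endsWith("." + rpId);
}

function toWebAuthnRequestOptions(flowResponse, origin) {
  if (flowResponse.status !== "ASSERTION_REQUIRED") throw new Error("unexpected flow state");
  const opts = flowResponse.publicKeyCredentialRequestOptions;
  if (!rpIdMatchesOrigin(opts.rpId, origin)) throw new Error("rpId does not cover origin");
  // Assumption: the deployment expects user verification, as in the sample response.
  if (opts.userVerification !== "required") throw new Error("userVerification not required");
  // This example covers only the usernameless case, where allowCredentials is empty.
  if (opts.allowCredentials.length !== 0) throw new Error("allowCredentials not empty");
  return {
    publicKey: {
      challenge: signedBytesToUint8Array(opts.challenge),
      timeout: opts.timeout,
      rpId: opts.rpId,
      userVerification: opts.userVerification,
      allowCredentials: [],
    },
  };
}
```

The returned object is the argument shape that navigator.credentials.get() accepts in a browser.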

Core contract attributes

At the end of a successful authentication flow, the following core attributes are filled based on information found in a successful PingOne check assertion API response:

username
    (existing core attribute) - username
usernameless.flow.platform
    (new core attribute) - platform information
usernameless.flow.userid
    (new core attribute) - user ID

For example, for the response below, the username, usernameless.flow.platform, and usernameless.flow.userid attribute values are demouser, MAC, and 78fe678a-5ec0-49b3-bcd7-742523cb216a, respectively.

{
  "_links" : {
    "self" : {
      "href" : "https://auth.pingone.com/23c17a79-4972-4a46-871e-9b1121823917/deviceAuthentications/0326f203-950e-418c-9cdb-829c5a4a2586"
    }
  },
  "_embedded" : {
    "devices" : [ {
      "id" : "00528f83-ae17-459a-838e-3f1226705a3a",
      "type" : "PLATFORM",
      "status" : "ACTIVE",
      "rp" : {
        "id" : "localhost.ping-eng.com",
        "name" : "PingFederate"
      },
      "fidoRegistrationArtifacts" : {
        "attestationType" : "SELF"
      },
      "platform" : "MAC",
      "_embedded" : {
        "webAuthnCredentials" : {
          "credentialId" : "3mP-Uv1u_9i9cM025m9SKIqfMIz-TcDgRBJR_BP8xA2BxeN6Hmgzs-s8DKYZIXbDgioqrfoLCftUp0kzeFrvHT6hAGHoe2OFoLsrx_vuLsmmREyHqoZGWVsUxFEjNqo1eEhSpsTx5YnO54GQ4H6hMRAuutyWNnlj",
          "userHandle" : "plAY2tGM7kS7coi2+0DPU6xk1A63DDr2TUuYBGVfCRE=",
          "credentialPublicKey" : "pQECAyYgASFYIBI_xOdmnL_OEcewdD2abF30WCmt8KJlix_8WNPIuysPIlggNxYEbOiR8NlgIEkKvrbSaJKsokXmKxS_Nl3JwT_ctfE=",
          "signCount" : 0
        },
        "user" : {
          "id" : "78fe678a-5ec0-49b3-bcd7-742523cb216a",
          "environment" : {
            "id" : "23c17a79-4972-4a46-871e-9b1121823917"
          },
          "username" : "demouser",
          "email" : "demouser@pingidentity.com",
          "population" : {
            "id" : "50756a1a-1b5d-49e2-b316-b3511fdc7a9f"
          },
          "name" : {
            "given" : "demouser"
          }
        }
      }
    } ]
  },
  "id" : "0326f203-950e-418c-9cdb-829c5a4a2586",
  "environment" : {
    "id" : "23c17a79-4972-4a46-871e-9b1121823917"
  },
  "status" : "COMPLETED",
  "policy" : {
    "id" : "bc8d02b5-ba91-0fe1-195c-4cc8ea5a77a3"
  },
  "selectedDevice" : {
    "id" : "00528f83-ae17-459a-838e-3f1226705a3a"
  },
  "user" : {
    "id" : "78fe678a-5ec0-49b3-bcd7-742523cb216a"
  },
  "rp" : {
    "id" : "localhost.ping-eng.com"
  },
  "publicKeyCredentialRequestOptions" : "{\"challenge\":[119,-85,-127,71,6,46,47,8,-58,-9,95,-94,77,-82,103,-98,87,11,-90,1,-69,-59,-33,78,-39,63,-55,-10,-101,77,-84,-126],\"timeout\":120000,\"rpId\":\"localhost.ping-eng.com\",\"allowCredentials\":[],\"userVerification\":\"required\"}",
  "authenticators" : [ "mfa", "user" ],
  "createdAt" : "2022-09-10T00:12:57.489Z",
  "updatedAt" : "2022-09-10T00:13:02.418Z"
}
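
The following added example (not the adapter's own code) shows where the three values sit in the response above and adds consistency checks useful when inspecting such responses in tests or logs. The JSON paths are inferred from the sample response, and the function name and the expectedRpId parameter are hypothetical.

```javascript
// Added example; JSON paths are inferred from the sample response on this page,
// not from documented adapter behaviour. The sample is a trimmed copy of that response.
const SAMPLE_CHECK_ASSERTION = {
  status: "COMPLETED",
  selectedDevice: { id: "00528f83-ae17-459a-838e-3f1226705a3a" },
  user: { id: "78fe678a-5ec0-49b3-bcd7-742523cb216a" },
  rp: { id: "localhost.ping-eng.com" },
  _embedded: {
    devices: [{
      id: "00528f83-ae17-459a-838e-3f1226705a3a",
      status: "ACTIVE",
      platform: "MAC",
      _embedded: {
        user: { id: "78fe678a-5ec0-49b3-bcd7-742523cb216a", username: "demouser" },
      },
    }],
  },
};

function extractCoreAttributes(resp, expectedRpId) {
  // Only a completed device authentication should populate the contract.
  if (resp.status !== "COMPLETED") throw new Error("assertion not completed: " + resp.status);
  // The assertion must have been made for the relying party we expect.
  if (!resp.rp || resp.rp.id !== expectedRpId) throw new Error("unexpected relying party");
  // Use the device the response names as selected, not simply the first one listed.
  const devices = (resp._embedded && resp._embedded.devices) || [];
  const device = devices.find((d) => d.id === resp.selectedDevice.id);
  if (!device) throw new Error("selected device not present in response");
  // The user embedded in the device must be the user the response authenticated.
  const user = device._embedded.user;
  if (user.id !== resp.user.id) throw new Error("embedded user does not match response user");
  return {
    "username": user.username,
    "usernameless.flow.platform": device.platform,
    "usernameless.flow.userid": user.id,
  };
}
```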