• To use your security key to authenticate when you are offline, you must authenticate successfully at least once when online. For information, seeAuthenticating using a security key (Windows login) .
  • The minimum version of Windows login you need depends on the following:
    • If your organization requires you to enter a password to authenticate, you'll need PingID for Windows login 2.3 or later.
    • If your organization has eliminated passwords, you'll need PingID for Windows Passwordless login 1.2 or later.

    If you're not sure, check with your organization's administrator.

  • If your organization requires you to enter a password when you sign on, it is not possible to use a FIDO2 security key to authenticate when accessing your Windows login account through RDP. If your organization has eliminated passwords, you can do so.
  • If you are using a U2F security key, offline authentication is only supported when using PingID for Windows login 2.3 - 2.7.x.

Manual authentication with a security key is only possible if:

  • Your company policy and configuration allow the use of a security key to authenticate when offline.
  • You have already paired a security key and authenticated successfully at least once when online.
    Note:

    From PingID for Windows login 2.8 and later, you can use any security key that is paired to your account as long as you have successfully authenticated with it at least once online using the specific Windows machine that you want to sign on from. For version 2.7 and lower, you need to pair a security key specifically for manual authentication.

  1. Connect your security key either physically through a USB cable or, if applicable, ensure NFC or Bluetooth are set to ON.
  2. Sign on to your Windows machine.
    1. If you are offline and do not have an internet connection, in the Manual Authentication window, follow the prompting to authenticate manually.
      A screen capture of the Manual Authentication window requesting you to select your authentication method.
      Note:

      If you enrolled a security key for manual authentication in Windows login 2.7 or lower, and then upgraded to Windows login 2.8 or higher, you may see the same security key listed but with a different nickname. You should delete the deprecated duplicate device (deprecated devices show the Delete option). Before you delete a device, make sure you have at least one alternative device paired with your account.

    2. If you have more than one authentication method paired with your account, in the Authenticating on section, select Security Key.
    3. Click Next.
  3. Use your security key to authenticate.

    A screen capture of the Manual Authentication window prompting you to authenticate using your security key.

The green Authenticated message appears with a check mark, indicating authentication is successful. You are redirected and signed on to your account or app.


A screen capture of the green Authenticated message with a check mark, indicating successful authentication.