You can use a security key hardware authenticator to cover many use cases, including sensitive environments and users working in environments with limited device or phone access, such as hospitals, financial institutions, or federal buildings.

FIDO2 security keys are fully backward compatible with U2F, enabling PingID to support both FIDO2 and U2F security keys.

When security key authentication is enabled, the user registers the security key and pairs it with their PingID account. This creates a trust between the security key and the user's account, so they can use the security key to authenticate during the sign-on process.

Note:

Use security keys for web-based authentication only, through browsers that support WebAuthn.

Passwordless security key

You can configure a PingFederate policy to allow users to authenticate with their security key as a first authentication factor, eliminating the need to enter a username or password, and providing a frictionless and secure sign-on experience.
To configure passwordless authentication using a security key:
  1. (Legacy) Configuring security key authentication with Resident Key set to Required.
  2. Configure a PingFederate policy for passwordless authentication with a security key (see (Legacy) Configuring a PingFederate policy for passwordless authentication with a security key).

For information about security key requirements and limitations, see (Legacy) Security key authentication requirements and limitations.

The process of registering a security key is the same for both passwordless and secondary authentication flows. The user is directed to the relevant flow, according to your organization’s configuration. Once registered, the same security key can be used to authenticate via either flow (see Setting up your security key in the PingID User Guide).
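The following added example is generic WebAuthn code, not PingID or PingFederate code. It shows why Resident Key must be Required for the passwordless flow and how one registration can serve both flows. The function names, the `flow` values, the relying party fields, and the `userVerification` settings are assumptions made for illustration.

```javascript
// Added example: generic WebAuthn option builders, not PingID or PingFederate code.
// All names and field values here are illustrative assumptions.

// Registration: one ceremony serves both flows. residentKey "required" makes the
// key store a discoverable credential, which passwordless sign-on depends on.
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    challenge, // server-issued, single use
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // roaming security key
      residentKey: "required",
      requireResidentKey: true, // WebAuthn Level 1 spelling of the same setting
      userVerification: "required", // assumption: PIN or biometric on the key
    },
  };
}

// Authentication: flow is "passwordless" (first factor) or "secondary".
function buildAssertionOptions({ flow, rpId, challenge, knownCredentialIds = [] }) {
  if (flow === "passwordless") {
    // No username was entered, so the server cannot name a credential.
    // An empty allowCredentials list asks the key for a discoverable credential.
    return { challenge, rpId, allowCredentials: [], userVerification: "required" };
  }
  if (flow === "secondary") {
    // The user is already identified, so their paired credential IDs are listed.
    if (knownCredentialIds.length === 0) {
      throw new Error("user has no paired security key");
    }
    return {
      challenge,
      rpId,
      allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
      userVerification: "discouraged", // assumption: first factor already verified
    };
  }
  throw new Error(`unknown flow: ${flow}`);
}

// Check that registration options yield a credential usable without a username.
function supportsPasswordless(registrationOptions) {
  const sel = registrationOptions.authenticatorSelection || {};
  return sel.residentKey === "required" || sel.requireResidentKey === true;
}
```

In a browser, the returned objects are passed as `navigator.credentials.create({ publicKey: options })` for registration and `navigator.credentials.get({ publicKey: options })` for authentication.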

Manual authentication with a FIDO2 security key

PingID integration with Windows login supports the use of FIDO2 security keys for manual authentication, for example, when a user does not have an internet or network connection when signing on.
  • FIDO2 security key for manual authentication is supported by PingID Integration for Windows login 2.3 or later.
  • U2F security key for manual authentication is only supported by PingID Integration for Windows login 2.3 - 2.7.x.
To use a security key when offline, users must first pair it and authenticate successfully at least once online. For more information, see the PingID End User Guide.