FIDO2 passkey requirements and limitations are constantly evolving. For a list of the most up-to-date operating systems and browsers supported, see Device support.

General requirements:

To use FIDO authentication make sure that:

  • The PingID environment is integrated with PingOne. Learn more.
  • You enable FIDO2 authentication method in the admin portal. If you have an account that was previously using the security key or FIDO2 biometrics authentication methods, see also Updating a PingID account to use PingOne FIDO2 policy for Passkey support.
  • The user must perform registration and authentication with a WebAuthn supported browser (such as the latest versions of Google Chrome, Safari, or Microsoft Edge), that is running on a WebAuthn supported platform (such as Windows, MacOS, iOS, or Android).
  • PingID supports FIDO2 and U2F security keys.
    Note:

    U2F security keys can only generate a single credential per domain. A device can only be paired by one user per domain.

  • YubiKeys can be paired for either:
    • Security Key FIDO2 authentication
    • YubiKey OTP authentication

    PingID YubiKeys that feature one-time passcode (OTP) support only, or for which you only want to use OTP authentication, should be paired as a YubiKey authentication method rather than as a security key. For more information, see Configuring YubiKey authentication (Yubico OTP) for PingID.

Passwordless authentication requirements:

General limitations:

  • FIDO2 authentication is only supported for Web authentication, and Windows and Mac login machines.
  • WebAuthn timeout is defined for 2 minutes. The actual timeout value might vary depending on the browser used.
  • A user can pair more than one FIDO2 credential with their account, however, they cannot pair the same FIDO2 credentials with their account more than once.
  • Some browser versions might not support FIDO2 authentication when using incognito or private mode. 
  • If an an iOS or Mac Touch ID device is paired with PingID, clearing history and website data from the device's Safari settings will prevent a user from using PingID to authenticate. The user must unpair their device and then pair the device again to authenticate with PingID.
  • Security keys can be used for web-based authentication through WebAuthn supporting browsers only.

Second factor authentication limitations:

  • Android devices that are paired within a workspace can only be used to authenticate in the same workspace.

For troubleshooting, see the relevant section in the PingID User Guide.

Windows login and Mac login limitations:

Users authenticating as part of a Windows login, Windows login (passwordless), or Mac login authentication flow can only authenticate using a security key. PingID determines whether a passkey is a security key based on the Authenticator Attachment and the Transports attributes that are presented in the AuthenticatorAttestationResponse. Learn more about these authentication flows: