The following list details the requirements and limitations when using FIDO2 platform biometrics with PingID.
- FIDO2 biometrics authentication is supported for web authentication only.
- Define an appropriate FIDO2 platform authentication method on the accessing device to pair the device, such as fingerprint or Face ID. If no platform authentication method is defined, the user will not be able to pair the device or authenticate with PingID.
- Perform registration and authentication with a WebAuthn supported browser, such as the latest versions of Google Chrome, Safari, or Microsoft Edge.
- Avoid the use of the same FIDO2 biometrics device by more than one user.
Passwordless authentication using Mac Touch ID through a Chrome browser is only supported for devices paired after February 23, 2021. Users with devices that were paired to PingID before February 23, 2021 should unpair their device and then pair it again, in order to use passwordless authentication with a Chrome browser.
FIDO Passkey requirements:
FIDO passkey requirements and limitations are constantly evolving. For a list of the most up-to-date operating systems and browsers supported, see Device support.
Passwordless authentication requirements:
- When creating a PingFederate policy for passwordless authentication with FIDO2 biometrics, you must use PingID Integration kit 2.7 or later, with PingFederate v9.3 or later.
- The WebAuthn timeout is set to 2 minutes. The actual timeout value might vary depending on the browser used.
- PingID does not support Android-key attestation.
- A user can pair more than one FIDO2 biometrics device with their account; however, they cannot pair the same FIDO2 biometrics device with their account more than once.
- Some older browser versions might not support FIDO2 biometrics when using incognito or private mode.
- If an iOS or Mac Touch ID device is paired with PingID, clearing history and website data from the device's Safari settings will prevent a user from using PingID to authenticate. The user must unpair their device and then pair the device again to authenticate with PingID.
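
The browser-side requirements above (a WebAuthn-supported browser, a platform authentication method defined on the device, the 2-minute timeout) can be checked before a user starts pairing. The following is an added example, not PingID code: the function names, the `env` parameter and the `rp`, `user` and `challenge` values are assumptions for illustration, and the `userVerification` setting is an assumed choice rather than PingID's documented request.

```javascript
// Added example, not PingID code. `env` stands in for the browser's `window`
// so the check can also be exercised with constructed stubs outside a browser.
const WEBAUTHN_TIMEOUT_MS = 2 * 60 * 1000; // the 2-minute timeout stated above

async function fido2PairingPreflight(env) {
  const problems = [];
  const PKC = env.PublicKeyCredential;
  const creds = env.navigator && env.navigator.credentials;

  // Requirement: registration and authentication need a WebAuthn-supported browser.
  if (!PKC || !creds || typeof creds.create !== "function") {
    problems.push("browser does not expose the WebAuthn API");
    return { ready: false, problems };
  }

  // Requirement: a platform authentication method (fingerprint, Face ID) is defined.
  let hasPlatformAuth = false;
  try {
    hasPlatformAuth = (await PKC.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch (err) {
    hasPlatformAuth = false; // treat an API failure as "not available"
  }
  if (!hasPlatformAuth) {
    problems.push(
      "no platform authentication method available; set up fingerprint or " +
      "Face ID, and on older browsers retry outside private mode"
    );
  }
  return { ready: problems.length === 0, problems };
}

// Illustrative creation options limited to the built-in (platform) authenticator.
// rp, user and challenge are caller-supplied placeholders (assumptions).
function platformCreationOptions(rp, user, challenge) {
  return {
    publicKey: {
      rp, user, challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        authenticatorAttachment: "platform",
        userVerification: "required", // assumed setting for biometrics
      },
      timeout: WEBAUTHN_TIMEOUT_MS, // a hint only; browsers may apply their own limit
    },
  };
}
```

In a page, call `fido2PairingPreflight(window)` and show the returned `problems` to the user instead of letting pairing fail later.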
Second factor authentication limitations:
- Android devices that are paired within a workspace can only be used to authenticate in the same workspace.
For troubleshooting, see the relevant section in the PingID User Guide.