Page created: 3 Jun 2020
|
Page updated: 13 Apr 2021
The following list details the requirements and limitations when using FIDO2 platform biometrics with PingID.
General requirements:
- FIDO2 biometrics authentication is supported for web authentication only.
- Define an appropriate FIDO2 platform authentication method on the accessing device to pair the device, such as fingerprint or Face ID. If no platform authentication method is defined, the user will not be able to pair the device or authenticate with PingID.
- Perform registration and authentication with a WebAuthn supported browser, such as the latest versions of Google Chrome, Safari, or Microsoft Edge.
- Avoid the use of the same FIDO2 biometrics device by more than one user.
-
Passwordless authentication using Mac Touch ID through a Chrome browser is only supported for devices paired after February 23, 2021. Users with devices that were paired to PingID before February 23, 2021 should unpair their device and then pair it again, in order to use passwordless authentication with a Chrome browser.
Mac Touch ID requirements:
- Mac Touch ID authentication is browser-specific. The browser that you use to set up your device must be the same browser that you use to authenticate. For example, if you set up your Mac Touch ID biometrics device using a Safari browser, you can only authenticate with that device from a Safari browser. If you want the option to authenticate using a different browser, you must pair the device through that browser separately.
- Authentication using a Safari browser requires machine running Mac OS 11 Big Sur or later that support Touch ID and FIDO2 platform biometrics.
iOS biometrics requirements:
- iOS FIDO2 biometric authentication is supported on devices running iOS 14 or later, or iPadOS 14 or later.
- Supported browsers:
- FIDO2 authentication is supported by Safari 14 or later.
- Chrome browsers are not supported on iOS.
Windows requirements:
For Windows devices, the Windows Hello device support depends on the browser used:
- Microsoft Edge browser 44.17763 or later requires Windows 10 version 1809 or later with Windows Hello enabled.
- Google Chrome browser 76 or later requires Windows 10 version 1903 or later with Windows Hello enabled.
Passwordless authentication requirements:
- When creating a PingFederate policy for passwordless authentication with FIDO2 biometrics, you must use PingID Integration kit 2.7 or later, with PingFederate v9.3 or later.
Note: Passwordless flow with PingID will be enabled on other OSs when the OSs are able to
support WebAuthn resident keys
Second factor authentication requirements:
- Authenticating with a mobile device requires Android 7 and later. iOS devices do not support FIDO2 platform biometrics.
General limitations:
- WebAuthn timeout is defined for 2 minutes. The actual timeout value might vary depending on the browser used.
- In TPM attestation, PingID supports RSA public keys only.
- PingID does not support Android-key attestation.
- A user can pair more than one FIDO2 biometrics device with their account, however, they cannot pair the same FIDO2 biometrics device with their account more than once.
- Some older browser versions might not support FIDO2 biometrics when using incognito or private mode.
- If an an iOS or Mac Touch ID device is paired with PingID, clearing history and website data from the device's Safari settings will prevent a user from using PingID to authenticate. The user must unpair their device and then pair the device again to authenticate with PingID.
Second factor authentication limitations:
- Android devices that are paired within a workspace can only be used to authenticate in the same workspace.
For troubleshooting, see the relevant section in the PingID User Guide.