Passkeys are FIDO credentials that are discoverable by browsers or housed within native applications or security keys for passwordless authentication. There are a wide range of devices that can be used as a passkey, including Windows Hello, iOS 14 and later, Android 7.0 and later, Apple Mac machines with fingerprint authentication capabilities, and FIDO2 security keys. PingID also supports non-discoverable credentials (FIDO2 devices that are not defined as passkeys).

To learn more about passwordless authentication using Passkeys, see Configuring passwordless authentication for passkeys.


PingID receives confirmation that a device has the relevant WebAuthn FIDO2 capabilities with the authenticating browser. If the capabilities are not sufficient, such as the browser is not supported, the OS does not support biometric authentication, or a compatible authentication method is not defined, the user will be unable to authenticate with the passkey device and might be unable to authenticate at all if that is their only authenticating device.

To enable users to authenticate using FIDO2 authentication, the high-level flow is as follows:

  1. In the Admin portal, enable FIDO2 authentication.
  2. Optional: Define a PingID policy.

    For more information, see Authentication policy.

  3. Have the user register their FIDO2 biometrics device and pair it with their PingID account to create a trust between the device and the user's account, so they can use it authenticate during the sign-on process.