After defining user groups and end user accounts in your organization, determine which authentication method they will use.
PingID supports several types of authentication for users:
- PingID Mobile App. This includes the fingerprint biometrics, facial recognition, swipe, mobile soft token, and Apple Watch authentication methods.
- FIDO2 biometrics
- Security key
- Desktop Soft Token
- Authentication app
- OATH token
- YubiKey - Yubico OTP
- Email OTP
- SMS and Voice
As an administrator, you determine which authentication methods the users in your organization use. For example, you can start with a lenient method such as SMS and move to stricter methods, such as biometrics authentication, at a later stage.
The only authentication method enabled by default is the swipe method. You must manually enable any other authentication method. For more information, see Configuring authentication for the PingID mobile app.
PingID Mobile App
The fingerprint authentication uses a device's native capability to scan and authenticate the user’s fingerprint.
Fingerprint authentication is supported on devices that support biometrics and are included in the PingID mobile app Supported operating systems.
You can set the fingerprint authentication rollout mode with the following settings:
- Disable fingerprint authentication.
- Enable for iOS, Android, or both, in one of the following modes:
  - Enable: If the user has a supporting device and has enabled the fingerprint scan option, they are authenticated by fingerprint.
  - Require: Users with supporting devices are required to set up their fingerprint scan option and authenticate with it.
  - Enforce: Fingerprint scanning by the PingID app is required on every authentication, even if the user unlocked the device using their fingerprint.
For more information, see Configuring biometrics authentication for the PingID mobile app and Troubleshooting PingID authentication.
Biometrics: Facial Recognition
PingID supports facial recognition. Authentication by facial recognition is model dependent for Apple and Android devices.
Both facial recognition and fingerprint authentication results are transparently passed through to the PingID app. For configuration information, see Configuring biometrics authentication for the PingID mobile app.
- Apple: Apple uses Face ID for some iPhone and iPad devices. These devices are configured for Face ID or Touch ID, but not both. Devices that support Face ID include:
  - iPhone: iPhone XS Max, iPhone XS, iPhone XR, iPhone X
  - iPad: iPad Pro 12.9" (third generation), iPad Pro 11"
  For the most recent information from Apple, see iPhone and iPad models that support Face ID.
- Android Platforms: Facial data is acquired using the device's camera. If the user attempts to authenticate with an unlocked screen, only fingerprint authentication is available. On a locked screen, fingerprint authentication and facial recognition are both available on supported devices.
Swipe/Lock Screen Buttons
An authentication request is sent to the PingID mobile application via a push message on the end user's device. Then the user can respond to the authentication request directly on the lock screen, or launch the application and manually swipe the PingID button to approve the authentication request.
Mobile Soft Token
If a user has an Apple Watch connected to their iPhone, the PingID app automatically presents the Approve or Deny authentication actions on the Apple Watch, so the user can authenticate without needing to access their device.
The user can take advantage of FIDO2 strong cryptographic authentication, using built-in FIDO2 platform biometrics on their device.
Biometrics are supported for the following devices:
- Windows Hello
- Apple Mac (Touch ID)
- iOS biometrics
- Android biometrics
For more information, see Configuring FIDO2 biometrics for PingID.
The user can authenticate with any FIDO2 compliant security key or wearable device. The security key allows relying parties to offer a strong cryptographic authentication option for end user security. For more information, see Configuring the FIDO2 security key for PingID.
Desktop Soft Token
If the organization has approved the use of the PingID desktop app, users can generate an OTP from the local installation of the desktop app on their Windows or Mac computer. For more information, see PingID desktop app authentication.
If the organization has approved the use of external Time-based One-time Password (TOTP) authenticator apps, such as Google Authenticator, a user can generate an OTP from the authenticator app on their device. For more information, see Configuring authenticator app authentication for PingID.
An OATH token is a secure OTP that can be used for two-factor authentication and is OATH compliant. For more information, see https://openauthentication.org/.
Use hardware OATH tokens where there are no provisions for connection to the Internet, USB connections, or mobile phones. Such connections might be disallowed for security reasons. For more information, see Configuring OATH token authentication for PingID.
YubiKey™ - Yubico OTP
The user must click a YubiKey with Yubico OTP capabilities in order to authenticate. Select this method of authentication if you've distributed YubiKey hardware tokens to users who are not authenticating using a mobile device.
YubiKeys that are FIDO2 compliant can be used as either a YubiKey or a Security key. For more information, see Configuring YubiKey authentication (Yubico OTP) for PingID.
If you have users who aren't using devices that support the PingID mobile application, you can choose to enable this method of authentication. The user is authenticated by providing a 6-digit OTP sent by email to their email address. For more information, see Configuring email authentication for PingID.
SMS and Voice
If you have users who aren't using devices that support the PingID mobile application, you can enable this method of authentication. The user is authenticated by providing a 6-digit OTP sent to the user's mobile device or landline phone, using SMS or voice channels.
For more information, including SMS and Voice usage limits, see SMS and voice authentication.