When using security keys with PingID, the following requirements and limitations apply:
- Security keys are supported for Web authentication only.
- PingID supports FIDO2 and U2F security keys. Note: a U2F security key can generate only a single credential per domain, so a U2F key can be paired by only one user per domain.
- Security keys can be used for web-based authentication through WebAuthn-supporting browsers only. Note: any browser that supports the use of a security key also supports WebAuthn.
- When authenticating with a mobile device, use of FIDO2 and U2F security keys with PingID:
- Is supported on Android 7 and later
- Is supported on iOS 13.3 and later
- Registration and authentication must be performed with a WebAuthn supported browser, such as the latest versions of Google Chrome or Microsoft Edge.
- The use of FIDO2 security keys for manual (offline) authentication:
- Requires PingID Integration for Windows login 2.3 or later.
- The WebAuthn timeout is set to 2 minutes. Browsers treat this value as a hint, so the actual timeout might vary depending on the browser used.
- PingID does not support security keys that require a signed attestation using ECDAA in the packed attestation format.
- A user can pair more than one security key with their account.
- The same security key can be used by more than one user if each user is pairing the security key to a different account.
- A user cannot pair the same security key with their account more than once.
- YubiKeys can be paired for either:
- Security key (FIDO2) authentication
- YubiKey OTP authentication
YubiKeys that support one-time passcode (OTP) only, or for which you only want to use OTP authentication, should be paired as a YubiKey authentication method rather than as a security key. For more information, see Configuring YubiKey authentication (Yubico OTP) for PingID.
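The ECDAA restriction above, as an added example that is not part of the original page or of PingID's own code: a relying-party-side check, written in Python, that decodes a WebAuthn attestationObject (the CBOR structure returned by navigator.credentials.create()) and refuses registrations whose packed attestation statement carries an ecdaaKeyId. The minimal CBOR encoder and decoder, the function names, and the sample attestation objects (built inline with placeholder signature, certificate and authData bytes) are all the example's own assumptions.

```python
"""Relying-party check for ECDAA in packed attestation (added example, not
PingID code). Classifies a "packed" attestation statement as basic/AttCA
(x5c present), self attestation (neither), or ECDAA (ecdaaKeyId present).
The sample attestation objects at the bottom are constructed with the minimal
CBOR encoder below; their byte strings are placeholders, not real values."""

# Minimal CBOR encoder: enough to build attestation objects for testing.
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for extra, size in ((24, 1), (25, 2), (26, 4)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | extra]) + n.to_bytes(size, "big")
    raise ValueError("length too large for this encoder")

def cbor_encode(value):
    if isinstance(value, bool):
        return b"\xf5" if value else b"\xf4"
    if value is None:
        return b"\xf6"
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        # CTAP2 canonical ordering: shorter encoded key first, then bytewise.
        items = sorted(((cbor_encode(k), cbor_encode(v)) for k, v in value.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError("unsupported type %r" % type(value))

# Minimal CBOR decoder covering the types that appear in an attestationObject.
def _decode(buf, pos):
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26):
        size = {24: 1, 25: 2, 26: 4}[info]
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if major in (4, 5):  # array, or map read as alternating key/value items
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            item, pos = _decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    if major == 7 and info in (20, 21, 22):
        return {20: False, 21: True, 22: None}[info], pos
    raise ValueError("unsupported CBOR major type %d" % major)

def cbor_decode(buf):
    value, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return value

def classify_attestation(attestation_object):
    """Return 'packed-ecdaa', 'packed-basic', 'packed-self', or the fmt string
    of a non-packed attestation (e.g. 'fido-u2f', 'none', 'tpm')."""
    att = cbor_decode(attestation_object)
    fmt, stmt = att["fmt"], att["attStmt"]
    if fmt != "packed":
        return fmt
    # WebAuthn Level 1 s8.2: a packed attStmt carries alg and sig plus either
    # x5c (basic/AttCA), ecdaaKeyId (ECDAA) or neither (self attestation).
    if "ecdaaKeyId" in stmt:
        return "packed-ecdaa"
    if "x5c" in stmt:
        return "packed-basic"
    return "packed-self"

def registration_accepted(attestation_object, allow_ecdaa=False):
    """Gate a registration the way a relying party without ECDAA support would."""
    return allow_ecdaa or classify_attestation(attestation_object) != "packed-ecdaa"

# Constructed samples (placeholder bytes; authData is 37 bytes of zeros).
AUTH_DATA = b"\x00" * 37
PACKED_ECDAA = cbor_encode({"fmt": "packed", "authData": AUTH_DATA, "attStmt": {
    "alg": -7, "sig": b"\x30\x44" + b"\x00" * 68, "ecdaaKeyId": b"\x01" * 32}})
PACKED_BASIC = cbor_encode({"fmt": "packed", "authData": AUTH_DATA, "attStmt": {
    "alg": -7, "sig": b"\x30\x44" + b"\x00" * 68, "x5c": [b"\x30\x82" + b"\x00" * 10]}})
U2F = cbor_encode({"fmt": "fido-u2f", "authData": AUTH_DATA, "attStmt": {
    "sig": b"\x30\x44", "x5c": [b"\x30\x82"]}})
```

Calling classify_attestation(PACKED_ECDAA) returns "packed-ecdaa" and registration_accepted(PACKED_ECDAA) returns False, while the basic and U2F samples are accepted. The classifier only inspects the statement's shape; a real relying party would go on to verify the signature and certificate chain for the accepted kinds. The check is useful when testing in advance whether a particular key would be accepted by a service that, like PingID, does not support ECDAA.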
The following limitations should be considered when configuring security key authentication with PingID:
- Some browsers do not support the use of a FIDO2 security key when User Verification is set to Required.
- Some browsers do not allow authentication with a security key when the security key is paired as a resident key.
- Some browsers do not support security key registration when Resident Key is set to Required.
- Windows login supports the use of FIDO2 security keys. Note: if User Verification is set to Required for security keys in the admin portal, that setting does not apply to offline authentication; users can use their security key for offline authentication without user verification.
Passwordless security key
- The security key must support resident keys (discoverable credentials) and be paired as a resident key.
- When creating a PingFederate policy for passwordless authentication with a security key, you must use PingID Integration Kit 2.10 or later with PingFederate 9.3 or later.
- Passwordless authentication with a security key has been tested on:
- Windows 10 machines running the latest versions of Microsoft Edge, Firefox, Opera, and Chrome.
- macOS 10.15 (Catalina) machines running the latest versions of Microsoft Edge, Opera, and Chrome.
- Testing has also been performed successfully on macOS 11 (Big Sur) and macOS 12.4 (Monterey).
Security keys supported
PingID is a FIDO2-certified service and supports any FIDO2 key that complies with the FIDO2 standard.