PingOne supports the use of the FIDO2 protocol, and the PingOne FIDO2 server is a FIDO2 certified product.

You can add FIDO2 as an authentication method for your end users. To set up FIDO2, edit an existing authentication policy or create a new one. For more information, see Editing an authentication policy and Adding a multi-factor authentication step.

FIDO2 with PingOne provides many security benefits, such as protection against phishing, man-in-the-middle, and replay attacks. PingOne includes the following security measures from the FIDO2 specification:
  • Based on public key cryptography
  • Ensures that private keys remain on the FIDO2 device only
  • Does not employ server-side shared secrets that could otherwise be compromised
  • Isolates services from accounts
Users can authenticate with:
  • FIDO2 biometrics, by using a gesture in a compatible device
  • FIDO2 security keys

FIDO2 biometrics

With FIDO2 biometrics, end users can authenticate using biometrics on compatible devices. Supported devices include Windows Hello, Android OS 7.0 or later, MacOS, and iOS. For FIDO2 biometrics, the authentication method is bound to a particular device, unlike other methods such as SMS, voice and email.
Note: FIDO2 biometrics can be used for web-based authentication only through browsers that support platform authenticators.

FIDO2 security keys

A hardware-based security key can be used to authenticate users, often in sensitive environments or environments with limited device or phone access, such as hospitals, financial institutions, or federal buildings. FIDO2 security keys are backward compatible with U2F, enabling PingOne to support both FIDO2 and U2F security keys.

After you enable a security key as part of an authentication policy, the user can use it to authenticate. Pairing the device creates a trust between the security key and the user account, so it can be used for authentication.
Note: Security keys can be used for web-based authentication only through browsers that support WebAuthn.

FIDO policy

You can configure one or more FIDO policy and include it in your MFA policy. You can create a FIDO policy for the use of FIDO2 Biometrics and FIDO2 security keys. Create a FIDO policy to define which FIDO devices and authenticators can be used for registration and authentication purposes, and to enable usernameless and passwordless authentication. For more information, see FIDO.