To enable authentication with FIDO2 devices, first create one or more FIDO policies.
Note: A small number of the options listed are not available for use with PingID accounts that are integrated with PingOne. Learn more about updating a PingID account to use a PingOne FIDO2 policy.
To enable authentication with FIDO2 devices:
- Create a FIDO policy defining which FIDO devices are permitted and the desired behavior when registering and authenticating your users. This task is described in detail in this topic.
- Include the FIDO policy in the relevant MFA policy (see MFA policies).
- Ensure the MFA policy is included in the MFA step of the relevant Authentication policy (see Adding a multi-factor authentication step).
Note: When creating an environment, the following out-of-the-box (OOTB) FIDO policies are created by default:
- Passkeys (default)
- Security key
These policies represent best practice configurations for registration and authentication of the relevant devices. You can change the default policy if required.
Add the FIDO policy to the MFA step in the relevant Authentication policy. For information, see Adding a multi-factor authentication step.