To enable authentication with FIDO2 devices, first create one or more
To enable authentication with FIDO2 devices:
- Create a FIDO policy defining which FIDO devices are permitted and the desired behavior when registering and authenticating your users. This task is described in detail in this topic.
- Include the FIDO policy in the relevant MFA policy (see MFA policies).
- Ensure the MFA policy is included in the MFA step of the relevant Authentication policy (see Adding a multi-factor authentication step).
When creating an environment, the following out-of-the-box (OOTB) FIDO policies are created by default:
- Passkeys (default)
- Security key
These policies represent best practice configurations for registration and authentication of the relevant devices. You can change the default policy if required.
- Go to .
- On the FIDO Policies page, click the + icon.
In the Name field, enter a meaningful name for the
There is a 256 character maximum.
In the Device Display Name, select the format in which
you want the device to be displayed on self-service registration and
- Label: Free text field. The device name that is not translated.
- Translatable Keys: Select an option from the list
of translatable keys. The key is translated into the relevant language.Note:
The list of translatable keys can be modified on the FIDO policy page for the relevant language. The FIDO policy page should be updated in the Self-Service module and the Sign On Policy module. For information, see Languages.
In the Relying Party field, select the relevant Relying
Party ID (RPID):
- PingOne (default): Use the PingOne RPID (such as pingone.com).
- Custom Domain: Use the active custom domain for the selected environment. For information about custom domains, see Domains.
- Other: Enter a valid domain.
In the Discoverable Credentials field, select one.
Discoverable credentials make it possible for registered users to authenticate without providing credentials.
- Discouraged: Discoverable credentials are not used, even when supported by the FIDO device. In cases where use of discoverable credentials is required by the FIDO device itself, this setting does not override the device setting.
- Required: Require the use of discoverable credentials. This option is required for usernameless authentication.
- Preferred (default): Use discoverable credentials where possible.
In the Authenticator Attachment field, select the type
of authenticator that can be used to register.
- Platform: Only allow the use of FIDO device authenticators that contain an internal authenticator (such as a face or fingerprint scanner).
- Cross-platform: Allow use of cross-platform authenticators , that are external to the accessing device (such as a security key).
- Both (default).
In the User Verification field, select one.
User verification requires the user to perform a gesture (such as a public key credential, fingerprint scan, or a PIN code) when using their FIDO device.
- In the User Verification field, select either:
Note: For usernameless flows, User Verification must be set to Required.
- Discouraged: User verification is not performed, even when supported by the FIDO device. In cases where user verification is required by the FIDO device itself, this setting does not override the device setting.
- Required: Only FIDO devices supporting user verification can be used.
- Preferred (default): User Verification is performed if the user's FIDO device supports it, and is skipped if not supported.
- To apply user verification to authentication as well as registration, select the Enforce during authentication checkbox.
- In the User Verification field, select either:
In the Backup Eligibility field, indicate whether you
allow users to authenticate with a device that uses cloud-synced credentials,
such as a passkey.
Options are Allow or Disallow.
Select up to six attributes that can be used to populate the User
Display Name and place them in order of preference.
The User Display Name is a human-readable name associated with the user's account.Note:
You can select any OOTB user profile attributes. The first attribute that contains valid data is used to populate the User Display Name. It is displayed to the user during registration and authentication.
In the Direct Attestation Request area:
In the Attestation Requirements field, select
one of the following.
- None: Allow all FIDO devices, and do not request attestation.
- Audit only: Request attestation for auditing purposes only.
- Allow All Global: Allow use of all FIDO devices listed in the Global Authenticators table and request attestation.
- Allow FIDO Certified Authenticators: Only
allow use of FIDO Certified devices, and request
To add a FIDO device to the Global Authenticators Table, see Managing the Global Authenticators Table.
- Allow Specific Authenticators: Allow use of only the devices specified. Select this option and then select the devices you want to use in the Allowed Authenticators table below the list.
To prevent users from authenticating with other devices that are
already registered with their account, but are not included in the
Allow Specific Authenticators list, select
the Enforce during authentication check
This option can be applied only to devices that included a FIDO resident key during the registration process.
- In the Attestation Requirements field, select one of the following.
The policy is added to the Policy list.Tip:
In the Policy list, click a policy to see a summary of the policy details in the right pane or edit an existing policy.
Add the FIDO policy to the MFA step in the relevant Authentication policy. For information, see Adding a multi-factor authentication step.