PingID supports several types of authentication for users:

As an administrator, you determine which authentication methods the users in your organization use. For example, you can start with a lenient method such as SMS and move to stricter methods, such as biometrics authentication, at a later stage.

Note:

The only authentication method enabled by default is the swipe method. You must manually enable any other authentication method. For more information, see Configuring authentication for the PingID mobile app.

PingID Mobile App

Biometrics: Fingerprint

The fingerprint authentication uses a device's native capability to scan and authenticate the user’s fingerprint.

Fingerprint authentication is supported on devices that support biometrics and are included in the PingID mobile app Supported operating systems.

You can set the fingerprint authentication rollout mode with the following settings:

  • Disable fingerprint authentication.
  • Enable for iOS, Android, or both, in one of the following modes:
    • Enable: If the user has a supporting device and has enabled the fingerprint scan option, they are authenticated by fingerprint.
    • Require: Users with supporting devices are required to set up their fingerprint scan option and authenticate with it.
    • Enforce: Fingerprint scanning by the PingID app is required on every authentication, even if the user unlocked the device using their fingerprint.

An image showing the PingID authentication prompt for Touch ID on an iPhone.

For more information, see Configuring biometrics authentication for the PingID mobile app and Troubleshooting PingID authentication.

Biometrics: Facial Recognition

PingID supports facial recognition. Authentication by facial recognition is model-dependent for Apple and Android devices.

Both facial recognition and fingerprint authentication results are transparently passed through to the PingID app. For configuration information, see Configuring biometrics authentication for the PingID mobile app.

  • Apple: Apple uses Face ID for some iPhone and iPad devices. These devices are configured for Face ID or Touch ID, but not both. Devices that support Face ID include:
    • iPhone: iPhone XS Max, iPhone XS, iPhone XR, iPhone X
    • iPad: iPad Pro 12.9" (third generation), iPad Pro 11"

    For the most recent information from Apple, see iPhone and iPad models that support Face ID.

  • Android Platforms: Facial data is acquired using the device's camera. If the user attempts to authenticate with an unlocked screen, only fingerprint authentication is available. On a locked screen, fingerprint authentication and facial recognition are both available on supported devices.

Swipe/Lock Screen Buttons

An authentication request is sent to the PingID mobile application via a push message on the end user's device. Then the user can respond to the authentication request directly on the lock screen, or launch the application and manually swipe the PingID button to approve the authentication request.

An image of the PingID swipe button on an iPhone. An image of a PingID push notification on an iPhone. The user has the option to approve or deny the request.

Mobile Soft Token

A user can generate a one-time passcode (OTP) with the PingID app for iOS or Android. This OTP can be used for authentication in cases where the user’s mobile device is offline, such as when there is no network connection, or in any other use case set by the administrator as an organization's policy.
An image of an OTP on the PingID app for iPhone.

Apple Watch

If a user has an Apple Watch connected to their iPhone, the PingID app automatically presents the Approve or Deny authentication actions on the Apple Watch, so the user can authenticate without needing to access their device.


An image of the PingID app on an Apple Watch.

FIDO2 biometrics

The user can take advantage of FIDO2 strong cryptographic authentication, using built-in FIDO2 platform biometrics on their device.

Biometrics are supported for the following devices:

  • Windows Hello
  • Apple Mac (Touch ID)
  • iOS biometrics
  • Android biometrics

For more information, see Configuring FIDO2 biometrics for PingID.

Security key

The user can authenticate with any FIDO2-compliant security key or wearable device. The security key allows relying parties to offer a strong cryptographic authentication option for end user security. For more information, see Configuring the FIDO2 security key for PingID.

An image of a Yubico security key.

Desktop Soft Token

If the organization has approved the use of the PingID desktop app, users can generate an OTP from the local installation of the desktop app on their Windows or Mac computer. For more information, see PingID desktop app authentication.

An image of an OTP on the PingID desktop app.

Authentication app

If the organization has approved the use of external Time-based One-time Password (TOTP) authenticator apps, such as Google Authenticator, a user can generate an OTP from the authenticator app on their device. For more information, see Configuring authenticator app authentication for PingID.

OATH token

An OATH token is a secure OTP that can be used for two-factor authentication and is OATH compliant. For more information, see https://openauthentication.org/.

Use hardware OATH tokens where there are no provisions for connection to the Internet, USB connections, or mobile phones. Such connections might be disallowed for security reasons. For more information, see Configuring OATH token authentication for PingID.

An image of a hand-held OTP generator.

YubiKey™ - Yubico OTP

The user must click a YubiKey with Yubico OTP capabilities in order to authenticate. Select this method of authentication if you've distributed YubiKey hardware tokens to users who are not authenticating using a mobile device.

YubiKeys that are FIDO2-compliant can be used as either a YubiKey or a Security key. For more information, see Configuring YubiKey authentication (Yubico OTP) for PingID.

An image of a YubiKey.

Email OTP

If you have users who aren't using devices that support the PingID mobile application, you can choose to enable this method of authentication. The user is authenticated by providing a 6-digit OTP sent by email to their email address. For more information, see Configuring email authentication for PingID.

An image of an OTP being entered during sign-on.

SMS and Voice

If you have users who aren't using devices that support the PingID mobile application, you can enable this method of authentication. The user is authenticated by providing a 6-digit OTP sent to the user's mobile device or landline phone, using SMS or voice channels.


An image of an SMS containing a PingID authentication code.

For more information, including SMS and Voice usage limits, see SMS and voice authentication.