PingOne Recognize

Component interoperability

PingOne Recognize uses client state to enable authentication scenarios that don’t rely on specific enrollment practices or techniques.

PingOne Recognize components

PingOne Recognize currently consists of three main product components:

| Component | Facilitates user enrollment | Enables authentication |
|---|---|---|
| IDV Bridge (On-premises or SaaS) | Yes | No |
| Mobile SDK | Yes | Yes |
| Web SDK | Yes | Yes |

Interoperability between components

All PingOne Recognize components operate in an interconnected manner.

A user can enroll using any enrollment component and later authenticate using a different component. There is no need to re-enroll.

Seamless interoperability is possible using PingOne Recognize client state.

How client state works

The PingOne Recognize client state can be generated by any component listed in the earlier table.

  • It can be used by either the Web SDK or Mobile SDK to enable cross-platform authentication.

    • The Mobile SDK creates a new client state for the enrolled user, which allows ongoing authentication for that user on that device.

    • The Web SDK stores a new client state for the specific {UserID} on the PingOne Recognize server to allow ongoing authentication from any browser where PingOne Recognize is configured as a second authentication factor.

This interoperability enables multiple authentication scenarios.

Interoperability scenarios

  1. Live enrollment to cross-platform authentication:

    Users enroll into PingOne Recognize by taking a selfie using a PingOne Recognize UI deployed by customers into their own mobile or web apps using PingOne Recognize SDKs.

  2. IDV Bridge to cross-platform authentication:

    When customers have previously captured selfies during Know Your Customer (KYC) onboarding flows, these images can be used to enroll new users into PingOne Recognize:

    • On-premises: Enroll user selfies using the "PingOne Recognize Agent" component installed inside your own infrastructure, and then use client state in your web or mobile app to authenticate them later.

      • This option ensures that the selfies stay within your own infrastructure and therefore the entire process preserves privacy.

    • SaaS: Enroll user selfies using the Authentication Service API, which creates a user. Client state can then be stored to permit your web or mobile app to authenticate the user later.

      • The selfie is sent to a Secure Enclave in PingOne Recognize and instantly transformed into a cryptographic key. No biometric data or personally identifying information (PII) is then stored.

Further resources

  1. Enroll using IDV Bridge on-premises to authenticate with Web SDK:

    The Integrator tutorial shows how to enroll user selfies captured outside of PingOne Recognize using IDV Bridge on-premises and then allow those same users to authenticate with their web app or SDK.

  2. Enroll with either Web SDK or IDV Bridge (on-premises or SaaS) → authenticate using Mobile SDK:

    Where customers have enrolled using either the Web SDK or IDV Bridge, start by exporting the client state:

    GET /v1/customers/{customer}/client-state-encryption
    {
      "keyId": "alias/pii-encryption-key",
      "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
      "supportedAlgorithms": [
        "RSAES-OAEP-SHA-256"
      ]
    }

    Use the response results when the customer authenticates on a new device using the Mobile SDK. Refer to Account Recovery for details showing how to authenticate users on a new device. This enables ongoing authentication.
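A check a client could apply to the response above before using its key, as an added example that is not PingOne Recognize code: it allowlists the algorithm, rejects non-RSA or undersized keys, and encrypts with RSA-OAEP using SHA-256. The helper names, the 2048-bit floor, and the payload are assumptions (the page does not state what data is encrypted with this key), and the key pair is generated locally as a constructed stand-in for the server's.

```javascript
const crypto = require('crypto');

const ALLOWED_ALGORITHMS = ['RSAES-OAEP-SHA-256']; // the only value shown on the page
const MIN_MODULUS_BITS = 2048; // assumption: local policy floor, not a documented value
const OAEP_SHA256 = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Validate the response shape and return a public KeyObject, or throw.
function loadEncryptionKey(response) {
  const offered = Array.isArray(response.supportedAlgorithms) ? response.supportedAlgorithms : [];
  if (!offered.some((alg) => ALLOWED_ALGORITHMS.includes(alg))) {
    throw new Error('no allowed algorithm offered');
  }
  if (typeof response.publicKey !== 'string') throw new Error('publicKey missing');
  const key = crypto.createPublicKey(response.publicKey); // throws on malformed PEM
  if (key.asymmetricKeyType !== 'rsa') throw new Error('not an RSA key');
  if (key.asymmetricKeyDetails.modulusLength < MIN_MODULUS_BITS) {
    throw new Error('RSA modulus too small');
  }
  return key;
}

// RSAES-OAEP with SHA-256, matching the advertised algorithm name.
function encryptForServer(key, plaintext) {
  return crypto.publicEncrypt({ key, ...OAEP_SHA256 }, plaintext);
}

// Constructed round trip: a local key pair stands in for the server's key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const response = {
    keyId: 'alias/pii-encryption-key',
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    supportedAlgorithms: ['RSAES-OAEP-SHA-256'],
  };
  const key = loadEncryptionKey(response);
  const payload = Buffer.from('constructed-placeholder-payload'); // hypothetical data
  const ciphertext = encryptForServer(key, payload);
  const recovered = crypto.privateDecrypt({ key: privateKey, ...OAEP_SHA256 }, ciphertext);
  return { ciphertextLength: ciphertext.length, matches: recovered.equals(payload) };
}
```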