--- title: Component interoperability description: Describes how to use client state to authenticate PingOne Recognize users on different platforms (web or mobile). component: recognize page_id: recognize:idv-bridge:idv-bridge-component-interoperability canonical_url: https://docs.pingidentity.com/recognize/idv-bridge/idv-bridge-component-interoperability.html llms_txt: https://docs.pingidentity.com/recognize/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md section_ids: pingone-recognize-components: PingOne Recognize components interoperability-between-components: Interoperability between components how-client-state-works: How client state works interoperability-scenarios: Interoperability scenarios further-resources: Further resources --- # Component interoperability PingOne Recognize uses client state to enable authentication scenarios that don't rely on specific enrollment practices or techniques. ## PingOne Recognize components PingOne Recognize currently consists of three main product components: | Component | Facilitates user enrollment | Enables authentication | | -------------------------------- | --------------------------- | ---------------------- | | IDV Bridge (On-premises or SaaS) | Yes | No | | Mobile SDK | Yes | Yes | | Web SDK | Yes | Yes | ## Interoperability between components All PingOne Recognize components operate in an interconnected manner. A user can enroll using any enrollment component and later authenticate using a different component. There is no need to re-enroll. Seamless interoperability is possible using PingOne Recognize client state. ## How client state works The PingOne Recognize client state can be generated by any component listed in the earlier table. * It can be used by either the Web SDK or Mobile SDK to enable cross-platform authentication. * The **Mobile SDK** creates a new client state for the enrolled user, which allows ongoing authentication for that user on that device. * The Web SDK stores a new client state for the specific `{UserID}` on the PingOne Recognize server to allow ongoing authentication from any browser where PingOne Recognize is configured as a second authentication factor. This interoperability enables multiple authentication scenarios. ## Interoperability scenarios 1. Live enrollment to cross-platform authentication: Users enroll into PingOne Recognize by taking a selfie using a PingOne Recognize UI deployed by customers into their own mobile or web apps using PingOne Recognize SDKs. * [Enroll users through the Web SDK](../web-sdk/web-sdk-guide-enrollment.html) and then activate them in your mobile app at a later stage to authenticate there without the need to re-enroll. * [Enroll users on the Mobile SDK](../mobile-sdk/mobile-sdk-enrollment.html) and authenticate them in your web application (again without any re-enrollment). 2. IDV Bridge to cross-platform authentication: When customers have previously captured selfies during Know Your Customer (KYC) onboarding flows, these images can be used to enroll new users into PingOne Recognize: * On-premises: Enroll user selfies using the "PingOne Recognize Agent" component installed inside their own infrastructure, and then use client state in your web or mobile app to authenticate them later. * This option ensures that the selfies stay within your own infrastructure and therefore the entire process preserves privacy. * SaaS: Enroll user selfies using [Authentication Service API](idv-bridge-saas.html), which creates a user. Client state can then be stored to permit your web or mobile app to authenticate the user later. * The selfie is sent to a Secure Enclave in PingOne Recognize and instantly transformed into a cryptographic key. No biometric data or personally identifying information (PII) is then stored. ## Further resources 1. Enroll using IDV Bridge on-premises to authenticate with Web SDK: The [Integrator tutorial](idv-bridge-onprem-enrollment-websdk-authentication-tutorial.html) shows how to enroll user selfies captured outside of PingOne Recognize using IDV Bridge on-premises and then allow those same users to authenticate with their web app or SDK. 2. Enroll with either Web SDK or IDV Bridge (on-premises or SaaS) → authenticate using Mobile SDK: Where customers have enrolled using either the Web SDK or IDV Bridge, start by exporting the client state: ```REST GET /v1/customers/{customer}/client-state-encryption { "keyId": "alias/pii-encryption-key", "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n", "supportedAlgorithms": [ "RSAES-OAEP-SHA-256" ] } ``` Use the response results when the customer authenticates on a new device using the Mobile SDK. Refer to [Account Recovery](../mobile-sdk/mobile-sdk-account-recovery.html) for details showing how to authenticate users on a new device. This enables ongoing authentication.