---
title: Limitations
description: This page lists the known issues and limitations of the Ping (ForgeRock) SDKs.
component: sdks
version: latest
page_id: sdks:release-notes:limitations
canonical_url: https://docs.pingidentity.com/sdks/latest/release-notes/limitations.html
revdate: Wed, 8 Apr 2025 12:47:20 +0100
keywords: ["Compatibility", "Features", "Source Code", "SDK"]
section_ids:
  all_platforms: All platforms
  ping_forgerock_sdk_for_android: Ping (ForgeRock) SDK for Android
  ping_forgerock_sdk_for_ios: Ping (ForgeRock) SDK for iOS
  ping_forgerock_sdk_for_javascript: Ping (ForgeRock) SDK for JavaScript
  ping_forgerock_authenticator_module: Ping (ForgeRock) Authenticator module
---

# Limitations

This page lists the known issues and limitations of the Ping (ForgeRock) SDKs.

## All platforms

* The Ping (ForgeRock) SDKs ***do not*** support authentication chains or modules.

* The FRUI module is for prototyping your UI and is not intended for production use as-is.

* As of ForgeRock SDKs 3.0, the Identity Providers supported for social login are limited to Apple, Facebook, and Google.

## Ping (ForgeRock) SDK for Android

* Registering an Android device using the **WebAuthn Registration Node** fails if you set the **Preferred mode of attestation** option to **DIRECT** or **INDIRECT**.

  Users attempting to register a security key or biometric authenticator on an Android device may encounter `Registration Failed` errors, or find that the attestation process doesn't complete as expected.

  To ensure successful registration on Android, set the **Preferred mode of attestation** option to **NONE** in the **WebAuthn Registration Node** configuration:

  ![Setting preferred attestation mode to \`None\` to register WebAuthn devices on Android](_images/webauth-android-attestation-mode.png)

  Figure 1. Setting preferred attestation mode to `NONE` to register WebAuthn devices on Android

* If you specify `android:allowBackup="true"` in your SDK-enabled client application, restoring those backups doesn't restore the keys required to unlock secured data. This is by design.

  Restored apps will not have access to the following backed-up data:

  * Session tokens

  * Access tokens

  * Device bindings

  Users will need to reauthenticate and re-bind their device.

* Displaying CAPTCHAs or using the Ping (ForgeRock) Authenticator module in your application requires the presence of Google Play Services.

* The Authenticator module of the Ping (ForgeRock) SDK for Android only supports Firebase Cloud Messaging service as a Push Notification provider.

* Social Login requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* Calling `FRUser.logout()` only signs out the session from PingAM, not the social identity provider. Every subsequent social login attempt will automatically log in without asking for credentials.

* Biometric authentication is only supported on Android 7.0 or newer.

* Biometric authentication requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* Biometric authentication requires the use of Google Play Services.

* When a biometric dialog, such as the *provide fingerprint* dialog, is dismissed, the application may become unresponsive.

* Biometric authentication does not distinguish between individual biometrics (fingerprints or faces), but is limited to the collection of biometrics registered for the device's current user account.

* As of ForgeRock SDKs 3.0, only platform authenticators can be used for WebAuthn; roaming/USB authenticators, like YubiKey, are not currently supported.

* Ping (ForgeRock) SDK for Android apps do not function correctly if they are minimized to picture-in-picture mode in [Android custom tabs](https://developer.chrome.com/docs/android/custom-tabs).

  The Ping (ForgeRock) SDK is not able to detect being minimized until API support from Google is available in Android.

## Ping (ForgeRock) SDK for iOS

* Data encryption with Secure Enclave is only available for iOS 10+ devices with TouchID or FaceID.

* DeviceCollector customization is only available in Swift.

* JailbreakDetector customization is only available in Swift.

* HiddenValueCallback and SuspendedTextOutputCallback are not accessible in Objective-C.

* FRAuthenticator SDK is only available in Swift.

* Social Login requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* Calling `FRUser.logout()` only signs out the session from PingAM, not the social identity provider. Every subsequent social login attempt will automatically log in without asking for credentials.

* The Google Sign-In SDK is only compatible with CocoaPods (Swift Package Manager is not supported).

* Sign In With Apple is only supported in iOS 13 and above.

* Biometric authentication requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* Biometric authentication does not distinguish between individual biometrics (fingerprints or faces), but is limited to the collection of biometrics registered for the device's current user account.

* For biometric authentication, iOS only supports the ES256 signing algorithm, which is configured in the WebAuthn Registration node.

* For "usernameless" biometric authentication support, "limit registrations" must be disabled within the WebAuthn Registration node.

* As of ForgeRock SDKs 3.0, only the platform authenticator can be used for WebAuthn; roaming/USB authenticators, like YubiKey, are not supported.

* Device Binding is not supported on iOS simulators. You must use a physical device to test Device Binding.

## Ping (ForgeRock) SDK for JavaScript

* The Ping (ForgeRock) SDK for JavaScript is currently unable to revoke PingOne-issued OIDC tokens when using Firefox and Safari, due to third-party cookie protection.

* When resources are protected by PingGateway, the Ping (ForgeRock) SDK for JavaScript can only support transactional authorization if PingAM and PingGateway are on the same origin.

* Firefox does not support Touch ID as a WebAuthn device on Mac, which limits some WebAuthn node configurations.

* The SDK requires polyfills to function in IE 11 and Legacy Edge.

* In WebKit for both macOS and iOS, the "Prevent Cross-site Tracking" option, which is enabled by default, can prevent the SDK from functioning when the app and PingAM are under different origins.

* Collecting location information requires the user's system preferences to allow browser access to location information.

* IndexedDB as a token storage strategy has a known issue with Firefox Private Mode. (Use `localStorage` as an alternative.)

* Social login with Apple requires the use of a form POST, so the "Redirect URL" cannot be an SPA as they are unable to handle a POST request; the use of the special PingAM endpoint explained in [Set up social login](../sdks/use-cases/how-to-setup-social-login.html) is recommended.

* Calling `FRUser.logout()` will only sign out the session from PingAM but not the social identity provider. Every subsequent social login attempt will automatically log in without asking for credentials.

## Ping (ForgeRock) Authenticator module

* If you specify `android:allowBackup="true"` in your Ping (ForgeRock) Authenticator module-enabled client application, restoring those backups doesn't restore the keys required to unlock secured data. This is by design.

  Restored apps will not have access to the following backed-up data:

  * Registered PUSH and OATH accounts.

  Users will need to reauthenticate and re-register their devices.

  To work around this issue, you can override the default passphrase provider the SDK uses to secure data, although we do not recommend this practice.

  Use the `FixedPassphraseProvider` or `NonePassphraseProvider` instead of the default `KeyStorePassphraseProvider` to allow apps to access secured data after being restored:

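  ```kotlin
  // This snippet sets the default KeyStorePassphraseProvider.
  // To let a restored app read secured data, set passphraseProvider to a
  // FixedPassphraseProvider or NonePassphraseProvider instead (not recommended).
  oathStorage = SQLOathStorage {
      context = this@AuthenticatorApp
      passphraseProvider = KeyStorePassphraseProvider(
          this@AuthenticatorApp,
          logger = diagnosticLogger
      )
      this.logger = diagnosticLogger
  }
  ```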

  Learn more in [Customize storage on Android](../sdks/customize/how-to-customize-storage.html#customize-storage-on-android).

* The default storage client for Android that is built on `SharedPreferences` can behave unpredictably on devices from certain manufacturers that customize the Android operating system.

  For maximum compatibility with devices from different manufacturers, we highly recommend that you [implement your own custom storage client](../authenticator-module/getting-started/03-customize-storage-clients.html#android) for Android devices.
