--- title: Enabling passwordless authentication in a PingFederate authentication policy description: To enable passwordless authentication in a PingFederate authentication policy: component: solution-guides page_id: solution-guides:best_practice_guides:bp_enabling_passwordless_pf_authentication_policy canonical_url: https://docs.pingidentity.com/solution-guides/best_practice_guides/bp_enabling_passwordless_pf_authentication_policy.html revdate: September 7, 2022 section_ids: about-this-task: About this task steps: Steps --- # Enabling passwordless authentication in a PingFederate authentication policy ## About this task To enable passwordless authentication in a PingFederate authentication policy: ## Steps 1. **Optional:** Create a policy contract: 1. Go to **Authentication → Policies → Policy Contracts**. 2. Click **Create New Contract.** 3. Give the policy contract an appropriate name for the storage of attribute data. Click **Next**. 4. Specify any additional attributes if required outside of the `subject` attribute to be reused later within OAuth-OpenID Connect (OIDC) or SAML-WS-Federation processing. Click **Next**. 5. On the **Summary** page, click **Save**. 2. Create a local identity profile (LIP): 1. Go to **Authentication → Policies → Local Identity Profiles**. 2. Click **Create New Profile**. 3. On the **Profile Info** tab, in the **Local Identity Profile Name** field, enter an appropriate name for the passwordless authentication processing. 4. In the **Authentication Policy Contract** list, select an appropriate policy contract. If you created a new one, specify the policy contract from step 1. Click **Next**. 5. For **Authentication Sources**, select **Security Key** and click **Add**. Click **Next**. 6. On the **Summary** page, click **Save**. 3. Add the LIP to an available HTML Form IdP Adapter: 1. Go to **Authentication → Integration → IdP Adapters** and select an available **HTML Form IdP Adapter** to use within PingFederate's authentication policy that will contain a **Passwordless Security Key** option. 2. Click **IdP Adapter**. 3. Scroll down to the **Local Identity Profile** section, and in the list, select the LIP that you created in step 2. 4. Click **Save**. 4. Create an authentication policy: 1. Go to **Authentication → Policies → Policies**. 2. Click **Add Policy**. 3. Give the authentication policy an appropriate name for the passwordless authentication process that will be performed. 4. In the **Policy** list, select the **HTML Form IDP Adapter** that you added the LIP to in step 3. 5. Under the **HTML Form IDP Adapter** that you selected, click **Rules** and specify the appropriate values. | | | | - | ------------------------------ | | | Case sensitivity is important. | 6. Click **Done**. 7. For the **Fail** branch off of the **HTML Form IDP Adapter**, click **Done**. 8. For the **Security Key**branch, select the **PingID Adapter**. 9. In the **Fail** branch off of the **PingID Adapter**, click **Done**. 10. For the **Success** branch of the **PingID Adapter**, select the policy contract that you specified in step 2d. 11. Perform the **Contract Mapping** to fulfill the **Policy Contract Attributes**. Click **Done** to return to the **Policy** tree when complete. 12. In the last **Success** branch (the branch where **Security Key** is not selected), select the **PingID Adapter**. 13. Under **PingID Adapter**, click **Options**. 14. Select the appropriate attribute to provide to PingID to verify the registration status of the user performing the transaction. Click **Done.** 15. For the **Fail** branch, click **Done**. 16. For the **Success** branch of the non-passwordless PingID flow, select the **Policy Contract** that you specified in step 2d. 17. Perform the **Contract Mapping** to fulfill the **Policy Contract Attributes**. Click **Done** to return to the **Policy** tree when complete. 18. Click **Done** to return to the main **Policy** list selection. 19. Move the authentication policy to the desired location in the list. 20. Click **Save**.