PingID Administration Guide

Frequently asked questions when upgrading biometrics and security key to FIDO2 authentication

This section addresses frequently asked questions when upgrading from FIDO2 biometrics and security key authentication methods to FIDO2 authentication.

What are the benefits of upgrading to FIDO2 authentication?

  • FIDO2 offers expanded configuration options and support for a wider range of FIDO2 authentication devices, including cloud-synced FIDO2 devices.

  • FIDO2 replaces the deprecated FIDO2 biometrics and security key authentication methods.

Can a single FIDO2 device be used across different browsers?

  • To ensure users can authenticate with a FIDO2 device across different browsers, in the FIDO2 policy, make sure that Backup Eligibility is set to Allow. This allows authentication with passkeys and devices using cloud-synced credentials.

    Learn more in FIDO policies in the PingOne documentation.
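    The Backup Eligibility setting corresponds to the backup flags that WebAuthn authenticators report in their authenticator data. The following is an added example, not PingOne or PingID code, showing how a relying party can read those flags and apply an allow or disallow decision; the function names, the "disallow" value, and the sample data are assumptions made for illustration.

```javascript
// WebAuthn authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
const FLAGS_OFFSET = 32;
const MIN_AUTH_DATA_LEN = 37;
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: credential can be synced across devices
const FLAG_BS = 0x10; // backup state: credential is currently backed up

// Decode the flags byte and reject combinations the WebAuthn spec forbids.
function parseFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < MIN_AUTH_DATA_LEN) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const f = authData[FLAGS_OFFSET];
  const flags = {
    up: (f & FLAG_UP) !== 0,
    uv: (f & FLAG_UV) !== 0,
    be: (f & FLAG_BE) !== 0,
    bs: (f & FLAG_BS) !== 0,
  };
  // A credential cannot be backed up unless it is backup eligible.
  if (flags.bs && !flags.be) {
    throw new Error("invalid flags: BS set without BE");
  }
  return flags;
}

// Hypothetical policy check. "allow" mirrors the setting named on this page;
// "disallow" is an assumed opposite value used only for this illustration.
function checkBackupPolicy(authData, backupEligibility) {
  const flags = parseFlags(authData);
  if (backupEligibility === "disallow" && flags.be) {
    return { accepted: false, reason: "backup-eligible credential rejected by policy", flags };
  }
  const kind = flags.be ? "synced passkey" : "device-bound credential";
  return { accepted: true, reason: kind + " accepted", flags };
}

// Constructed sample: zeroed rpIdHash and signCount, caller-chosen flags byte.
function sampleAuthData(flagsByte) {
  const data = new Uint8Array(MIN_AUTH_DATA_LEN);
  data[FLAGS_OFFSET] = flagsByte;
  return data;
}
```

    With the assumed "disallow" value, a cloud-synced passkey (flags 0x1d) is rejected while a device-bound security key (flags 0x05) is accepted; with "allow", both are accepted.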

Can I upgrade to FIDO2 from within the legacy PingID admin portal?

The FIDO2 authentication method is only available for PingID accounts that are integrated with a PingOne environment.

To upgrade to FIDO2 authentication:

  1. Make sure your PingID account is integrated into a PingOne environment.

  2. In the legacy PingID admin portal, upgrade to FIDO2 authentication.

  3. If you have a PingOne MFA policy that uses legacy FIDO2 biometrics and security key authentication methods, update it. Learn more in Updating a PingID account to use PingOne FIDO2 policy for Passkey support.

What impact will upgrading have on security keys and FIDO2 biometrics devices that are already paired to user accounts?

  • Security keys and FIDO2 biometrics devices already paired to user accounts are automatically upgraded to FIDO2.

  • Users can continue to authenticate with their existing devices.

What happens to PingID policies that have "security key" defined as an allowed authentication method?

  • The affected policies are automatically updated to use FIDO2 as the allowed authentication method.

Can I define different authentication policies for different FIDO2 devices, such as FIDO2 security keys and Windows Hello devices?

  • In a future release, it will be possible to define multiple FIDO2 policies and apply them to different devices, such as FIDO2 security keys and Windows Hello devices.

  • PingOne’s current FIDO2 policy provides many configuration options. For example, specific supported FIDO2 devices can be configured in the FIDO policy under Authenticator Attachment as Platform, Cross-platform, or Both.

    Learn more in FIDO policies in the PingOne documentation.

Can I roll back to the legacy FIDO2 biometrics and security key authentication methods after upgrading to FIDO2?

  • Upgrading to FIDO2 permanently deactivates the legacy FIDO2 biometrics and security key authentication methods and cannot be undone. These options are grayed out in the legacy PingID admin portal, and they’re removed from PingOne policies and replaced with the FIDO2 authentication method.

If I’ve migrated a PingID account to a PingOne environment and upgraded to the FIDO2 authentication method, can I revert my PingID account to the legacy PingID admin portal?

  • After migrating a PingID account to a PingOne environment and upgrading to FIDO2, you cannot revert to the legacy PingID admin portal.

  • Deleting the PingOne environment also deletes the PingID account.