Authentication security
The Ping SDKs provide two methods for implementing authentication in your applications:
- Embedded authentication
-
The app developer is responsible for building the login and registration UI.
Uses the Authorization code grant with PKCE flow, based on RFC7636.
When using embedded authentication, the SDKs do not store user credentials on the device or in the browser.
- Centralized authentication
-
We provide a central login app (or web page) that app developers can use with a redirect for JavaScript apps, or by using an in-app browser in Android and iOS applications.
Android and iOS use the OAuth 2.0 for Native Apps for centralized authentication, based on RFC8252, which is recommended way for third-party applications to authenticate in terms of security, as user credentials are never exposed to the third-party web or native application.
Both options have their merits and drawbacks, and the choice usually depends on your use case. For more information, refer to Choose how users authenticate.
The Ping SDKs also use the following protocols for authentication:
- WebAuthn for Mobile and Web Biometrics
-
Based on the WebAuthn W3C spec.
-
The Ping SDK for iOS uses a custom implementation of the protocol that has been created to offer backward compatibility older iOS versions including iOS 12. For more information, see Supported operating systems.
-
The Ping SDK for Android uses the Google FIDO2 API.
-