Ping SDKs

Authentication security

The Ping SDKs provide two methods for implementing authentication in your applications:

Auth journey (embedded) login

The app developer is responsible for building the login and registration UI.

Uses the Authorization code grant with PKCE flow, based on RFC 7636.

When using auth journeys for authentication, the SDKs do not store user credentials on the device or in the browser.
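The PKCE mechanics behind the Authorization code grant described above, as an added example for Node.js that is not Ping SDK code: the client derives an S256 `code_challenge` from a random `code_verifier`, and the authorization server recomputes it when the code is redeemed. The function names, and the server-side policy of refusing the `plain` method, are assumptions of this example.

```javascript
// Added example: PKCE (RFC 7636) with the S256 method, client and server side.
const crypto = require('node:crypto');

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Client: 32 random bytes encode to a 43-character base64url verifier.
// It stays in the app and is sent only with the token request.
function generateCodeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded.
// This value travels with the authorization request.
function codeChallengeS256(verifier) {
  if (typeof verifier !== 'string' || !VERIFIER_RE.test(verifier)) {
    throw new Error('code_verifier must be 43-128 unreserved characters');
  }
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Server (hypothetical helper): when the authorization code is redeemed,
// recompute the challenge from the presented verifier and compare it with
// the challenge stored alongside the code.
function verifyPkce(storedChallenge, storedMethod, presentedVerifier) {
  if (storedMethod !== 'S256') return false; // policy of this example: no "plain"
  if (typeof storedChallenge !== 'string') return false;
  if (typeof presentedVerifier !== 'string' || !VERIFIER_RE.test(presentedVerifier)) {
    return false;
  }
  const expected = Buffer.from(storedChallenge, 'ascii');
  const actual = Buffer.from(codeChallengeS256(presentedVerifier), 'ascii');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}
```

A party that intercepts the authorization code sees only the challenge, so without the original verifier the token request fails this check.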

OIDC (centralized) login

We provide a central login UI that app developers can use with a redirect for JavaScript apps, or by using an in-app browser in Android and iOS applications.

Android and iOS use OAuth 2.0 for Native Apps, based on RFC 8252, which is the recommended way for third-party applications to authenticate in terms of security, because user credentials are never exposed to the third-party web or native application.

Both options have their merits and drawbacks, and the choice usually depends on your use case. For more information, refer to:

The Ping SDKs also use the following protocols for authentication:

WebAuthn for Mobile and Web Biometrics

Based on the WebAuthn W3C spec.

  • The Ping SDK for iOS uses a custom implementation of the protocol, created to offer backward compatibility with older iOS versions, including iOS 12. For more information, see Supported operating systems.

  • The Ping SDK for Android uses the Google FIDO2 API.