Configuring Ping for passwordless authentication with FX7

The innovative FIDO2 passwordless technology by OneSpan allows users to securely sign in to Ping using a USB key, completely removing the need for traditional passwords. Once set up, users can effortlessly access their accounts and log onto their Windows devices with OneSpan FX7 FIDO2 security keys. This method ensures robust two-factor authentication by requiring both the physical security key and a PIN or biometric verification (such as a fingerprint) configured on the FIDO2 security keys.

This article offers step-by-step instructions for enabling OneSpan FX7 FIDO2 passkeys in Ping and setting them as the default security measure for Microsoft 365 logons.

Setting up authentication using FIDO2 devices includes the following steps:

1. Define a FIDO policy. Specify which FIDO devices are allowed and outline the desired behavior for user registration and authentication.

2. Integrate the FIDO policy into the MFA policy.

3. Incorporate the MFA policy into the authentication policy. Ensure the MFA policy is included in the MFA step of the appropriate authentication policy.

Define a FIDO policy

1. Navigate to Authentication > FIDO.

2. On the FIDO Policies page, click the Passkeys policy and click the pencil icon to edit.

3. In the Name box, type a descriptive name for the policy (up to 256 characters).

4. In the Device Display Name section, select the format to display the device during self-service registration and authentication:

   • Label: A free text field where the device name is not translated.

   • Translatable Keys: Select an option from the list of translatable keys, which will be translated into the relevant language.

5. If you only want to use OneSpan FX7 devices, enable Allow Specific Authenticators in the Attestation Request section and select Allow Specific Authenticators.

   • Enable Enforce During Authentication.

   • Select OneSpan DIGIPASS FX7 from the Allowed Authenticators list.

Integrate the FIDO policy into the MFA policy

1. Navigate to Authentication > MFA Settings.

2. For the MFA status of new users, specify whether MFA should be enabled by default when a new user account is created.

   Set Maximum allowed methods to the maximum number of authentication methods users can set up.

   The default value is 5. Users can have multiple methods on the same device, e.g. SMS, voice, biometrics, and an authenticator app on a single mobile device).

   If you reduce the maximum number, existing methods are not affected. For instance, if a user already has four methods set up and you reduce the maximum to three, the user won't need to remove any existing methods.

3. If some users will pair devices with phone numbers that have extensions, enable Phone numbers with extensions.

4. For Account lockout, configure the following:

   • Account lockout: Set the maximum number of incorrect MFA attempts (e.g., entering an incorrect OTP or declining a push confirmation) before the account is locked. This applies across all configured devices.

   • Account lockout duration: Specify the duration (in seconds) for which the account remains locked after exceeding the failure count. The account will automatically unlock after this period.

5. Select the type of key for device pairing. This can be either a 12-digit numeric key or a 16-character alphanumeric key.

6. Click Save.

   

Configure users to use the new FIDO policy

1. Expand Directory > Users.

2. Select the users who will use the new FIDO policy.

3. Switch to the Services tab.

   1. Enable Multi-Factor Authentication.

   2. In the Methods section, select FIDO2 and pair the user to that method.

Configure PingIdentity

This article provides step-by-step instructions to configure PingIdentity to support OneSpan FX7 tokens. Follow these steps to set up FIDO authentication, modify the default MFA policy, and ensure proper multi-factor authentication settings.

1. Sign in to PingIdentity.

2. Select Authentication > FIDO.

   

3. Select Passkeys and click the pencil icon to edit the entry:

   1. Select Label and type OneSpan FX7.

   2. Select Allow Specific Authenticators from the Attestation Requirements list.

   3. In the Search box, type OneSpan.

   4. Select the check box for OneSpan DIGIPASS FX7.

   5. Click Save.

      

4. Select Authentication > MFA.

5. Select Default MFA Policy, and click the pencil icon to edit the entry:

   1. Clear all options in the Allowed Authentication Methods section, except for FIDO2.

   2. Under the FIDO2 option, select Passkeys from the FIDO Policy list.

   3. Click Save.

      

6. Select Authentication > Authentication.

7. Click the icon to expand Multi_Factor.

8. Click the pencil icon to edit the policy:

   1. Under the title of the policy (Multi_Factor), click Make Default.

   2. In the MULTI-FACTOR AUTHENTICATION section, select Default MFA Policy from the MFA POLICY list.

   3. Click Save.