Ping Identity: Product Strategy and Passkey Capabilities

60-page Enterprise Passkey Whitepaper:
Learn how leaders get +80% passkey adoption. Trusted by Rakuten, Klarna & Oracle

Get free Whitepaper

The trajectory of Ping Identity offers a compelling narrative on the maturation of the Identity and Access Management (IAM) market itself—from a niche enterprise technology focused on federation to a critical pillar of cybersecurity and digital transformation. The company's journey through venture funding, private equity ownership, a public offering, and a landmark merger reflects the increasing strategic value of identity. This section provides a detailed historical analysis of Ping Identity, tracing its corporate development and the strategic rationale behind the key transactions that have shaped its current market position.

Ping Identity was established in 2002 by Andre Durand and Bryan Field-Elliot in Denver, Colorado. The company's founding vision was centered on providing federated identity management and pioneering standards-based solutions to replace insecure passwords, positioning it as an early innovator in the nascent IAM landscape. The company's first major product, PingFederate version 2.0, was released in February 2005, marking its formal entry into the enterprise software market.

This initial period was characterized by steady growth fueled by significant venture capital investment. Between 2004 and 2014, Ping Identity secured multiple funding rounds, raising a total of $137 million from prominent investors such as Kohlberg Kravis Roberts (KKR), DFJ Growth, and Silicon Valley Bank. This capital was instrumental in expanding its product suite and establishing a global presence.

An important moment in the company's history occurred on June 1, 2016, when Vista Equity Partners, a private equity firm specializing in enterprise software, acquired a majority ownership stake for $600 million. This transaction signaled a shift from a venture-backed growth stage to a more mature phase focused on scaling operations and market consolidation. Under Vista's ownership, Ping Identity began to strategically expand its platform through acquisitions.

Rather than pursuing a sale, Vista Equity Partners guided Ping Identity through an Initial Public Offering (IPO) in September 2019. The company was listed on the New York Stock Exchange (NYSE) under the ticker symbol "PING" with an initial share price of $15.00. The stock experienced a 30% increase on its first day of trading, reflecting strong market confidence in its enterprise-grade identity solutions and its critical role in securing digital transformations. This was a notable milestone, as it was the first company that Vista Holdings had taken public.

The next major chapter for Ping Identity began in August 2022, when the software-focused private equity firm Thoma Bravo announced a definitive agreement to acquire the company for $2.8 billion in an all-cash transaction. This offer represented a substantial 63% premium over Ping's closing share price at the time, indicating a strong belief in the company's untapped value. The acquisition was finalized in October 2022, and Ping Identity once again became a privately held company.

The strategic rationale behind the take-private deal was clear. Thoma Bravo, a seasoned investor in the cybersecurity sector with a portfolio that included identity vendor SailPoint, identified Ping Identity as a leader in the estimated $50 billion Enterprise Identity market. The firm's stated goal was to "accelerate its cloud transformation" and inject capital to "turbocharge innovation and open new markets". Thoma Bravo's extensive experience in the identity space allowed it to appreciate the value of Ping's customer base and its growing customer identity (CIAM) use case, which was seen as a high-growth segment tangential to major digital transformation trends.

The defining move of the Thoma Bravo era, however, was the consolidation of two of the industry's biggest rivals. In August 2023, after a 10-month investigation by the U.S. Department of Justice, Thoma Bravo completed its separate $2.3 billion acquisition of ForgeRock. Immediately upon closing, it was announced that ForgeRock would be merged into Ping Identity. This was a deliberate and transformative act of market consolidation designed to create an identity security powerhouse with the scale and breadth to compete more effectively against market leader Okta. The combined entity, operating under the Ping Identity brand, is on a trajectory to approach $1 billion in annual recurring revenue, fundamentally reshaping the competitive dynamics of the IAM industry.

Before the monumental ForgeRock merger, Ping Identity executed a series of targeted acquisitions, each designed to fill a specific capability gap in its platform. This "buy-to-build" strategy was crucial in evolving the company from a federation specialist to a comprehensive identity platform.

• UnboundID (August 2016): Acquired shortly after the Vista Equity Partners investment, UnboundID was a provider of high-performance customer identity and access management (CIAM) and directory services. This was a critical acquisition that bolstered Ping's capabilities beyond its traditional strength in workforce IAM. UnboundID, founded by former Sun Microsystems engineers who had worked on the OpenDS project, provided a highly scalable user directory essential for the massive user populations in CIAM and Internet of Things (IoT) scenarios. This technology now forms the foundation of the PingDirectory product.

• Symphonic Software (November 2020): The acquisition of Symphonic Software brought in sophisticated dynamic authorization technology. This capability was integrated into the Ping platform and led directly to the enhancement and rebranding of the existing PingDataGovernance product into PingAuthorize. This new offering provides fine-grained, policy-driven, and attribute-based access control (ABAC), a cornerstone of modern Zero Trust security architectures.

• SecuredTouch (June 2021): To address the growing threat of automated attacks and account takeovers, Ping acquired SecuredTouch, an Israeli firm specializing in fraud and bot detection. The company's technology uses behavioral biometrics, artificial intelligence (AI), and machine learning to generate advanced risk signals. These capabilities were integrated into the PingOne Cloud Platform and are a core component of the PingOne Protect service, which provides real-time threat intelligence for adaptive authentication decisions.

• Singular Key (September 2021): The acquisition of Singular Key was an important move to address the integration challenges inherent in complex, multi-vendor identity ecosystems. Singular Key provided a no-code identity orchestration platform that allows enterprises to visually design and automate user journeys across disparate identity services. This technology became the foundation for PingOne DaVinci, a vendor-agnostic, drag-and-drop orchestration service that now serves as the strategic "glue" for the entire Ping Identity Platform.

The following table provides a chronological summary of these key corporate milestones.

Table 1: Ping Identity Corporate & M&A Timeline

The merger of Ping Identity and ForgeRock created one of the most comprehensive identity platforms on the market. However, it also introduced significant complexity and potential confusion for customers, partners, and developers navigating a product suite that now contains the heritage of two distinct, and formerly competitive, technology stacks. This section provides a definitive guide to the modern Ping Identity portfolio, clarifying the post-merger rebranding and outlining the structure of the unified platform.

Following the merger, the new leadership under Ping's CEO Andre Durand made a decisive move to consolidate the combined company under the Ping Identity brand. This strategy, which third-party analysis has dubbed the "Ping Won" approach, necessitated a comprehensive renaming of the entire ForgeRock product line to align with Ping's established naming conventions. The goal was to present a unified face to the market and begin the long-term process of technical and cultural integration.

The rebranding was systematic and logical. The core on-premises and self-hosted software products from ForgeRock were given "Ping" prefixes (e.g., ForgeRock Access Management became PingAM). Simultaneously, the ForgeRock Identity Cloud, a single-tenant Identity-as-a-Service (IDaaS) offering, was strategically positioned as a premium, high-control tier within the broader PingOne cloud platform. This approach preserved the powerful capabilities of the ForgeRock stack while integrating it into the Ping brand family.

graph TD
    %% Legend
    subgraph Legend
        direction LR
        subgraph " "
            A((Acquired Company))
            B[Product]
        end
    end

    %% ForgeRock Evolution
    subgraph "ForgeRock Evolution"
        direction LR
        ForgeRock[ForgeRock]
        ForgeRock --> ForgeRockAM[ForgeRock<br>Access Management]
        ForgeRock --> ForgeRockDS[ForgeRock<br>Directory Services]
        ForgeRock --> ForgeRockIDM[ForgeRock<br>Identity Management]
        ForgeRock --> ForgeRockGateway[ForgeRock<br>Identity Gateway]
        ForgeRock --> ForgeRockSDKs[ForgeRock<br>SDKs]
    end

    %% Ping Identity Evolution
    subgraph "Ping Identity Evolution"
        direction LR
        PingIdentity[Ping<br>Identity]
        PingIdentity --> PingFederate[PingFederate]
        PingIdentity --> PingAccess[PingAccess]
        PingIdentity --> PingOne[PingOne]
        PingIdentity --> PingDataGovernance[PingDataGovernance]
    end

    %% Acquisitions feeding Ping product portfolio
    subgraph "Ping Identity Acquisitions"
        direction TB
        Accells((Accells<br>Technologies)) --> PingID[PingID]
        UnboundID((UnboundID)) --> PingDirectory[PingDirectory]
        Symphonic((Symphonic<br>Software)) --> PingAuthorize[PingAuthorize]
        SecuredTouch((SecuredTouch)) --> PingOneProtect[PingOne Protect]
        SingularKey((Singular<br>Key)) --> PingOneDaVinci[PingOne DaVinci]
        ElasticBeam((Elastic<br>Beam)) --> PingIntelligence[PingIntelligence<br>for APIs]
        ShoCard((ShoCard)) --> PingOneNeo[PingOne Neo]
    end

    %% Merged Company Product Portfolio (Ping + ForgeRock combined)
    subgraph "Merged Company: Ping Identity (2023+)"
        direction LR
        PingAM[PingAM]
        PingDS[PingDS]
        PingIDM[PingIDM]
        PingGateway[PingGateway]
        PingSDKs["Ping SDKs"]
        PingFederate
        PingAccess
        PingDirectory
        PingAuthorize
        PingOneProtect
        PingOneDaVinci
        PingID
        PingIntelligence
        PingOneNeo
    end

    %% Rename / merger mappings
    ForgeRockAM --> PingAM
    ForgeRockDS --> PingDS
    ForgeRockIDM --> PingIDM
    ForgeRockGateway --> PingGateway
    ForgeRockSDKs --> PingSDKs

    PingDataGovernance --> PingAuthorize

The combined product portfolio is extensive, offering solutions across multiple deployment models (SaaS, private cloud, on-premises software) and for all major identity use cases (customer, workforce, B2B, IoT). The stack can be understood in three primary layers: Cloud Platforms, Core Software Components, and Cross-Platform Services.

This is Ping's original multi-tenant SaaS platform, often positioned for organizations prioritizing "speed" and ease of deployment. It delivers a comprehensive suite of IAM capabilities, including Single Sign-On (SSO), Multi-Factor Authentication (MFA) via its PingID service, and foundational directory services.

This is the rebranded ForgeRock Identity Cloud. It is a single-tenant, dedicated SaaS platform designed for enterprises that require greater "control," such as stringent data residency, complex configurations, and full tenant isolation.

This layer includes the installable software products that can be deployed on-premises or in a private cloud. A notable consequence of the merger is the functional overlap between the legacy Ping and legacy ForgeRock products in this category.

Ping's original flagship product, a highly flexible and powerful enterprise federation server for complex SSO, identity bridging, and API security.

Ping's traditional solution for web and API access security, acting as a policy enforcement point.

A high-performance, highly scalable LDAP directory server designed for storing massive volumes of identity data, built on the technology acquired from UnboundID.

Provides a comprehensive suite of capabilities for authentication, SSO, and fine-grained authorization.

A high-performance LDAP directory designed for storing and managing identity data.

A full-featured identity management and governance solution for user provisioning and lifecycle management.

An identity-aware gateway for securing access to legacy web applications and APIs.

This layer represents the strategic heart of the new Ping Identity. These are largely cloud-delivered services designed to be consumed across both the Ping and former ForgeRock platforms, providing a path toward a unified experience even while the underlying core components remain distinct.

The no-code identity orchestration engine acquired from Singular Key. It serves as the critical integration fabric, allowing enterprises to design and automate complex user journeys by connecting services from Ping, ForgeRock, and hundreds of third-party vendors via a drag-and-drop interface

Provides advanced threat protection, fraud detection, and risk signaling. It leverages the behavioral biometrics and AI/ML technology from the SecuredTouch acquisition to enable intelligent, risk-based adaptive access policies.

The dynamic authorization engine, born from the Symphonic acquisition, that externalizes and centralizes fine-grained access control decisions. It allows organizations to enforce complex, real-time policies on who can access what data and APIs, based on a rich set of contextual attributes.

A mobile and software-based multi-factor authentication (MFA) solution that provides a secure and user-friendly way to verify user identities.

An AI-powered solution that provides deep visibility into API traffic, detects and blocks attacks, and helps secure the API infrastructure.

A decentralized identity solution that allows individuals to control their own digital identities through a secure, portable wallet.

The existence of two distinct and feature-rich software stacks for access management (PingAccess vs. PingAM) and directory services (PingDirectory vs. PingDS) presents both an opportunity and a challenge. While it offers customers a choice of architectures, it also creates complexity in product selection, support, and long-term roadmap planning. The company has indicated a "long-term unification" strategy for these overlapping areas, but in the near term, they exist as parallel offerings. The strategic emphasis is therefore placed on the cross-platform services layer. Services like DaVinci, Protect, and Authorize provide a common plane of innovation that can be applied regardless of which underlying software stack a customer uses. This allows Ping Identity to deliver a unified user journey and advanced security capabilities while undertaking the multi-year effort of rationalizing the foundational platforms.

As the industry moves decisively away from passwords, the strength of a vendor's passwordless authentication capabilities has become a critical evaluation criterion. Passkeys, based on the FIDO2 and WebAuthn standards, represent the pinnacle of this shift, offering a phishing-resistant and user-friendly alternative. This section provides a granular, technical assessment of Ping Identity's support for passkeys, moving beyond marketing claims to detail the implementation realities, developer tools, and underlying policy frameworks.

Ping Identity's platform offers a comprehensive suite of passwordless authentication methods, catering to a wide range of security requirements and user preferences for both workforce and customer identity scenarios.

• FIDO2 and Passkeys: This is the cornerstone of Ping's phishing-resistant authentication strategy. The platform is a FIDO2-certified product and fully supports the WebAuthn standard. This enables authentication using:

  • Platform Authenticators: Biometric sensors built into user devices, such as Windows Hello, Apple's Touch ID and Face ID, and Android's biometric systems.

  • Roaming Authenticators: External hardware security keys, such as those from YubiKey, which can be used for highly secure access scenarios.

  The implementation critically supports discoverable credentials (the technical underpinning of passkeys), which allows for a true passwordless and "usernameless" login experience where the authenticator itself identifies the user to the service.

• Other Passwordless Methods: Beyond the FIDO2 standard, the platform provides several other methods to reduce or eliminate password reliance:

  • Magic Links and One-Time Passcodes (OTPs): Secure, time-sensitive links or codes sent via email or SMS provide a low-friction method for passwordless login, particularly popular in customer-facing applications.

  • Push Notifications: A common MFA method delivered via the PingID mobile application, where a user simply approves a login request on their trusted device.

  • Social Login: Federating authentication to trusted third-party identity providers like Google, Microsoft, and Apple allows users to leverage existing accounts for secure access.

  • QR Code Login: A form of device-based authentication where a user can scan a QR code with a trusted device to sign in to another session.

Enabling passkey authentication within the Ping Identity ecosystem is not a single toggle but a deliberate process of policy configuration that varies depending on the deployment model.

• PingOne Configuration (Cloud): For customers using the PingOne cloud platform, enabling passkeys is managed through a layered policy framework.

  1. Configure a FIDO Policy: An administrator must first create or edit a FIDO policy within the PingOne admin portal. This policy defines the specific parameters for FIDO2-based authentication.

  2. Set Key Parameters: Several settings within the FIDO policy are critical for a successful passkey implementation. The Relying Party ID must be set to the application's domain. Most importantly, Discoverable Credentials must be set to either Preferred or Required. This setting is what enables the passkey to be used for a passwordless primary authentication, rather than just as a second factor. User Verification is typically set to Required to enforce that the user unlocks their device with a biometric or PIN.

  3. Integrate into MFA Policy: The configured FIDO policy must then be included as an allowed authentication method within a broader MFA policy, which is then applied to the relevant applications or user populations.

• PingFederate Configuration (Software/Hybrid): For organizations using PingFederate for on-premises or hybrid deployments, specific version prerequisites must be met. Enabling passwordless FIDO2 requires PingFederate 9.3 or later and the PingID Integration Kit 2.7 or later. The configuration involves two main steps:

  1. Create a PingFederate Authentication Policy: An administrator must design a policy in the PingFederate console that orchestrates the passwordless authentication flow, directing users to the FIDO2 authenticator instead of a password form.

  2. Enable FIDO2 in PingID: In the corresponding PingID admin console, FIDO2 must be enabled as an alternate authentication method.

It is also important to note that as of April 15, 2024, Ping has deprecated its legacy "FIDO2 Biometrics" and "Security Key" authentication methods within PingID. Existing customers are required to migrate to the new, unified "FIDO2" authentication method, which is managed by the PingOne FIDO policy, to gain full support for modern passkeys and cloud-synced credentials. This migration is a permanent change and a necessary step for platform modernization.

Ping Identity provides a robust set of tools for developers to integrate passkey authentication directly into their custom applications, offering deep control over the user experience.

• Ping SDKs (formerly ForgeRock SDKs): The primary tools for native integration are the Ping SDKs for Android, iOS, and JavaScript. These SDKs provide libraries that handle the complexities of the WebAuthn protocol, allowing developers to programmatically trigger passkey registration, authentication, and de-registration ceremonies within their applications. The official documentation includes detailed guides and use cases for implementing biometrics and WebAuthn with these SDKs.

• API-Based Integration and Custom UI: For maximum flexibility, PingID supports a fully API-based integration mode. This allows developers to build a completely custom user interface for passkey management and authentication, making calls directly to the PingID APIs for pairing and authentication workflows. This is ideal for organizations that require a deeply branded and unique user experience. Additionally, the PingFederate Authentication API offers a JSON-based interface that allows an external web application to drive the authentication flow, providing state information and available actions at each step.

• Sample Code and Tutorials: To accelerate development, Ping Identity provides sample applications and code on its public GitHub repository. A notable example is the pingone-sample-app-ios repository, which contains a detailed, step-by-step guide for implementing passkeys in a native iOS app. This sample leverages a PingOne DaVinci flow on the backend to orchestrate the server-side logic, demonstrating a powerful pattern for modern application development.

The availability of these tools demonstrates that Ping Identity offers a technically complete and flexible platform for passkey implementation. However, it is not a simple, out-of-the-box feature for custom applications. It requires deliberate and careful configuration across multiple policy layers by administrators, and for custom integrations, it demands significant developer effort using the provided SDKs and APIs. This level of control is characteristic of enterprise-grade software but highlights a complexity that could be a barrier for teams with limited identity expertise.

Understanding a vendor's future direction is critical for any strategic technology decision. While Ping Identity does not publish a detailed, public-facing product roadmap, it is possible to synthesize its strategic priorities for passkeys and passwordless authentication by analyzing its market positioning, thought leadership, and recent product initiatives.

The most significant factor influencing Ping's near-term roadmap is the ongoing integration of the ForgeRock platform. The company has been transparent that this is its primary engineering focus. Official support forum responses confirm that detailed roadmaps are not shared publicly; instead, customers are encouraged to submit feature requests through official support channels to provide input on future development.

Analysis from third-party sources and statements from Ping's Chief Product Officer, Peter Barker, corroborate that the roadmap through 2025 is heavily weighted toward "integration, unification, and migration". The stated goal is to achieve "long-term unification" of the overlapping product areas, most notably the directory services (PingDirectory and PingDS) and the access gateways (PingAccess and PingGateway). This immense engineering effort to rationalize two complex platforms will naturally consume a significant portion of the company's development resources, likely prioritizing foundational integration work over net-new feature development in the short term.

Despite the internal focus on integration, Ping Identity continues to project a forward-looking vision centered on passwordless security.

• Analyst and Market Positioning: Ping Identity is consistently recognized as a "Leader" in influential industry reports, such as the Gartner Magic Quadrant for Access Management. Critically, Gartner's companion "Critical Capabilities" report now explicitly calls out "phishing-resistant MFA" and a vendor's "alignment and readiness for passkeys" as key evaluation criteria. Ping's strong and consistent leadership position in these reports indicates that its existing capabilities and strategic direction are well-aligned with the demands of the enterprise market and the expectations of top industry analysts.

• Thought Leadership and Vision: At major industry events like Identiverse 2025, Ping's leadership articulates a clear vision for the future of identity. CEO Andre Durand's keynotes have focused on themes of establishing "Verified Trust" in an era of AI-driven deepfakes and impersonation. He has explicitly highlighted frictionless, passwordless experiences using passkeys and biometrics as essential tools to achieve this vision. This consistent public messaging reinforces that passwordless authentication is not just a feature but a core pillar of the company's long-term strategy.

• Ping YOUniverse Conference: The company's annual customer conference, Ping YOUniverse, is positioned as the primary venue where the CEO and Chief Product Officer "outline their vision for The Future of Identity" and discuss how our roadmap is poised to support your IAM business needs". This suggests that while detailed feature timelines are not public, high-level roadmap themes and strategic priorities are shared directly with customers and partners in these controlled settings, providing a channel for direct feedback and alignment.

Perhaps the most concrete indicator of Ping's near-term passkey strategy was the September 2023 launch of PingOne for Customers Passwordless. This is not a new underlying technology but rather a packaged cloud solution designed specifically to accelerate the adoption of passwordless methods for customer identity (CIAM) use cases.

The key innovation of this solution is its reliance on the PingOne DaVinci orchestration engine. It provides administrators with pre-built, no-code templates for common passwordless user journeys, including registration, authentication with FIDO passkeys, and login with magic links. This allows organizations to design, test, and deploy sophisticated passwordless experiences in minutes using a visual, drag-and-drop interface, dramatically reducing the need for custom development.

This initiative is strategically significant. It represents a shift from merely providing a technical "toolbox" of APIs and SDKs to delivering a pre-fabricated, solution-oriented assembly. It directly addresses market feedback that implementing passwordless authentication, while technically possible with the core platform, can be too complex, slow, and resource-intensive for many organizations. By leveraging the DaVinci orchestrator—the technology from the Singular Key acquisition—Ping can abstract away the underlying policy and API complexity, thereby lowering the barrier to entry and accelerating time-to-market for its customers. This is a pragmatic approach that allows Ping to drive adoption of its advanced passwordless capabilities without having to wait for the full, multi-year unification of the underlying Ping and ForgeRock platforms to be complete.

A comprehensive analysis requires a balanced and critical examination of a platform's weaknesses alongside its strengths. While Ping Identity provides a powerful and feature-rich foundation for passkey authentication, it is not without its limitations, implementation challenges, and a market perception that reflects its enterprise-grade complexity.

The implementation of any advanced security protocol comes with inherent complexities and dependencies. Ping's FIDO2 and passkey support is subject to several known constraints that can impact deployment and user experience.

• Platform and Browser Dependencies: As a standard, WebAuthn is reliant on the client environment. Ping's documentation explicitly states that passkey registration and authentication must be performed using modern, supported browsers like the latest versions of Chrome, Safari, or Edge. Functionality may be degraded or fail entirely in older browsers or when users operate in incognito or private browsing modes.

• User Enrollment and Recovery: A persistent challenge for all FIDO-based systems, which Ping acknowledges in its own thought leadership, is the user lifecycle management around passkeys. The initial registration of a passkey may still require a legacy credential like a password to bootstrap trust. More critically, the account recovery process if a user loses all their registered devices can be significantly more complex than a traditional password reset. This can lead to user frustration and an increased burden on help desk support teams if not carefully designed.

• Specific Technical Constraints: The platform has several documented technical limitations.

  • PingID does not support Android-key attestation, a mechanism for verifying the integrity of the Android device's key store.

  • The WebAuthn ceremony has a hardcoded timeout of two minutes, which may not be suitable for all user scenarios.

  • On Apple devices, clearing Safari's history and website data will break the FIDO registration, effectively unpairing the device and forcing the user to re-enroll. While these are granular issues, they can create significant friction and support tickets in a large-scale deployment.

While Ping provides the technical tools for passkey implementation, you can argue that this is insufficient to drive high user adoption.

Passkey Adoption Platforms, such as Corbado, have built their business model on the premise that the native passkey support in enterprise platforms like Ping is complex and delivers low adoption. Typical adoption rates for such native implementations are in the 5-10% range. Achieving rates of 80% or higher requires a specialized, passkey-first user experience layer that optimizes enrollment and login flows. Moreover, native passkey implementations with Ping in enterprises can be lengthy, ranging from 12 to 36 months, due to the need for dedicated engineering resources to navigate this complexity.

Ping Identity's market perception is largely that of a powerful, flexible, and highly capable enterprise IAM leader, a view consistently reinforced by its leadership position in Gartner reports. User reviews frequently praise its robust security features, scalability for complex hybrid IT environments, and extensive integration capabilities.

However, this power comes at a cost. A recurring theme in user reviews and market analysis is the platform's complexity and high total cost of ownership. The administrative console is described as having a steep learning curve, and initial setup and configuration are often seen as intricate processes requiring specialized expertise. This positions Ping Identity as a premium solution well-suited for large enterprises with complex requirements and the resources to manage them, but potentially overly complex and expensive for smaller organizations or those seeking a simpler, more streamlined solution.

There is a discernible gap between supporting passkeys and actively driving the adoption of passkeys. Ping Identity excels at the former, providing a comprehensive and technically robust foundation for FIDO2 and WebAuthn. However, achieving high adoption rates requires a relentless focus on user experience, from seamless enrollment flows to intuitive account recovery. The market's perception, fueled by competitors, is that this can be a potential weakness in a complex, enterprise-focused platform. Ping's recent launch of "PingOne for Customers Passwordless" is a direct acknowledgment of this challenge. By using the DaVinci orchestrator to pre-package user journeys, Ping is attempting to solve the UX problem and bridge the gap between its powerful backend capabilities and the need for simple, turnkey deployment.

Ping Identity stands at an important moment in its history. The journey from a federated identity pioneer to a private equity-backed behemoth, culminating in the transformative merger with ForgeRock, has solidified its position as a dominant force in the enterprise IAM market. The strategic acquisitions of UnboundID, Symphonic, SecuredTouch, and Singular Key were tactical masterstrokes, systematically building out a comprehensive platform with best-in-class capabilities in directory services, dynamic authorization, fraud detection, and orchestration.

The merger with ForgeRock, however, represents a different class of challenge. While strategically sound for market consolidation, it has resulted in a complex and partially redundant product portfolio. The company's near-term focus is necessarily on the monumental engineering task of integrating these two platforms, a process that could temper the pace of net-new innovation. The strategic decision to innovate at the cloud services layer - leveraging DaVinci, Protect, and Authorize as a common fabric over the distinct underlying software stacks - is a pragmatic approach to managing this complexity while still delivering value to customers.

In the critical arena of passwordless authentication, Ping Identity's capabilities are technically robust. The platform provides support for the FIDO2 and WebAuthn standards, enabling passkey-based authentication. However, this power is coupled with significant implementation complexity and low passkey adoption. The path to enabling passkeys requires careful administrative policy configuration and usually huge effort from the customers to get high adoption.

The primary challenge for Ping Identity is not in the technology of passkeys, but in the user experience of their adoption. The market perceives a gap between the platform's technical capabilities and the ease with which organizations can deploy them to achieve high user adoption.

For organizations evaluating Ping Identity, the conclusion is nuanced. It remains one of the most powerful and flexible identity platforms available, particularly for large, complex enterprises with hybrid IT environments. Its passkey and passwordless capabilities are there. However, prospective customers must be prepared for a level of complexity and cost commensurate with an enterprise-grade solution and should closely evaluate the role of a Passkey Adoption Platform like Corbado.