
Phased Device Migration to Ping

  • Writer: Juan Redondo
  • Jun 10

How PingGateway Enabled a Controlled, Risk-Managed Migration to Modern Identity

In a fast-moving digital identity landscape, enterprises must evolve their authentication systems with minimal disruption. Midships Organization, a globally operating enterprise, sought to move from a legacy DAON deployment to a modern, standards-based approach built on PingAM and FIDO2 device credentials.

Rather than executing a risky “big bang” switch, the team architected a phased migration strategy: PingGateway orchestrated the user flow and progressively shifted user devices to PingAM, with a successful FIDO2 registration as the trigger for each device's cut-over.


Migration Objective: Replace DAON Without Compromising Access

The existing identity setup relied on DAON’s biometric platform for user authentication. Limitations in scalability and standards support (FIDO2/WebAuthn in particular) prompted the modernization, and DAON carried an additional licensing cost that could be avoided by using Ping's out-of-the-box FIDO2 services.

Ping Identity’s PingAM (Ping Access Management, formerly ForgeRock Access Management) offered an ideal upgrade path, featuring:

  • Strong support for FIDO2 authentication

  • Centralized access policies

  • Seamless user and session management

  • Flexible orchestration with PingGateway

Key challenges included:

  • Avoiding downtime

  • Preserving user sessions and existing access rights

  • Ensuring phased rollout without end-user confusion


Phased Migration Strategy: PingGateway as the Smart Router

At the heart of the migration was PingGateway (formerly ForgeRock Identity Gateway), acting as an intelligent reverse proxy and orchestration layer. It intercepted every authentication request and evaluated it against a dynamic rule set that combined random percentage allocation with per-device state tracking. This interception and real-time evaluation formed the Smart Routing logic.

Main Routing Logic:

Each incoming user request was evaluated by PingGateway as follows:

  1. Random Allocation for Migration Eligibility:

    • On first contact, each user request was assigned a random value (for example, an integer in the range 0–100).

    • This value was compared with the current migration threshold (for example, 20% in Phase 2).

    • If the value was below the threshold, the user was marked as eligible for migration.

  2. Routing Decision Based on Eligibility and Device State:

    • Not eligible: User continued to authenticate via DAON (legacy system).

    • Eligible but not yet migrated: after a successful DAON authentication, PingGateway initiated a background migration that transferred:

      • Device metadata

      • Associated user information

      • FIDO2 credentials (newly registered, silently, in PingAM)

    • Already migrated: Authentication request routed directly to PingAM.



Figure 1. A logic diagram depicting the routing and migration operations

Transparent Migration

One of the key strengths of the strategy was its zero-friction user experience:

  • No prompts, no redirects. Users continued to log in via DAON.

  • If eligible, the migration ran transparently after a successful DAON login.

  • Once migrated, future login attempts were routed to PingAM, using the now-available FIDO2 credentials for a modern, passwordless experience.

This seamless orchestration allowed Midships to:

  • Migrate users and their devices progressively without burdening the helpdesk.

  • Avoid mass user re-registration or onboarding campaigns.

  • Monitor and tune the rollout with confidence at each stage.


Traffic Segmentation via Percentage Rollout

The migration followed a controlled, percentage-based strategy, allowing the team to gradually increase exposure to PingAM:

  • Phase 1: 5% of user devices (identified by UUID), all belonging to internal test users, were randomly selected for registration and rerouted to PingAM on success.

  • Phase 2: Increased to 20%, focusing on low-risk user groups.

  • Phase 3: 50% of general users, with expanded observability and failover.

  • Phase 4: 100% rollout; legacy DAON endpoints deprecated.

The phased model ensured that any error or service degradation in PingAM would only affect a small portion of users—mirroring canary deployments used in application release pipelines.
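The routing decision described under Main Routing Logic and the percentage rollout above can be modelled in a few dozen lines. The following is an added example, not Midships' or Ping Identity's code: the stable hash bucket (a design choice that keeps a device's eligibility constant across logins instead of rolling a fresh random number per request), the in-memory device-state store, the fake PingAM registry and the sample device identifiers are all assumptions of this example. In a real PingGateway deployment the same logic would sit in a scripted filter in front of the DAON and PingAM routes.

```python
# Model of the PingGateway smart-routing decision described above, added here
# as an illustration. It is not Midships' or Ping Identity's code: the stable
# hash bucket, the in-memory device-state store, the fake PingAM registry and
# the sample device identifiers are all assumptions of this example.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LEGACY = "DAON"     # legacy biometric platform
MODERN = "PingAM"   # target platform that holds the FIDO2 credentials

# Share of devices eligible for migration in each phase (percentages from the text).
PHASE_THRESHOLDS = {1: 5, 2: 20, 3: 50, 4: 100}


@dataclass
class DeviceState:
    migrated: bool = False               # set only after FIDO2 registration succeeds
    credential_id: Optional[str] = None  # PingAM credential id once migrated


def bucket(device_uuid: str) -> int:
    """Stable bucket in 0..99 derived from the device UUID (assumed design choice).

    Hashing the UUID instead of rolling a fresh random number on every request
    keeps a device's eligibility constant across logins and makes the rollout
    monotonic: a device eligible at 5% stays eligible when the threshold rises.
    """
    digest = hashlib.sha256(device_uuid.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


class SmartRouter:
    def __init__(self, phase: int,
                 register_fido2: Callable[[str, str, bytes], Optional[str]]):
        self.phase = phase
        self.register_fido2 = register_fido2  # hook to the registration service (assumed)
        self.state: Dict[str, DeviceState] = {}

    def eligible(self, device_uuid: str) -> bool:
        return bucket(device_uuid) < PHASE_THRESHOLDS[self.phase]

    def route(self, device_uuid: str) -> str:
        """Decide where an incoming authentication request is sent."""
        st = self.state.setdefault(device_uuid, DeviceState())
        return MODERN if st.migrated else LEGACY

    def on_legacy_auth_result(self, device_uuid: str, user_id: str,
                              authenticated: bool, fido2_public_key: bytes) -> bool:
        """Post-DAON hook that attempts the silent background migration.

        Migration runs only for an eligible, not-yet-migrated device and only
        after a successful DAON authentication, so the new FIDO2 credential
        inherits its trust from the legacy login that gated it. A failed
        registration leaves the device on the legacy path.
        """
        st = self.state.setdefault(device_uuid, DeviceState())
        if not authenticated or st.migrated or not self.eligible(device_uuid):
            return False
        credential_id = self.register_fido2(user_id, device_uuid, fido2_public_key)
        if credential_id is None:
            return False
        st.migrated = True
        st.credential_id = credential_id
        return True


class FakePingAMRegistry:
    """In-memory stand-in for PingAM's FIDO2 registration service (assumed)."""

    def __init__(self):
        self.credentials: Dict[str, dict] = {}

    def register(self, user_id: str, device_uuid: str, public_key: bytes) -> Optional[str]:
        if not public_key:  # malformed registration is rejected
            return None
        credential_id = hashlib.sha256(device_uuid.encode() + public_key).hexdigest()[:16]
        self.credentials[credential_id] = {
            "user": user_id, "device": device_uuid, "public_key": public_key}
        return credential_id


def rollout_summary(device_uuids, phases=(1, 2, 3, 4)) -> Dict[int, int]:
    """Devices eligible per phase; never decreases because buckets are stable."""
    return {p: sum(bucket(d) < PHASE_THRESHOLDS[p] for d in device_uuids) for p in phases}


if __name__ == "__main__":
    # Constructed population of 1000 device identifiers.
    devices = [f"device-{i:04d}" for i in range(1000)]
    print(rollout_summary(devices))
```

Raising the phase only widens the eligible set; nothing a device already had is taken away, which is what lets the rollout behave like a canary release. The server-side state here complements the migrated flag the mobile app keeps on the device: the gateway should not trust the client's flag alone to decide that a device may skip DAON.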


FIDO2 Registration: Silent Key migration

Each device selected for migration was enrolled to register a FIDO2 platform authenticator or security key. PingGateway was configured to call the PingAM FIDO2 registration service silently in the background with the newly generated FIDO2 public key, and upon successful registration:

  • The mobile app tagged the device as migrated by storing a boolean flag in the device's secure enclave-backed storage.

  • All future authentication flows were routed directly to PingAM.

  • DAON was bypassed entirely for that user device.

Users who failed or skipped registration stayed on the legacy path during a grace period, until all remaining users were moved to the new system in Phase 4. Because registration is triggered only by a successful DAON login, the new FIDO2 credential inherits its trust from that legacy authentication; the gateway therefore has to tie each registration to the session DAON has just authenticated, and a failed registration must leave the device on the legacy path rather than in a half-migrated state.
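A check a practitioner would want around the silent registration step is that the gateway accepts only a registration bound to the session DAON has just authenticated, with a single-use challenge and the relying party's origin. The following is an added example, not the page's or Ping Identity's code: the `RegistrationGate` class, the session store, the origin `https://login.example.com` and the constructed clientDataJSON are assumptions, and attestation-object (CBOR) parsing is deliberately left out so that the binding checks stand on their own.

```python
# Verification of the client data of a FIDO2/WebAuthn registration before the
# gateway accepts a silently registered credential. Added example, not the
# page's or Ping Identity's code; the session store, the challenge issuer, the
# origin and the constructed clientDataJSON are assumptions. Attestation-object
# (CBOR) parsing is out of scope here.
import base64
import json
import os
from typing import Dict, Optional

RP_ORIGIN = "https://login.example.com"  # assumed relying-party origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RegistrationGate:
    """Issues one challenge per DAON-authenticated session and checks the
    registration response's client data against it (type, challenge, origin)."""

    def __init__(self, rp_origin: str = RP_ORIGIN):
        self.rp_origin = rp_origin
        self.pending: Dict[str, bytes] = {}  # session_id -> outstanding challenge

    def issue_challenge(self, session_id: str, daon_authenticated: bool) -> Optional[str]:
        """Only a session that DAON has just authenticated may start registration."""
        if not daon_authenticated:
            return None
        challenge = os.urandom(32)
        self.pending[session_id] = challenge
        return b64url(challenge)

    def verify_client_data(self, session_id: str, client_data_json: bytes) -> str:
        """Return 'ok' or the reason the registration is refused.

        The challenge is consumed on the first verification attempt, so a
        captured registration response cannot be replayed against the session.
        """
        challenge = self.pending.pop(session_id, None)
        if challenge is None:
            return "no outstanding challenge for session"
        try:
            data = json.loads(client_data_json)
            received = b64url_decode(data.get("challenge", ""))
        except (ValueError, AttributeError, TypeError):
            return "malformed client data"
        if data.get("type") != "webauthn.create":
            return "wrong ceremony type"
        if received != challenge:
            return "challenge mismatch"
        if data.get("origin") != self.rp_origin:  # origin binding: the phishing-resistance property
            return "origin mismatch"
        return "ok"


def make_client_data(challenge_b64url: str, origin: str,
                     ceremony: str = "webauthn.create") -> bytes:
    """Constructed clientDataJSON as an authenticator client would send it."""
    return json.dumps({"type": ceremony, "challenge": challenge_b64url,
                       "origin": origin, "crossOrigin": False}).encode("utf-8")
```

The order of the checks matters less than the fact that every one of them runs against state the server created for that specific session; a response that carries the right challenge but the wrong origin, or the right origin but a reused challenge, is refused and the device stays on the DAON path.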


Results and Benefits

Service Stability and Zero Downtime

Thanks to PingGateway’s routing intelligence and the graceful fallback to DAON for any device that was not yet migrated, no outages occurred during the migration.

Increased Security

FIDO2-based authentication significantly reduced phishing and replay risk: credentials are bound to the relying party's origin, and each assertion signs a fresh server-issued challenge.

Improved UX

The move to PingAM enabled passwordless flows, reducing friction for daily logins.

Reduced costs

By adopting PingAM’s native FIDO2 services, the organization significantly reduced the licensing and support costs associated with the DAON platform.

Lower operational complexity

Consolidating the identity infrastructure under the Ping Identity suite lowered operational complexity.


Final Thoughts

Midships’ migration to PingAM exemplifies a modern, secure identity transformation done without sacrificing user experience or availability. By leveraging PingGateway as a migration router and FIDO registration as the transition trigger, the team modernized authentication architecture with surgical precision.

For organizations migrating identity platforms, this approach demonstrates how controlled rollout strategies, smart traffic routing, and standards-based authentication can yield high-impact results with minimal risk.


Writer’s Overview

Juan Redondo – Co-Founder & Head of Identity, Midships

Juan is a certified IAM specialist with 12+ years of experience architecting CIAM platforms for global banks and retailers. He leads the Identity practice at Midships, blending deep product knowledge with hands-on delivery in complex environments.

Juan brings technical excellence in Ping, ForgeRock, and Kubernetes, delivering scalable, secure identity solutions from concept to production.
