PingOne

Device profiling methods

In addition to the basic transaction information, PingOne Protect can include an optional device profile in its risk evaluation.

There are different methods for collecting the device profile depending on your preferences and whether users are authenticating directly through PingFederate or through the PingFederate authentication API.

Complete steps for each device profiling method are available when you reach the relevant part of the setup process.

Captured by the provider and HTML Form adapter

The PingOne Protect provider is the recommended device profiling method and is critical for the best risk detection. It is required for the newest risk predictors such as New Device. The PingOne Protect provider uses the built-in SDKs with the HTML Form adapter to evaluate the risk.

Captured by the PingOne Protect IdP Adapter

The PingOne Protect IdP Adapter inserts a page into the sign-on flow that shows a spinner animation while it collects the device profile. The page appears in the sign-on flow in the order set by your PingFederate authentication policy, typically after the first-factor sign-on page.

If Dynamic Device Profiling is enabled, the PingOne Protect IdP Adapter will only load the device profiling page if it hasn’t already received the payload from the provider.

This method does not require modifications to any other pages, but it adds a wait time to the sign-on process while the device profile is collected. The length of the wait depends on your environment.

Captured by a previous adapter

You add a device profiling script to a page, such as Identifier First, that appears earlier in the sign-on flow than the PingOne Protect IdP Adapter. The script creates the device profile and stores it in a series of HTTP cookies. When the PingOne Protect IdP Adapter is triggered by the PingFederate authentication policy, it picks up the device profile from the cookies. The adapter sends the device profile to PingOne Protect along with the transaction information.

By adding the device profiling script to your first-factor authentication page, for example, the device profile is created while the user types in their credentials. This can reduce the perceived wait time during sign on.

You can integrate the device profiling script into any page that meets the following criteria:

  • The page appears before the PingOne Protect IdP Adapter in the sign-on flow.

  • The page is hosted in the same domain as your PingFederate server. This allows HTTP cookies to pass the transaction information to the PingOne Protect IdP Adapter. You might be able to work around this requirement by consolidating your domains with a reverse proxy server.

  • You have access to the page to add the script.
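
Why the same-domain criterion matters, as an added example (not Ping Identity code): a simplified RFC 6265 check of whether a cookie set on your page would be sent to the PingFederate host. The hostnames are constructed, and how the profiling script actually scopes its cookies (the `domainAttr` parameter here) is an assumption not stated on this page.

```javascript
// Added example: simplified RFC 6265 cookie scoping (no public-suffix list,
// no Path or SameSite handling). All hostnames are constructed placeholders.

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  // Suffix match must fall on a label boundary and never applies to IP hosts.
  return !isIp && host.endsWith("." + cookieDomain);
}

// Would a cookie set by the page at setterUrl be sent to targetUrl?
// domainAttr: the cookie's Domain attribute, or null for a host-only cookie
// (assumption: the page does not say which one the profiling script uses).
function cookieReaches(setterUrl, targetUrl, domainAttr = null, secure = true) {
  const setter = new URL(setterUrl);
  const target = new URL(targetUrl);
  if (secure && target.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie, target is not HTTPS" };
  }
  if (domainAttr === null) {
    // Host-only cookies go back only to the exact host that set them.
    return setter.hostname === target.hostname
      ? { sent: true, reason: "host-only cookie, same host" }
      : { sent: false, reason: "host-only cookie, different host" };
  }
  if (!domainMatches(setter.hostname, domainAttr)) {
    return { sent: false, reason: "browser rejects a Domain the setting host is not in" };
  }
  return domainMatches(target.hostname, domainAttr)
    ? { sent: true, reason: "target host is inside the cookie Domain" }
    : { sent: false, reason: "target host is outside the cookie Domain" };
}

// Constructed deployment layouts: [page with the script, PingFederate, Domain attribute]
const layouts = [
  ["https://login.example.com/signon", "https://sso.example.com/idp", null],
  ["https://login.example.com/signon", "https://sso.example.com/idp", "example.com"],
  ["https://app.example.net/signon", "https://sso.example.com/idp", "example.com"],
  // Reverse proxy consolidating both under one host:
  ["https://id.example.com/app/signon", "https://id.example.com/pf/idp", null],
];
for (const [page, pf, domain] of layouts) {
  const r = cookieReaches(page, pf, domain);
  console.log(`${page} -> ${pf} (Domain=${domain}): ${r.sent ? "sent" : "NOT sent"}, ${r.reason}`);
}
```

If a layout reports "NOT sent", the adapter would not find the device profile in the request from that page.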

Captured by your web application first-factor sign-on page

You add a device profiling script to your web application sign-on page. The script creates the device profile and stores it in a series of HTTP cookies. When the PingOne Protect IdP Adapter is triggered by the PingFederate authentication policy, it picks up the device profile from the cookies. The adapter sends the device profile to PingOne Protect along with the transaction information.