PingOne

Device profiling methods

In addition to the basic transaction information, PingOne Risk can include an optional device profile in its risk evaluation.

There are different methods for collecting the device profile depending on your preferences and whether users are authenticating directly through PingFederate or through the PingFederate authentication application programming interface (API).

Complete steps for each device profiling method are available when you reach the Integrating device profiling part of the setup process.

Signals SDK and Fingerprint JS

Signals SDK is the preferred device profiling method and is recommended for use in the PingOne Risk Integration Kit 1.3 and later. This method provides the best risk detection and is required for the newest risk predictors such as New Device.

For backwards compatibility, Fingerprint JS is also supported. Either option can be used for device profiling and can be used with each of the following scenarios.

Some resource files might need to be updated if using Fingerprint JS.

Direct authentication mode: Captured by the PingOne Risk IdP Adapter

The PingOne Risk IdP Adapter inserts a page into the sign-on flow that shows a spinner animation while it collects the device profile. The page appears in the sign-on flow in the order set by your PingFederate authentication policy, typically after the first-factor sign-on page.

This method does not require modifications to any other pages, but adds a wait time to the sign-on process while the device profile is collected. The length of the wait depends on your environment.

Direct authentication mode: Captured by a previous adapter

You add a device profiling script to a page that appears earlier in the sign-on flow than the PingOne Risk IdP Adapter. The script creates the device profile and stores it in a series of HTTP cookies. When the PingOne Risk IdP Adapter is triggered by the PingFederate authentication policy, it picks up the device profile from the cookies. The adapter sends the device profile to PingOne Risk along with the transaction information.

By adding the device profiling script to your first-factor authentication page, for example, the device profile is created while the user types in their credentials. This can reduce the perceived wait time during sign on.

You can integrate the device profiling script into any page that meets the following criteria:

  • The page appears before the PingOne Risk IdP Adapter in the sign-on flow.

  • The page is hosted in the same domain as your PingFederate server. This allows HTTP cookies to pass the transaction information to the PingOne Risk IdP Adapter. You might be able to work around this requirement by consolidating your domains with a reverse proxy server.

  • You have access to the page to add the script.

Authentication API mode: Captured by your web application first-factor sign-on page

You add a device profiling script to your web application sign-on page. The script creates the device profile and stores it in a series of HTTP cookies. When the PingOne Risk IdP Adapter is triggered by the PingFederate authentication policy, it picks up the device profile from the cookies. The adapter sends the device profile to PingOne Risk along with the transaction information.