--- title: Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow description: Learn about the Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow flow, including its purpose, structure, inputs, outputs, and variables. component: pingone-solutions page_id: pingone-solutions:healthcare:flow-reference/healthcare-authentication-threat-detection-subflow canonical_url: https://docs.pingidentity.com/pingone-solutions/healthcare/flow-reference/healthcare-authentication-threat-detection-subflow.html revdate: January 1, 2025 section_ids: purpose: Purpose structure: Structure input-schema: Input schema output-schema: Output schema variables-and-parameters: Variables and parameters --- # Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow The **Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow** uses PingOne Protect to provide a risk assessment of the current user. ## Purpose The **Healthcare - Progressive Verification during Authentication - Threat Detection - Subflow** passes user information to PingOne Protect to perform a risk assessment. The assessment results are made available to other flows. ## Structure This flow is divided into sections using teleport nodes: * **Detect Threat using PingOne Protect** A function node verifies that the username, flow type, and `skriskcomponent` are all present. If all values are present, a PingOne Protect node creates a risk evaluation. A function node then checks if a new device was found. If a new device was found, function nodes check if the user's account is pre-existing and enabled. If both conditions are met, a PingOne node notifies the user of the new device. Regardless of whether a new device was found, a comparison node checks whether a bot, adversary-in-the-middle (AITM), or disposable email was detected: * If none were detected, function nodes verify that either the user ID is not known or that the user's account is enabled. The flow then progresses to the **Return Success** section. * If any were detected, the flow progresses to the **Disable User, Notify User With Password Reset Link And Return Error If AITM/Disposable Mail Detected **section. * **Disable User, Notify User With Password Reset Link And Return Error If AITM/Disposable Mail Detected** Function nodes verify that the flow type passed to PingOne Protect was not `registration` and that the user is active. If these conditions are met, PingOne nodes disable the user and notify the user with an email. * **Return Success** Sends a JSON success message. * **Return Error** Uses a function node to enrich the error details, then sends a JSON error message. If the PingOne Protect evaluation ID isn't present, a PingOne Protect node updates the PingOne Protect risk evaluation to `Failed`. ## Input schema This flow has the following inputs: | Input name | Required | Description | | ----------------------- | -------- | ---------------------------------------------------------------------------------------------------------- | | `skriskcomponent` | Yes | The `SKRisk` component to be used in the risk evaluation. | | `p1UserId` | No | The user ID to be passed to PingOne Protect. | | `p1UserName` | Yes | The username to be evaluated by PingOne Protect. | | `p1UserEmail` | No | The user email to be passed to PingOne Protect. | | `p1ProtectRiskPolicyId` | No | The risk policy ID to be passed to PingOne Protect. If it isn't provided, the default risk policy is used. | | `flowType` | Yes | The flow type to be passed to PingOne Protect. | | `ipAddress` | Yes | The user IP address to be passed to PingOne Protect. | | `isAccountEnabled` | No | A Boolean indicating whether the user's account is enabled. | | `applicationID` | No | The application ID to be passed to PingOne Protect. | | `sessionID` | No | The session ID to be passed to PingOne Protect. | | `customAttributes` | No | Any custom PingOne attributes to be passed to PingOne Protect. | | `userAgent` | No | The PingOne Protect user agent. | | `usercookie` | No | The PingOne Protect user cookie. | ## Output schema This flow has the following outputs: | Output name | Description | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- | | `protectRiskEvalID` | The risk ID of the current user as used by PingOne Protect. | | `protectActivityState` | The user's state or province, as determined by PingOne Protect. | | `protectActivityCity` | The user's city, as determined by PingOne Protect. | | `protectDeviceStatus` | The status of the user's device as determined by PingOne Protect. | | `protectPredictor` | The action recommended by PingOne Protect. | | `protectRiskLevel` | The risk level of the current user as determined by PingOne Protect. | | `errorMessage` | The error message returned by the flow. Sent only if the flow progressed to the **Return Error** section. | | `errorDetails` | The detailed error information returned by the flow. Sent only if the flow progressed to the **Return Error** section. | ## Variables and parameters This flow does not directly use any variable or parameter values.