PingOne

Risk policies for MFA-only licenses

PingOne Protect provides a range of predictors to enable you to build a robust and flexible risk policy.

If you don’t have a PingOne Protect license, you can create a risk policy with a limited subset of the predictors. This section outlines the differences in how a risk policy works with an MFA-only license and lists the predictors that you can use.

If you are interested in upgrading to a PingOne Protect license to take advantage of the full PingOne Protect offering, contact your Ping Identity representative.

(Workforce only) For PingID accounts migrating from the legacy PingID admin portal to a workforce environment, predictors in PingOne have a similar function to legacy PingID policy rules.

How does a risk policy differ with an MFA-only license?

  • Only a limited subset of the PingOne Protect predictors are available.

  • You can only create targeted risk policies.

  • Within a risk policy:

    • You can only apply the risk policy to authentication flows.

      In PingOne Protect, you can also apply a targeted risk policy to registration, authorization, access, and transaction flows.

    • Each predictor functions as a separate risk evaluation. Each predictor and its mitigation rule action are considered separately, in the order in which they are listed.

      In PingOne Protect the predictors are combined and considered simultaneously to provide a single risk level.

  • If you configure more than one risk policy, PingOne considers each risk policy in the order that it appears in the Risk Policies list. This behavior is the same as that of PingOne Protect targeted risk policies.

    Learn more about the greater degree of flexibility provided with a full PingOne Protect license in Adding a risk policy.

Which predictors are supported?

With an MFA-only license, the following predictors are supported:

  • Geovelocity anomaly

  • IP reputation

  • Anonymous network

  • (Workforce only) PingID device trust

  • New device

  • Composite predictor: Combine several risk predictors and factors into a single predictor. With an MFA-only license, additional risk factors are limited to country and IP range.

Learn more about configuring risk predictors in Predictors.

How do I create a risk policy if I have an MFA-only license?

  • Before you begin, you must create and configure any MFA policies and predictors you want to reference within the risk policy.

  • Risk policies work slightly differently if you don’t have a full PingOne Protect license.

    You can find more details and step-by-step instructions in Creating a risk policy with an MFA-only license.

(Workforce only) Can I reconstruct legacy PingID policy rules in PingOne?

If you integrated a PingID account with PingOne that was previously managed by the legacy PingID admin portal, and you want to recreate PingID policy rules in PingOne, you can do so using PingOne predictors. Learn more in Using predictors to recreate legacy PingID policy rules.