PingOne Risk combines multiple internal and external risk factors to provide a single access point for calculating and retrieving risk scores. Use the user interface to create risk policies and configure the weights of various risk predictors into a single risk score. You can also view data and analytics on high-risk events and get in-depth insights on the authentication behavior of your users.

A screen capture of the PingOne Risk dashboard.

By implementing risk policies, you can control the authentication flow depending on the risk level. For example, you can force high-risk users to step up to stronger authentication or deny them access while providing a frictionless experience for trusted users.

PingOne Risk leverages the following risk predictors to learn user behavior and detect anomalies:

  • User risk behavior (organization-wide)
  • User-based risk behavior (individual user)
  • User velocity
  • Anonymous network detection
  • IP reputation
  • IP velocity
  • Geovelocity anomaly
  • User location anomaly
  • New device

For more information on risk predictors, see the PingOne Risk Datasheet.

User risk behavior (organization-wide)

To understand the behavior patterns of workforce users within an organization, PingOne Risk leverages user risk behavior and machine learning.

PingOne Risk continuously learns the behaviors of users inside an organization by analyzing many data points, including:

  • Operating system
  • Browser properties
  • Activity time frame
  • IP range
  • Geolocation

Using these data points, the machine-learning model characterizes abnormal activity as low, medium, or high risk and prompts the user for the appropriate authentication action.

User-based risk behavior (individual user)

Unlike the user risk behavior model, which compares a transaction with typical behavior within an organization, the user-based risk behavior model compares a transaction with the typical behavior of that specific user.

For example, if a user accesses an application that they rarely use but is frequently used within the organization, user-based risk behavior detects an anomaly, but user risk behavior doesn't.

User-based risk behavior is a machine-learning model that continuously updates. The model learns each user's behavior from various data points, including:

  • Operating system
  • Browser properties
  • Activity time frame
  • Geolocation
  • Application being accessed

The machine-learning model characterizes abnormal activity as low, medium, or high risk.

User velocity

Stolen user accounts are becoming more common. A malicious user can have multiple sets of credentials originating from the same IP address. PingOne Risk detects the number of users originating from the same IP address and alerts on anomalies.

Anonymous network detection

Malicious actors typically use anonymous networks, such as unknown VPNs, Tor, and proxies to mask their IP address. PingOne Risk analyzes IP address data from a user’s device to determine if the address is originating from any type of anonymous network. If so, the user can be prompted for step-up authentication or denied access. PingOne Risk also supports creating a whitelist of networks, ensuring that legitimate VPN users can access authorized resources.

IP reputation

IP addresses that have been involved in malicious activities, such as distributed denial-of-service (DDoS) attacks or spam activity, are considered risky. The more frequently an IP address is used for malicious activities, the higher its risk score. If a user attempts to access an application that is associated with an IP address previously involved with suspicious activity, the probability of potentially risky behavior increases. PingOne Risk analyzes data from different intelligence sources to determine the probability an IP address is associated with malicious activity and to request stronger authentication to verify the user’s identity.

IP velocity

Compromised accounts can be associated with many different IP addresses. PingOne Risk detects the number of IP addresses a user is leveraging and alerts on anomalies.

Geovelocity anomaly

Users frequently sign on to the same application from multiple locations throughout the day. However, a time lapse between two sign-on locations that is shorter than the time it would take to travel between the two points could indicate suspicious activity. PingOne Risk analyzes location data to calculate if travel time between two session locations is physically possible. If the elapsed time is calculated to be impossible, the user can be prompted with step-up authentication or denied access.

User location anomaly

User location anomaly predictors allow you to define a radius around the location of the previous successful sign-on attempts. Sign-on attempts outside the defined radius result in a risk score of High. This information can be used in authentication policies to reduce the risk of unintentional push notification approval and account takeover (ATO) attacks.

New device

New device predictors allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the recent past.