PingOne Protect dynamically evaluates risk data and calculates a risk level. You can create risk policies to control the response that the end user receives depending on the risk level.
The following diagram shows how PingOne Protect works.
- The user initiates the flow.
Possible types of user flows are access, authentication, authorization, registration, or transaction. You can also specify a flow subtype to provide additional detail about the context of the flow, such as whether the user performed a password reset or signed on with their username and password. Learn more about flow types and subtypes in the PingOne API documentation.
- PingOne Protect evaluates risk levels based on various data points, such as network, location, device hardware and settings, behavioral biometrics, and more.
- The PingOne Protect risk policy calculates the risk based on policy settings.
- PingOne Protect returns a detailed response that includes data about the event, the user and their device, predictor results, and the risk policy result.
Learn more in Risk evaluations.
Note: You can use the PingOne API to configure and retrieve risk policies and evaluations. Learn more in the PingOne Protect API documentation.
The policy result can include the following attributes:
result.level
- The response always returns this attribute. Values can be LOW, MEDIUM, and HIGH.
result.score
- The response always returns this attribute and includes the numeric score that the policy calculates. The score determines the risk level based on the policy threshold.
result.recommendedAction
- The response might return this attribute based on the attack vector. This attribute enhances the risk level attribute and provides information on how the user flow should continue. Possible values are:
  - BOT_MITIGATION: You should take steps to handle a scenario where a bot is involved.
  - AITM_MITIGATION: You should take steps to mitigate the damage from an Adversary-in-the-Middle (AitM) attack. For an AitM attack, the user's credentials have been intercepted, so in addition to blocking the access request, you should lock the user's account until the password is changed.
  - TEMP_EMAIL_MITIGATION: The user has specified a disposable email address, which is an indication of a fraud attempt.
  - DENY: When a risk level of HIGH is calculated for a traffic anomaly predictor, you should deny access because the repeated risk evaluations are likely a sign of a brute force attack.
result.value
- The response might return this attribute. result.value is free text that you can add to a policy override. Override rules are not necessary in most cases, but you can use them in scenarios that require blocking a user (for example, known IPs that you want to block). Learn more about policy overrides in Risk policies.
To view an example full response, see the PingOne Protect API documentation.
- The risk policy makes a decision based on the response, and the user flow continues based on the decision.
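The following is an added example, not code from the PingOne documentation, showing how an application can consume the policy result described above and decide how the flow continues. It assumes the evaluation is a JSON object whose "result" member carries the attributes named on this page (level, score, recommendedAction, value); the sample evaluations are constructed, and the mapping from those attributes to application actions (allow, step-up MFA, bot challenge, manual review, block, account lock) is this example's own policy, not a PingOne default. Unknown levels or recommended actions fail closed so that a new value introduced on the PingOne side cannot silently pass as "allow".

```python
"""Decide how a sign-on flow continues from a PingOne Protect risk evaluation.

Added example; not code from the PingOne documentation. The response shape
and the action mapping below are assumptions made for illustration.
"""
import json
from dataclasses import dataclass, field

KNOWN_LEVELS = {"LOW", "MEDIUM", "HIGH"}

# Application handling keyed by result.recommendedAction (assumed mapping).
ACTION_HANDLING = {
    "DENY": "block",
    "AITM_MITIGATION": "block",
    "BOT_MITIGATION": "bot_challenge",
    "TEMP_EMAIL_MITIGATION": "manual_review",
}

# Application handling keyed by result.level when no recommendedAction is present.
LEVEL_HANDLING = {
    "LOW": "allow",
    "MEDIUM": "step_up_mfa",
    "HIGH": "step_up_mfa",
}


@dataclass
class Decision:
    action: str                 # allow, step_up_mfa, bot_challenge, manual_review, block
    lock_account: bool = False  # set for AitM: the user's credentials are assumed intercepted
    reasons: list = field(default_factory=list)


def decide(evaluation: dict) -> Decision:
    """Map a risk evaluation response to an application decision, failing closed."""
    result = evaluation.get("result")
    if not isinstance(result, dict):
        return Decision("block", reasons=["missing result object"])

    level = result.get("level")
    if level not in KNOWN_LEVELS:
        # result.level is always present; anything else means a malformed response
        return Decision("block", reasons=[f"unexpected result.level: {level!r}"])

    reasons = [f"level={level}", f"score={result.get('score')}"]

    # result.value carries the free text of a policy override; record it for audit
    override = result.get("value")
    if override:
        reasons.append(f"override: {override}")

    recommended = result.get("recommendedAction")
    if recommended is not None:
        action = ACTION_HANDLING.get(recommended)
        if action is None:
            # A recommendedAction this code does not know must not pass through as allow
            reasons.append(f"unknown recommendedAction: {recommended}")
            return Decision("block", reasons=reasons)
        reasons.append(f"recommendedAction={recommended}")
        return Decision(action, lock_account=(recommended == "AITM_MITIGATION"), reasons=reasons)

    return Decision(LEVEL_HANDLING[level], reasons=reasons)


def decide_json(raw: str) -> Decision:
    """Convenience wrapper for a raw JSON response body."""
    return decide(json.loads(raw))


# Constructed sample evaluations covering each branch above.
SAMPLE_EVALUATIONS = {
    "clean": '{"result": {"level": "LOW", "score": 10}}',
    "aitm": '{"result": {"level": "HIGH", "score": 95, "recommendedAction": "AITM_MITIGATION"}}',
    "bot": '{"result": {"level": "HIGH", "score": 80, "recommendedAction": "BOT_MITIGATION"}}',
    "override": '{"result": {"level": "HIGH", "score": 100, "value": "blocked-ip-range"}}',
    "malformed": '{"result": {"level": "CRITICAL"}}',
}

if __name__ == "__main__":
    for name, raw in SAMPLE_EVALUATIONS.items():
        d = decide_json(raw)
        print(f"{name:10} -> {d.action:14} lock={d.lock_account}  {'; '.join(d.reasons)}")
```

The reasons list is what you would write to the audit log alongside the decision, so that a later review can see the level, score, override text, and recommended action that drove each outcome.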