The following diagram shows how PingOne Protect works.

A diagram showing how PingOne Protect works.
  1. The user initiates the flow.

    Possible types of user flows are access, authentication, authorization, registration, or transaction.

  2. PingOne Protect evaluates risk levels based on various data points, such as network, location, device hardware and settings, behavioral biometrics, and more.
  3. The PingOne Protect risk policy calculates the risk based on policy settings.
  4. PingOne Protect returns a detailed response that includes data about the event, the user and their device, predictor results, and the risk policy result.

    For more information, see Risk evaluations.


    You can use the PingOne API to configure and retrieve risk policies and evaluations. For more information, see the PingOne Protect API documentation.

    The policy result can include the following attributes:

    The response always returns this attribute. Values can be LOW, MEDIUM, and HIGH.
    The response always returns this attribute and includes the numeric score that the policy calculates. The score determines the risk level based on the policy threshold.
    The response might return this attribute based on the attack vector. This attribute enhances the risk level attribute and provides information on how the user flow should continue. Currently, the attribute only has one possible value: BOT_MITIGATION.
    The response might return this attribute. result.value is free text that you can add to a policy override. Override rules are not necessary in most cases, but you can use them in scenarios that require blocking a user (for example, known IPs that you want to block).

    To learn more about policy overrides, see Risk policies.

    To view an example full response, see the PingOne Protect API documentation.

  5. The risk policy makes a decision based on the response, and the user flow continues based on the decision.