February 2024 - PingOne - PingOne Cloud Platform

We’ve added support for the device authorization grant type, which you can use to enable users to authorize access to a protected resource on a device with limited user input capabilities, such as a smart TV, using a browser on a second device, such as a smartphone or computer.

For more information, see Device authorization and Editing an application - Device authorization.

To cover situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, the PingOne API now provides a request for resending the OTP. For details, see Resend Pairing OTP in the API documentation.

The user interface for configuring senders for email and SMS/voice has been updated to be more streamlined and intuitive.

When you generate a User Devices report, the report now include a field called fidoUserVerification, which indicates whether user verification has been performed successfully with a FIDO device during registration or authentication. For more information on user verification, see Adding a FIDO policy.

We've added the User Devices chart to the PingOne MFA dashboards. The User Devices chart is comprised of the following two charts (in the drill-down view):

• User Devices: view the number or percentage of devices used by the authentication method.
• App Version: view mobile applications by version.

You can filter the results by primary or secondary device, and OS version (Android or iOS).

For more information, see User devices and app version charts.

OIDC-based applications and custom resources in PingOne now support client secret JWT and private key JWT for token introspection endpoint authentication method. OIDC applications also now support asymmetric request object signing algorithms. You must provide either the JSON Web Key Set (JWKS) itself or the URL where PingOne can retrieve the JWKS to use private key JWT for authentication and for an OIDC application to send asymmetrically signed request objects.

For more information, see Token endpoint authentication methods, Editing an application, and Editing a resource.

To further enhance its ability to prevent account takeover, PingOne Protect now has a dedicated risk predictor to handle Adversary-in-the-Middle attacks.

AitM is a variant of Man-in-the-Middle attacks in which a malicious actor uses a reverse proxy to position themselves between a user and an online service in order to obtain user credentials and session tokens. This type of attack circumvents the protection usually provided by OTP-based multi-factor authentication, and of late has become a common technique in phishing attempts.

For details, see Configuring predictors and Risk Predictors in the API documentation.

For the individual charts included in the PingOne Protect dashboard (other than Risk Heat Map) the event details table now includes all risk evaluation events, even those where all the risk predictors in the policy indicated low risk.

The bot detection predictor is now taken into account when categorizing IPs as risky.

On the Risky IP chart, when you click View Details to see why an IP was categorized as high-risk, you may see bot detection given as a reason.

PingOne now supports outbound group provisioning. Use PingOne provisioning to sync groups along with its memberships out of PingOne to a connected software as a service (SaaS) application. For more information, see Outbound group provisioning.

With the new Gateway service, you can retrieve user profile information stored in on-premise and external LDAP directories, such as PingDirectory or Microsoft Active Directory, for use in authorization policies. User data is cached for improved performance. For more information, see Authorization services.