Multi-factor authentication

Multi-factor authentication (MFA) improves security by requiring your users to verify their identity in at least two ways to access PingOne for Enterprise. Usually, this is a combination of their username and password credentials combined with a biometric validation or one-time passcode (OTP) from email, a YubiKey, or the PingID mobile app.

You can configure MFA settings in the Setup > PingID menu. For more information, see Configure PingID authentication in the PingID documentation.

You can also separately configure MFA for administrative users at Setup > Authentication Policy. For more information, see Create or update an authentication policy.

Administrative role assignment

PingOne for Enterprise supports a number of different Administrative roles. When assigning administrative roles, you should follow the principle of least privilege, meaning that administrators have only as much access as they need to complete their job functions.

This practice reduces the impact of compromised accounts and reduces the likelihood of insider privilege abuse.

You should also conduct regular reviews of administrative access to determine whether each administrator still requires and actually uses the privileges they have, and whether they need a greater or lesser level of access. This also helps prevent privilege creep, the gradual accumulation of access rights beyond what an administrator needs to do their job.

For instructions on assigning administrative roles, see Assign administrative roles.

Signing algorithm selection

Every SAML assertion carries a digital signature so that the receiving party can verify that it came from the expected sender and was not altered. Stronger signing algorithms make these signatures harder to forge and so make SAML assertions more secure.

You should use signing algorithms of at least 256-bit strength. In most cases, PingOne for Enterprise uses 256-bit signing algorithms by default, but you can improve security further by selecting a stronger algorithm.
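As an added example (not Ping Identity code), the following Python script shows how a service provider can inspect which signing and digest algorithms a received SAML assertion declares and reject one that falls below the 256-bit bar. It only reads the algorithm URIs in the XML Signature element; it does not validate the signature itself, which your SAML library still has to do. The sample assertions are constructed, and the sets of acceptable algorithm URIs are the example's own assumption.

```python
"""Inspect the signing and digest algorithms declared in a SAML assertion.

Added example (not Ping Identity code): it checks the algorithm URIs only and
does not validate the signature itself. The sample XML is constructed.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Algorithm URIs whose digest is 256 bits or stronger (assumption for this example).
STRONG_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}
STRONG_DIGEST_METHODS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}


def assess_signature_algorithms(assertion_xml: str) -> dict:
    """Return the declared algorithms and whether both meet the 256-bit bar."""
    root = ET.fromstring(assertion_xml)
    sig_method = root.find(".//ds:SignatureMethod", NS)
    digest_method = root.find(".//ds:DigestMethod", NS)
    if sig_method is None or digest_method is None:
        # An unsigned assertion fails closed: there is nothing to trust.
        return {"signature_method": None, "digest_method": None, "strong": False}
    sig_uri = sig_method.get("Algorithm")
    digest_uri = digest_method.get("Algorithm")
    return {
        "signature_method": sig_uri,
        "digest_method": digest_uri,
        "strong": sig_uri in STRONG_SIGNATURE_METHODS and digest_uri in STRONG_DIGEST_METHODS,
    }


def sample_assertion(sig_uri: str, digest_uri: str) -> str:
    """Constructed minimal assertion skeleton; digest and signature values are placeholders."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="{DS}" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_uri}"/>
      <ds:Reference URI="#_example">
        <ds:DigestMethod Algorithm="{digest_uri}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""


# A SHA-1 signed assertion (should be rejected) and a SHA-256 signed one (acceptable).
WEAK_ASSERTION = sample_assertion(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1")
STRONG_ASSERTION = sample_assertion(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_ASSERTION), ("strong", STRONG_ASSERTION)):
        print(label, assess_signature_algorithms(doc))
```

Running the script prints the weak assertion as `strong: False` and the SHA-256 one as `strong: True`. In a real deployment this check belongs alongside, not instead of, cryptographic validation of the signature and its certificate.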

For more information, see the following:

Application management

Not all applications have the same risk profile. Some applications might contain more sensitive data or perform critical operations.

The following settings allow you to strengthen security for your more sensitive applications:

Session lifetime

Session lifetime is the length of time that PingOne for Enterprise caches a user's authenticated status and allows a user to access an application without contacting the identity provider (IdP) to re-validate the user.

The session idle timeout is the duration that an authenticated user's session can be idle before being signed out.

The values of these settings should depend on the sensitivity of the applications on the dock and on your users' activity patterns. If you have more sensitive applications, you should set a shorter session lifetime. If your users share computers or often leave computers unattended, you should set both a shorter session lifetime and a shorter idle timeout.

To configure the Maximum Session Lifetime and Session Idle Timeout, go to Setup > Dock > Configuration.
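To make the difference between the two settings concrete, here is an added Python example (not Ping Identity code) that models how a cached session is evaluated against a maximum lifetime and an idle timeout. The policy values and the login time are illustrative assumptions, not PingOne for Enterprise defaults. It shows the edge case the text implies: a user who stays continuously active still has to re-authenticate with the IdP once the maximum lifetime elapses, while a user who goes quiet is signed out by the idle timeout first.

```python
"""Evaluate a cached SSO session against a maximum lifetime and an idle timeout.

Added example (not Ping Identity code). The policy values are illustrative
assumptions, not PingOne for Enterprise defaults.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SessionPolicy:
    max_lifetime: timedelta   # absolute cap measured from the moment of authentication
    idle_timeout: timedelta   # allowed gap since the last user activity


# Illustrative policies: tighter values for a dock that holds sensitive applications.
GENERAL_POLICY = SessionPolicy(max_lifetime=timedelta(hours=8), idle_timeout=timedelta(minutes=30))
SENSITIVE_POLICY = SessionPolicy(max_lifetime=timedelta(hours=1), idle_timeout=timedelta(minutes=10))


@dataclass
class Session:
    authenticated_at: datetime
    last_activity_at: datetime


def session_state(session: Session, now: datetime, policy: SessionPolicy) -> str:
    """Return 'valid', 'expired_lifetime' or 'expired_idle'.

    The lifetime check comes first: a continuously active user still has to
    re-authenticate with the IdP once the maximum lifetime has elapsed.
    """
    if now - session.authenticated_at >= policy.max_lifetime:
        return "expired_lifetime"
    if now - session.last_activity_at >= policy.idle_timeout:
        return "expired_idle"
    return "valid"


def touch(session: Session, now: datetime, policy: SessionPolicy) -> bool:
    """Record activity only on a still-valid session; return whether access is allowed."""
    if session_state(session, now, policy) != "valid":
        return False
    session.last_activity_at = now
    return True


def walk_session(policy: SessionPolicy, activity_gaps: list) -> list:
    """Simulate a session that sees activity after each gap; return the outcome at each step."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed login time
    session = Session(authenticated_at=t0, last_activity_at=t0)
    now = t0
    outcomes = []
    for gap in activity_gaps:
        now += gap
        outcomes.append(session_state(session, now, policy))
        touch(session, now, policy)
    return outcomes


# Constructed activity pattern: steady use every 5 minutes, then a 35-minute pause.
DEMO_GAPS = [timedelta(minutes=5)] * 13 + [timedelta(minutes=35)]

if __name__ == "__main__":
    print("general  :", walk_session(GENERAL_POLICY, DEMO_GAPS))
    print("sensitive:", walk_session(SENSITIVE_POLICY, DEMO_GAPS))
```

With the constructed pattern, the general policy stays valid through the steady activity and only expires on idle after the 35-minute pause, whereas the sensitive policy cuts the session off at the one-hour lifetime even though the user was still active every five minutes.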

Reporting

Data breaches are commonly made worse by being undiscovered for weeks or even months. Some organizations don't discover breaches until they're alerted by third parties. That's why it's important to review security logs regularly.

PingOne for Enterprise audit logs are available at Dashboard > Reporting. In addition to the predefined reports, you can run custom reports that can help you detect unusual access activity.

Most report types are also available as Push or Poll subscriptions to a third-party service. You can then configure that service to alert you to suspicious event types. Subscriptions allow you to monitor PingOne for Enterprise activity on a regular basis without having to run manual reports. For more information, see Subscriptions.

The following are a few examples of how you can use custom report types:

  • Use the Administrator Login report to detect suspicious administrator access from unusual times, IP addresses, or browser agents.
  • Use the SSO report to detect unauthorized access to specific applications.
  • Use the Directory report to detect unexpected account creation in the PingOne for Enterprise Directory.
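As an added example (not Ping Identity code and not the actual PingOne report format), the following Python script applies the first bullet above to an exported administrator-login extract: it compares each successful login against a per-administrator baseline of known source IPs and browser agents and flags logins outside a business-hours window. The column layout, the baseline, the business-hours window and the log lines themselves are all constructed for the example.

```python
"""Flag suspicious administrator logins in an audit-log extract.

Added example (not Ping Identity code and not the PingOne report format): the
field layout, baseline and business-hours window are assumptions, and the log
lines are constructed.
"""
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed extract: timestamp (UTC), administrator, source IP, user agent, outcome.
AUDIT_LOG = """\
timestamp,admin,ip,user_agent,outcome
2024-03-04T09:12:05Z,alice@example.com,198.51.100.10,Mozilla/5.0 (Windows NT 10.0) Chrome/122,success
2024-03-04T13:40:31Z,bob@example.com,198.51.100.11,Mozilla/5.0 (Macintosh) Safari/17.3,success
2024-03-05T02:17:44Z,alice@example.com,203.0.113.77,curl/8.4.0,success
2024-03-05T10:03:12Z,bob@example.com,198.51.100.11,Mozilla/5.0 (Macintosh) Safari/17.3,failure
2024-03-05T10:03:40Z,bob@example.com,198.51.100.11,Mozilla/5.0 (Macintosh) Safari/17.3,success
"""

# Baseline of what is normal per administrator (assumed to be built from earlier reports).
BASELINE = {
    "alice@example.com": {"ips": {"198.51.100.10"},
                          "agents": {"Mozilla/5.0 (Windows NT 10.0) Chrome/122"}},
    "bob@example.com": {"ips": {"198.51.100.11"},
                        "agents": {"Mozilla/5.0 (Macintosh) Safari/17.3"}},
}
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00 to 17:59 UTC, an assumption for the example


def parse_log(text: str) -> list:
    """Parse the CSV extract and attach a timezone-aware datetime to each row."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["when"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    return rows


def find_suspicious_logins(rows: list, baseline: dict = BASELINE) -> list:
    """Return (timestamp, admin, reason) for successful logins that deviate from the baseline."""
    findings = []
    for row in rows:
        if row["outcome"] != "success":
            continue  # failed attempts belong to a separate brute-force check
        known = baseline.get(row["admin"])
        reasons = []
        if known is None:
            reasons.append("administrator not in baseline")
        else:
            if row["ip"] not in known["ips"]:
                reasons.append(f"new source IP {row['ip']}")
            if row["user_agent"] not in known["agents"]:
                reasons.append(f"new user agent {row['user_agent']!r}")
        if row["when"].hour not in BUSINESS_HOURS_UTC:
            reasons.append(f"outside business hours ({row['when'].strftime('%H:%M')} UTC)")
        for reason in reasons:
            findings.append((row["timestamp"], row["admin"], reason))
    return findings


if __name__ == "__main__":
    for timestamp, admin, reason in find_suspicious_logins(parse_log(AUDIT_LOG)):
        print(f"{timestamp} {admin}: {reason}")
```

On the constructed extract only the 02:17 UTC login by alice is flagged, for three reasons at once: a new source IP, a new user agent and a time outside business hours. A login that trips several of these checks together is a stronger signal than any one of them alone, which is why the script records each reason rather than a single boolean.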