What is the difference between Workforce and Customer environments?
Ping Identity provides strong authentication (MFA) oriented to either a Customer or Workforce environment. A Customer environment provides capabilities that enable you to secure authentication for your CIAM (Customer Identity and Access Management) use cases. A Workforce environment provides capabilities that enable you to secure authentication for your organization’s employees and contractors.
Customer identities and Workforce identities are licensed differently, and require separate PingOne environments.
Customer environment
In the Singapore geography, the environment type is determined by the license you select. Select the PingOne MFA service, and in the Create Environment window, make sure to select a Customer license.
Your organization’s customers or consumers are more likely to:
- Join from a wider and less predictable set of locations throughout the world.
- Use a wider set of devices and authentication methods.
- Tolerate less friction during enrollment and authentication.
A Customer environment enables you to provide a wider range of device types to accommodate your customers’ demographics and remove friction while maintaining security. A Customer environment also allows you to provide strong authentication as part of your mobile application using the PingOne MFA mobile SDK.
Workforce environment
Organizations are more likely to need to define more specific criteria for employee and contractor authentication and access to their systems. They are more likely to have more in-depth knowledge of:
- The authentication methods their employees are using.
- The devices that their employees typically use to authenticate. They can create policies based on information such as IP reputation and users authenticating from a new device.
Organizations can use a Workforce environment to:
- Assert control over the type of device and range of authentication methods that their employees can use.
- Choose to limit use of less secure authentication methods, such as SMS and voice authentication.
Variations between different geographies
Creating an environment
- In the Singapore geography, the environment type is determined by the license you select. Select the PingOne MFA service, and in the Create Environment window, make sure to select a Workforce license.
- In all other geographies, to create a Workforce environment, select the PingID service.
Registration and authentication policies
Singapore geography:
- Use a PingOne Protect policy to build robust and flexible authentication and registration policy rules using PingOne predictors.
  An MFA-only license provides a limited subset of predictors. A full PingOne Protect license allows you to use the full range of predictors, including behavioral predictors that learn typical behavior for your organization. Learn more in Risk policies.
All other geographies:
- For registration and authentication policies, either:
  - Use a PingOne Protect policy to build robust and flexible authentication and registration policy rules using PingOne predictors. If you have an MFA-only license, PingOne Protect provides a limited subset of predictors.
  Or
  - Use a PingID policy to provide more frictionless authentication experiences for trusted users, and require a step-up to MFA or block users authenticating in riskier scenarios.
  Learn more in Creating a risk policy for registration and authentication.
Integrations
- Singapore geography: Currently, only the RADIUS Gateway (VPN) integration is available in the Singapore geography. Other legacy PingID integrations aren’t available.
- All other geographies: A range of PingID integrations are available, including Windows login, Windows login passwordless, Mac login, RADIUS Gateway (VPN), and SSH.
In future versions, Ping Identity will provide a range of next-generation integrations, including Windows login, Windows login passwordless, Mac login, RADIUS Gateway (VPN), and SSH, that will also be available in the Singapore geography.
Learn more in Strong authentication (MFA) integrations.
Supported authentication methods
The following authentication methods are supported:
- Customer and Workforce environments: FIDO2, Authenticator app, Email, OATH Token, SMS, and Voice authentication. Mobile application integrated with the PingOne MFA SDK.
  For Workforce environments, a mobile application integrated with the PingOne MFA SDK is only available in the Singapore geography.
- Customer only: WhatsApp.
- Workforce only: PingID mobile application, PingID desktop application, YubiKey OTP.
Differences in policy usage
This section isn’t relevant for the Singapore geography because it doesn’t rely on the PingID service.
The PingID legacy admin console capabilities are being transitioned to the PingOne admin console. To maintain a full set of capabilities during the transition period, some settings for the PingID service are currently configured in PingOne, while others remain managed in the legacy PingID portal.
The following differences apply to PingID accounts that were migrated to PingOne:
- Default authentication policy: PingOne automatically creates a default authentication policy that includes the default MFA policy. Some of the MFA policy configuration options differ slightly from the equivalent settings in the legacy PingID admin console.
- Legacy PingID policy management: PingID authentication policy settings are still managed through the legacy PingID admin portal.