Risk policies
Risk policies determine how the various risk predictors are combined and how the aggregated risk score should be translated into a final risk level of low, medium, or high. Learn more about how risk policies work in Introduction to risk policies.
You can modify the default risk policy or create additional custom risk policies of your own. After you’ve defined risk policies, you can use them as part of the integration with PingFederate or PingOne Advanced Identity Cloud, or as part of a flow designed with PingOne DaVinci or the PingOne API.
Learn more about building risk policies in Adding a risk policy and Integrating PingOne Protect with user journeys.
Use the following sections for guidance when building and customizing a risk policy.
Which predictors should be included?
When you create a new risk policy, it includes the following subset of the predictor types that PingOne supports:
- Anonymous network detection
- Geovelocity anomaly
- IP reputation
- IP velocity
- New device
- User velocity
- User-based risk behavior
- User location anomaly
The scores assigned to the various predictors in the default risk policy are not uniform. The risk predictors that are not related to the detected IP are given a higher score because they are a better indication of serious risk.
You can also create custom risk predictors that analyze data that you provide. Learn more in Adding custom predictors.
The default risk policy includes a New Device predictor. To have this predictor included in the actual risk evaluation, your authentication flow must provide information that can be used to identify individual devices. The best way to do this is to bring the information from the PingOne Signals (Protect) SDK. Alternatively, you can provide a persistent cookie as input.
Do you want to use the default predictors included in a risk policy or customize them?
Learn more in Configuring predictors.
How do you want each predictor to affect the overall risk score?
To combine the predictors, use Scores to specify an exact numerical score that should be assigned when PingOne Protect determines a medium or high risk level for a predictor.
How should the calculated risk score be mapped to a final risk level?
Controls are provided on the Risk Policies page to map the aggregated risk score to the three categories that represent the final result of the risk analysis: low, medium, and high.
Do you need overrides?
You can define overrides that assign a specific final risk level (low, medium, or high) based on a specific criterion, regardless of what the overall calculated risk score was. For example, you can define an override that states that if a geovelocity anomaly is detected, the final risk evaluation should always be high.
If you enter text in the Notes field for overrides, the text is returned in the risk evaluation response.
Do you need mitigations?
You can configure mitigations in a risk policy to define custom recommended actions to be included in the risk evaluation response if a given condition is met. For example, you can configure a mitigation rule to recommend denying access if the email reputation predictor returns high risk. You must then translate the recommended action into an action in your user flow.
If you enter text in the Notes field for mitigations, the text is returned in the risk evaluation response.
Which policy type should you use?
There are two types of risk policies:
- Global: Allows you to configure predictor scores, risk thresholds to map the scores to a risk level, and overrides or mitigations that take priority over the scores and levels. When using a global risk policy, you must choose which risk policy to pass to the risk evaluation. If no risk policy is specified, the default risk policy is used.
- Targeted: Allows you to choose flow types, applications, and user groups to which the risk policy will apply in addition to configuring predictor scores, risk thresholds to map the scores to a risk level, and mitigations. When using targeted policies, you’re passing multiple risk policies to the risk evaluation and allowing PingOne Protect to choose the applicable policy based on the defined criteria. During risk evaluations, policies are processed in the order displayed in the Targeted Policies list. Processing stops when the target criteria for a policy are met.
Learn more in Adding a risk policy.
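The following Python sketch is an added example, not PingOne Protect code or its API. It models how scores, thresholds, and overrides produce a final level, and how first-match ordering of targeted policies can leave a stricter policy unreachable. Summing the scores, the data layout, and every name, score, and threshold are assumptions made for illustration.

```python
# Simplified model of risk policy evaluation; not PingOne Protect's implementation.
# Assumptions: scores are summed; every name, score and threshold is constructed.

def final_level(policy, predictor_levels):
    """Map per-predictor levels to (final level, reason) under one policy."""
    # An override fixes the final level regardless of the calculated score.
    for predictor, when, result in policy.get("overrides", []):
        if predictor_levels.get(predictor) == when:
            return result, f"override:{predictor}"
    # A predictor contributes its configured score only at MEDIUM or HIGH.
    score = sum(policy["scores"].get(name, {}).get(level, 0)
                for name, level in predictor_levels.items())
    for level in ("HIGH", "MEDIUM"):
        if score >= policy["thresholds"][level]:
            return level, f"score:{score}"
    return "LOW", f"score:{score}"

def matches(policy, context):
    return all(context.get(k) in allowed for k, allowed in policy["target"].items())

def evaluate(policies, context, predictor_levels):
    """Targeted policies: first match in list order wins, then processing stops."""
    for policy in policies:
        if matches(policy, context):
            return (policy["name"], *final_level(policy, predictor_levels))
    return None

def shadowed(policies):
    """Names of policies that can never be selected because an earlier policy
    with equal or broader target criteria always matches first."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(k in later["target"] and later["target"][k] <= allowed
                   for k, allowed in earlier["target"].items()):
                out.append(later["name"])
                break
    return out

SCORES = {"newDevice": {"MEDIUM": 20, "HIGH": 40},
          "geovelocity": {"MEDIUM": 30, "HIGH": 50}}
BROAD = {"name": "all-authentication", "scores": SCORES,
         "target": {"flow_type": {"AUTHENTICATION"}},
         "thresholds": {"MEDIUM": 40, "HIGH": 75}}
STRICT = {"name": "admin-console", "scores": SCORES,
          "target": {"flow_type": {"AUTHENTICATION"}, "application": {"admin-console"}},
          "thresholds": {"MEDIUM": 20, "HIGH": 40}}
GLOBAL = {"scores": SCORES, "thresholds": {"MEDIUM": 40, "HIGH": 75},
          "overrides": [("geovelocity", "HIGH", "HIGH")]}
CONTEXT = {"flow_type": "AUTHENTICATION", "application": "admin-console"}
```

With the broad policy listed first, a new-device sign-on to the constructed admin application is rated MEDIUM by the broad thresholds; listing the stricter policy first rates the same evaluation HIGH, and `shadowed` reports the ordering problem before it reaches production.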
What type of flow is this risk policy for?
Flow types categorize the user interaction being evaluated. The following table lists the most common flow types and what predictors to add to those policies to best align with the flow purpose:
| Flow type | Description | Predictors |
|---|---|---|
| Registration | Initial creation of an account | Focus on new account fraud: |
| Authentication | Standard authentication for sign-on | Focus on returning-user sign-ons: |
| Transaction | Sensitive transactions, such as profile changes, monetary transactions, or account linking | Use the same predictors as the authentication flow type but define them separately to improve audit and reporting clarity. |
For integrations with PingOne Authorize, PingAuthorize, and PingAccess, additional flow types are available. Learn more in Adding a risk policy and Risk Evaluations in the PingOne Protect API documentation.
Best practices for risk policies
When you’re first starting out with risk policies, you should use the Risk Policy Assistant, which generates risk policies that match your organization’s needs. Based on your responses to a number of questions, it creates a new policy and assigns different scores to the various predictors to maximize the accuracy of your risk evaluations. To launch the Risk Policy Assistant, click Assistant on the Risk Policies page.