Risk policies for MFA-only licenses (limited access)
This feature is available as part of a limited access release to PingID administrators who created a new PingOne environment with PingID enabled, or migrated their PingID account to PingOne. To enroll in the limited access release, contact your Ping Identity representative.
PingOne Protect provides a range of predictors to enable you to build a robust and flexible risk policy. Predictors in PingOne have a similar function to legacy PingID policy rules.
If you don’t have a PingOne Protect license, you can create a risk policy with a limited subset of the predictors. This section outlines the differences in how a risk policy works with an MFA-only license and lists the predictors that you can use.
If you are interested in upgrading to a PingOne Protect license to take advantage of the full PingOne Protect offering, contact your Ping Identity representative.
Creating a risk policy with an MFA-only license is possible only for MFA workforce (PingID) environments.
How does a risk policy differ with an MFA-only license?
- Only a limited subset of the PingOne Protect predictors is available.
- You can only create a targeted risk policy and apply it to an authentication flow.
- Within a risk policy:
  - You can only apply the risk policy to the authentication flow target. In PingOne Protect, you can also apply a targeted risk policy to registration, authorization, access, and transaction flows.
  - Each predictor functions as a separate recommended action that you can add to the risk policy mitigations list.
  - Unlike PingOne Protect, the policy doesn’t return a single risk level. Instead, PingOne considers each predictor separately, in the order in which it appears in the Mitigations list, and returns a single score for the relevant predictor. You can change the order in which a predictor appears in the Mitigations list.
- If you configure more than one risk policy, PingOne considers each risk policy in the order that it appears in the Risk Policies list. This behavior is the same as that of PingOne Protect targeted risk policies.
Learn more about risk policies with a full PingOne Protect license in Adding a risk policy.
Which predictors are supported?
With an MFA-only license, the following predictors are supported:
- Geovelocity anomaly
- IP reputation
- Anonymous network
- PingID device trust
- New device
- Composite predictor: Combine several risk predictors and factors into a single predictor. With an MFA-only license, additional risk factors are limited to country and IP range.
Learn more about configuring risk predictors in Predictors.
Can I reconstruct legacy PingID policy rules in PingOne?
If you integrated a PingID account with PingOne that was previously managed by the legacy PingID admin portal, and want to recreate PingID policy rules in PingOne, you can do so using PingOne predictors. Learn more in Using predictors to recreate legacy PingID policy rules (limited access).
How do I create a risk policy if I have an MFA-only license?
- Before you begin, you must create and configure any MFA policies and predictors you want to reference within the risk policy.
- Risk policies work slightly differently if you don’t have a full PingOne Protect license.
You can find more details and step-by-step instructions in Creating a risk policy with an MFA-only license (limited access).