PingOne Platform APIs

Sensitive data exposure

What PingOne does to prevent secret or sensitive data exposure:

  • Passwords are securely hashed using industry-standard algorithms, with proper salting. This ensures that even if password hashes are leaked, they cannot be easily reversed or cracked by attackers, as long as you maintain our recommended password policies, particularly regarding password length (shorter passwords are less resistant to brute-force attacks). For more information, refer to Password encoding.

  • All sensitive data, including credentials, is encrypted using strong cryptographic algorithms when stored at rest. This prevents attackers from accessing such information even if they manage to breach the system’s storage.

  • All data, including credentials, transmitted between the user’s device and PingOne services is encrypted using Transport Layer Security (TLS). This prevents credentials or other sensitive data from being intercepted by attackers during transmission.

What you can do to prevent secret or sensitive data exposure:

  • Implement Single Sign-On (SSO) for your applications using PingOne. This reduces the need for users to manage multiple sets of credentials across various applications. With SSO, users authenticate once, limiting the number of login prompts and reducing the risk of password leakage across different platforms. For more information, refer to Authentication flow states.

  • Use role-based access control (RBAC) within PingOne to restrict access to sensitive data based on the user’s role within the organization. Only authorized users should have access to sensitive information, and permissions should be granted based on the principle of least privilege. For more information refer to Roles, scopes, and permissions.

  • Use phishing-resistant authentication methods like FIDO2 and WebAuthn (both supported by PingOne) to eliminate the need for passwords by using public-key cryptography and hardware-based authentication tokens. This removes the risk of credential leakage entirely, as there are no passwords to steal or leak. For more information, refer to Multi-factor (MFA) action and FIDO Policies.

  • Implement detailed logging of access to sensitive data, including who accessed it, when, and from where. This provides an audit trail that can be reviewed in the event of a data exposure incident. For more information, refer to Audit Activities.