But PingOne controls can drift as sign-on policies, password policies, FIDO settings, application configurations, external IdPs, and admin access settings change over time.

Reach analyzes Sign-On Policies and admin access settings to identify risky changes such as [Single_Factor] becoming the default policy or [mfaStatus] changing from [ENFORCE] to [OPTIONAL]. This helps prevent username-and-password-only access and reduces the risk of compromised credentials reaching administrative functions.

Reach detects drift in Password Policies, FIDO Policies, and Device Authentication Policies, including weak default password policies, downgraded passkey verification, or SMS-based MFA being enabled. This helps maintain stronger authentication assurance and reduce exposure to SIM-swapping, weak passwords, and bypassed biometric or PIN verification.

Reach analyzes application settings such as [pkceEnforcement], token endpoint authentication, and native app configurations to identify weakened OAuth and OIDC protections. By restoring stronger PKCE and application security controls, Reach helps reduce authorization code interception and token abuse risk.

Reach monitors Identity Provider settings and Alert Channels for drift, including unsigned SAML authentication requests or removed [RISK_CONFIGURATION] and [SUSPICIOUS_TRAFFIC] alert types. This helps preserve federated identity trust and ensures security teams remain aware of risky configuration changes and suspicious activity.
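
The kinds of drift described in the paragraphs above can be illustrated by comparing a known-good snapshot of settings with a later one. This is an added example, not Reach's or Ping Identity's code: the flat snapshot layout, the key paths, the names defaultPolicy, signAuthnRequest and alertTypes, and the strength ordering are assumptions, and both snapshots are constructed.

```python
# Constructed snapshots of PingOne settings. The flat key layout and the names
# defaultPolicy / signAuthnRequest / alertTypes are hypothetical, not the API schema.
BASELINE = {
    "signOnPolicy.defaultPolicy": "Multi_Factor",
    "adminAccess.mfaStatus": "ENFORCE",
    "application.payroll.pkceEnforcement": "REQUIRED",
    "identityProvider.corp.signAuthnRequest": True,
    "alertChannel.secops.alertTypes": ["RISK_CONFIGURATION", "SUSPICIOUS_TRAFFIC"],
}
CURRENT = {
    "signOnPolicy.defaultPolicy": "Single_Factor",
    "adminAccess.mfaStatus": "OPTIONAL",
    "application.payroll.pkceEnforcement": "S256_REQUIRED",  # strengthened, not drift
    "identityProvider.corp.signAuthnRequest": False,
    "alertChannel.secops.alertTypes": ["SUSPICIOUS_TRAFFIC"],
}

# Enumerated values ordered weakest to strongest (assumed ordering).
RANK = {
    "defaultPolicy": ["Single_Factor", "Multi_Factor"],
    "mfaStatus": ["OPTIONAL", "ENFORCE"],
    "pkceEnforcement": ["OPTIONAL", "REQUIRED", "S256_REQUIRED"],
}

def strength(field, value):
    """Rank of an enumerated value; unknown values rank lowest so they get flagged."""
    order = RANK[field]
    return order.index(value) if value in order else -1

def find_drift(baseline, current):
    """Return (key, reason) pairs where current is weaker than baseline."""
    findings = []
    for key, old in baseline.items():
        new, field = current.get(key), key.rsplit(".", 1)[-1]
        if new is None:
            findings.append((key, "missing from current snapshot"))
        elif isinstance(old, list):
            removed = sorted(set(old) - set(new))
            if removed:
                findings.append((key, "removed: " + ", ".join(removed)))
        elif isinstance(old, bool):
            if old and not new:
                findings.append((key, "disabled"))
        elif field in RANK and strength(field, new) < strength(field, old):
            findings.append((key, f"{old} -> {new}"))
    return findings

if __name__ == "__main__":
    for key, reason in find_drift(BASELINE, CURRENT):
        print(f"DRIFT {key}: {reason}")
```

Only weakening changes are reported, so the PKCE upgrade in the sample produces no finding while the other four settings do.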
