Back

PingOne Advanced Identity Cloud

CIAM

Read Docs
OVERVIEW

Consumer account takeover (ATO) starts with credentials attackers already have. The SpyCloud Auth Node for PingOne Advanced Identity Cloud and PingAM brings credential exposure intelligence natively into your consumer authentication journeys — checking whether a user’s credentials have been exposed at login, registration, or password change, and routing automatically to the right response before authentication completes. No custom development required.

The SpyCloud Auth Node is a native Journey Node for PingOne Advanced Identity Cloud and PingAM. Drag it into any existing journey at the point where you want the exposure check to occur, typically after credentials are collected. The node reads the user identifier from the shared state, queries the SpyCloud Consumer Threat Protection API, and returns one of three outcomes: Compromised, Not Compromised, or Error. Each outcome branches the journey to your configured response — step-up MFA, forced password reset, access block, or fraud team alert — with no manual intervention required.

BENEFITS
  • Stop consumer ATO before it starts
    catch exposed credentials before authentication completes, not after an attacker is already in
  • Apply friction only when exposure is confirmed
    step-up MFA and password resets trigger on real risk, keeping the experience smooth for legitimate users
  • Configure proportionate responses by risk level
    step-up MFA, forced password reset, access block, or SOC alert
  • Deploy into existing PingOne AIC or PingAM journeys
    no development sprint required
  • Get ahead of the threat
    SpyCloud recaptures identity data from the criminal underground weeks to months before it surfaces publicly
HOW IT WORKS

Where the SpyCloud Auth Node is placed, the node reads a user identifier from the journey’s shared state — typically the user’s email address — and sends it to the SpyCloud Consumer Threat Protection API. SpyCloud checks the identifier against its recaptured database and returns a result indicating whether the user’s credentials have been exposed. The node returns three possible outcomes:

  • Compromised: A matching exposed password was detected
  • Not Compromised: No exposed credentials detected
  • Error: An error occurred during the API call — review logs for details
Each outcome maps to a separate branch in the authentication journey, giving administrators full control over what happens next.