Overview
In addition to the usual bug fixes and improvements, this version introduces many new features and mechanisms that improve functionality and security.
Highlights
New features & improvements:
Administrative improvements:
The latest FIDO 2.1 support has been added. Administrators can now configure minimum PIN length validation for enrolment and authentication (FIDO passkeys, FIDO, authentication flows, security)
Administrators can now enable/disable all authenticators. Once a registered authenticator is disabled, it is no longer available in the login flows, with one notable exception: FIDO and OTP authenticators, which can consist of multiple devices or instances. For example, if one FIDO key is blocked but the user has others registered, the FIDO authentication method remains available because of the remaining enabled authenticators of the same type. The same mechanism applies to OTP. (Lifecycle Management, authentication flows, security)
OIDC support for Admin Manager continues to evolve towards complete flow support (authentication flows, SSO)
Added support for Oracle Access Manager as a plugin for Veridium Manager authentications
Added a dedicated page for dormant devices at Admin / Devices tab / “Deprovisioned devices” link in the right panel
Added information about account and device history in the Administrators, Devices and Identity areas (administration)
Action Logs raw data (i.e. from audited sessions) can now be stripped of sensitive information by defining the censored parameters in action-logs.json (administration, security)
Improved TOTP configuration and synchronization to allow continuous operation when the validity period, algorithm or code length changes. In addition, adoption of the new configuration is visible in statistics and reports, and a migration deadline can be set. (Auth flows, Policy flows, Secure PIN code, Mobile auth)
Improved keystore handling for SAML Admin and SSP: admins can now upload a keystore either as a file with its passwords and aliases, or by supplying certificate content directly (security, self-help portal)
Improved the new enrolment flow by ensuring that new users comply with all policy-mandated authenticators. All new users must now complete every mandatory step of the enrolment process to ensure compliance with the configured policies. The enrolment tracker in Admin monitors and records the completion of each mandatory step.
As an example, PIN is now enforced as the first authenticator to be enrolled if it is set to “true” or “optional” in Policy (security, policy flows, auth flows)
Added a new orchestrator condition to mark whether FIDO was used in the session (policy flows, auth flows)
Vastly improved the Statistics part of the product by introducing more detailed graphs and better filtering and control options in the following areas: Statistics, Tools / Access Logs, Application Logs, Main Dashboard. (administration, server side)
Improved the readability of reports when they are opened in Excel (Windows) (administration)
Added the “Identity” column in the FIDO report, so an admin can easily track the identity attached to a FIDO device (administration, FIDO)
Administrators are now notified via a UI message if email or SMS is selected for renewal but is not available (configured) (administration)
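The Action Logs item above describes stripping sensitive parameters from raw audited-session data according to a list defined in action-logs.json. The following is an added example, not Veridium's own code: the configuration key name "censoredParameters", the sample record and the mask value are all constructed assumptions, since the page does not show the file format. It redacts matching keys at any nesting depth and also inside form-encoded request bodies, and leaves the input record untouched.

```python
import json
from urllib.parse import parse_qsl, quote_plus

# Constructed stand-in for action-logs.json: the real file format is not shown
# on the release notes page, so the key name "censoredParameters" is an assumption.
ACTION_LOGS_CONFIG = json.loads("""
{
  "censoredParameters": ["password", "pin", "otp", "sessionToken"]
}
""")

MASK = "REDACTED"


def _censor_form_string(text, censored):
    """Mask censored keys inside an application/x-www-form-urlencoded string
    such as "user=alice&otp=123456". Strings that are not made entirely of
    key=value pairs are returned unchanged."""
    parts = text.split("&")
    if not text or any("=" not in part for part in parts):
        return text
    pairs = parse_qsl(text, keep_blank_values=True)
    return "&".join(
        f"{quote_plus(k)}={MASK if k.lower() in censored else quote_plus(v)}"
        for k, v in pairs
    )


def _censor(value, censored):
    """Recursively mask censored parameters at any nesting depth.
    Key matching is case-insensitive; lists are walked element by element.
    A new structure is built, so the caller's record is never modified."""
    if isinstance(value, dict):
        return {
            k: MASK if k.lower() in censored else _censor(v, censored)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [_censor(v, censored) for v in value]
    if isinstance(value, str):
        return _censor_form_string(value, censored)
    return value


def censor_action_log(record, config=ACTION_LOGS_CONFIG):
    """Return a redacted copy of one raw action-log record."""
    censored = {name.lower() for name in config["censoredParameters"]}
    return _censor(record, censored)


# Constructed sample record resembling raw data from an audited session.
SAMPLE_RECORD = {
    "user": "alice",
    "ip": "203.0.113.5",
    "pin": "1234",
    "requestBody": "user=alice&otp=987654",
    "steps": [{"type": "password", "password": "hunter2", "ok": True}],
}

if __name__ == "__main__":
    print(json.dumps(censor_action_log(SAMPLE_RECORD), indent=2))
```

Redaction is applied before the record is persisted or exported, so the stored audit trail never contains the secret even if the log store itself is later exposed; key matching is case-insensitive so that "PIN" and "pin" are treated alike.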
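The TOTP item above describes continuing to accept codes while the validity period, algorithm or code length changes, with a migration deadline and adoption counts for reporting. The following is an added example of that idea, not Veridium's implementation: the two configurations, the deadline and the secret (the RFC 6238 test secret) are constructed assumptions. Codes are checked against the new configuration first and against the old one only until the deadline, and each success is attributed to the configuration that matched.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, algorithm="sha1", digits=6):
    """RFC 4226 HOTP with a configurable HMAC hash and code length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, cfg):
    """RFC 6238 TOTP for a configuration dict with keys algorithm, digits, period."""
    return hotp(secret, int(at // cfg["period"]), cfg["algorithm"], cfg["digits"])


class TotpMigrationVerifier:
    """Accepts codes under the new configuration, and under the old one until
    the migration deadline, recording which configuration each success used."""

    def __init__(self, old_cfg, new_cfg, deadline, clock=time.time, skew=1):
        self.old_cfg, self.new_cfg, self.deadline = old_cfg, new_cfg, deadline
        self.clock, self.skew = clock, skew  # clock is injectable for tests
        self.stats = {"new": 0, "old": 0}    # feeds adoption statistics and reports

    def verify(self, secret, code):
        """Return "new" or "old" for the configuration that matched, else None."""
        now = self.clock()
        candidates = [("new", self.new_cfg)]
        if now < self.deadline:
            candidates.append(("old", self.old_cfg))
        for label, cfg in candidates:
            if len(code) != cfg["digits"]:
                continue  # a code of the wrong length cannot belong to this config
            step = int(now // cfg["period"])
            for delta in range(-self.skew, self.skew + 1):  # tolerate clock drift
                expected = hotp(secret, step + delta, cfg["algorithm"], cfg["digits"])
                if hmac.compare_digest(expected, code):
                    self.stats[label] += 1
                    return label
        return None


# Constructed assumptions: an old SHA-1/8-digit profile being migrated to a
# SHA-256/6-digit profile, a deadline expressed as a Unix timestamp, and the
# RFC 6238 test secret.
OLD_CFG = {"algorithm": "sha1", "digits": 8, "period": 30}
NEW_CFG = {"algorithm": "sha256", "digits": 6, "period": 30}
MIGRATION_DEADLINE = 1000
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpMigrationVerifier(OLD_CFG, NEW_CFG, MIGRATION_DEADLINE, clock=lambda: 59)
    print(verifier.verify(SECRET, "94287082"), verifier.stats)
```

Once the deadline passes, the old profile is simply dropped from the candidate list, so devices that never synchronized to the new configuration stop authenticating instead of silently keeping a weaker profile alive; the stats dictionary is what a report would read to show how many users have adopted the new configuration.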
Server-side improvements:
Added an ETag mechanism for translations: the i18n files are now only downloaded when they differ between server and client, instead of on every API call (server side)
A new DDoS and brute-force defense mechanism is implemented at the application layer to mitigate the risk of brute-force attacks. After a certain number of failed authentication/enrolment attempts, the application layer automatically blocks further attempts from the same combination of user and IP. This proactive approach prevents malicious actors from repeatedly attempting to gain unauthorized access to the application by rapidly trying different combinations of credentials. (security, auth flows, user session integrity, identity assurance)
Added support for Lost Mode functionality in RADIUS authentication flows (administration, user experience, security, authentication flows)
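The ETag item above describes downloading the i18n files only when they changed. The following is an added example of that conditional-request exchange with both sides present, not Veridium's own code: the bundle contents and the locale name are constructed. The server derives a strong ETag from the bundle, the client stores it and revalidates with If-None-Match, and only a changed bundle costs a full download.

```python
import hashlib
import json


class TranslationServer:
    """Serves i18n bundles and answers conditional GETs with a strong ETag
    derived from the bundle content, so an unchanged bundle costs a 304."""

    def __init__(self, bundles):
        self.bundles = bundles  # locale -> dict of translation strings

    def _body(self, locale):
        return json.dumps(self.bundles[locale], sort_keys=True)

    def etag_for(self, locale):
        digest = hashlib.sha256(self._body(locale).encode()).hexdigest()
        return f'"{digest[:16]}"'

    def get(self, locale, if_none_match=None):
        """Return (status, headers, body); body is None on 304."""
        etag = self.etag_for(locale)
        if if_none_match is not None:
            offered = [tag.strip() for tag in if_none_match.split(",")]
            if "*" in offered or etag in offered:
                return 304, {"ETag": etag}, None
        return 200, {"ETag": etag}, self._body(locale)


class TranslationClient:
    """Caches each bundle with its ETag and revalidates with If-None-Match."""

    def __init__(self, server):
        self.server = server
        self.cache = {}  # locale -> (etag, body)
        self.bytes_downloaded = 0

    def fetch(self, locale):
        """Return (status, body); a 304 answer is served from the local cache."""
        cached = self.cache.get(locale)
        status, headers, body = self.server.get(locale, cached[0] if cached else None)
        if status == 304:
            return status, cached[1]  # server confirmed our copy is current
        self.cache[locale] = (headers["ETag"], body)
        self.bytes_downloaded += len(body)
        return status, body


def simulate():
    """Three client calls: initial download, unchanged revalidation, changed bundle."""
    server = TranslationServer({"en": {"login.button": "Log in"}})  # constructed bundle
    client = TranslationClient(server)
    statuses = []
    for change in (False, False, True):
        if change:
            server.bundles["en"]["login.button"] = "Sign in"
        status, _ = client.fetch("en")
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(simulate())
```

The ETag is computed over a canonical serialization (sorted keys) so that two servers behind a load balancer produce the same tag for the same bundle; otherwise clients would re-download on every node switch.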
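The brute-force defense item above blocks further attempts from a user and IP combination after a number of failures. The following is an added example of such an application-layer limiter, not Veridium's own implementation: the thresholds, window and lockout duration are constructed assumptions and the clock is injected so the behaviour can be checked without waiting. Failures are counted in a sliding window per (user, IP) pair, the lockout check runs before the credential check, and the block expires on its own.

```python
import time
from collections import defaultdict, deque


class FailedAttemptLimiter:
    """Application-layer lockout keyed on the (user, ip) pair: after
    max_failures failures inside window_seconds, further attempts from that
    pair are blocked for lockout_seconds. Keying on both values means one
    attacking IP cannot lock a user out everywhere, and one user's typos
    do not block a shared IP for everyone else."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock  # injectable for tests
        self.failures = defaultdict(deque)  # (user, ip) -> timestamps of failures
        self.blocked_until = {}             # (user, ip) -> deadline on the clock

    def is_blocked(self, user, ip):
        key, now = (user, ip), self.clock()
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout expired: forget the block and the failures that caused it.
        del self.blocked_until[key]
        self.failures.pop(key, None)
        return False

    def record_failure(self, user, ip):
        """Record one failed attempt; return True if this failure triggered a block."""
        key, now = (user, ip), self.clock()
        stamps = self.failures[key]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()  # drop failures that fell out of the sliding window
        if len(stamps) >= self.max_failures:
            self.blocked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, user, ip):
        self.failures.pop((user, ip), None)


def attempt(limiter, user, ip, credentials_ok):
    """Authentication entry point: the lockout check runs before the
    credential check, so a blocked pair cannot even exercise the verifier."""
    if limiter.is_blocked(user, ip):
        return "blocked"
    if credentials_ok:
        limiter.record_success(user, ip)
        return "ok"
    limiter.record_failure(user, ip)
    return "failed"


if __name__ == "__main__":
    limiter = FailedAttemptLimiter(max_failures=3, window_seconds=60, lockout_seconds=120)
    for _ in range(4):
        print(attempt(limiter, "alice", "203.0.113.5", False))
```

In a deployment the moment record_failure returns True is the event worth logging and alerting on, since a burst of blocks across many users from one IP, or across many IPs for one user, is what distinguishes a spraying campaign from ordinary typos.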
Authentication enhancements:
Improved enrolment flows to provide a seamless user experience. The enrolment tracker now offers a user-friendly interface that guides users through each step with clear instructions and feedback. It also includes a more robust user autonomy concept: the user is free to enter and exit the enrolment process at any point. (enrolment flows)
Lost Mode can now be activated by administrators either temporarily (it deactivates after a set time and the blocked device becomes available again) or permanently (the device remains blocked after the lost mode code expires). (administration, user experience, security, authentication flows)
Windows Components:
Improved protection of SSO Tokens (SAML or OIDC) in correlation with Windows login and browser user session. (security, auth flows)
Added support for certificate authentication
Allow users to authenticate using a password when the user is not yet onboarded to Veridium. To enable this feature, set the registry key AllowPasswordAuthForNonOnboardedUsers:DWORD=1
Added support for the new PIN length change campaign functionality.
The QR code can be automatically renewed when AutoRefreshQR:DWORD=1 is set.
There is an option for RDP to enforce the use of Veridium CP for incoming authentication calls.
Mobile Components:
Certificate authentication using a mobile device's USB/Lightning port for key connections is now supported, in addition to the NFC PIV support introduced in version 3.6. (authentication methods, auth flows, mobile)
Improved the iOS location mechanism to offer more retry opportunities and a more graceful failure when the location is not available (mobile, authentication, iOS)
Added iOS widget support (mobile, iOS)
Bug fixes:
Server & Administrative:
Fixed a bug that caused an error if the lost mode code was more than 8 characters long and a device was marked as lost (user device management)
Fixed a bug that allowed the SSP link to be extracted from contextHtmlElements even if the “Hide SSP” option was enabled in Admin (security, SSO, SSP)
Fixed a bug that caused an error in the first enrolment step if the Enrolment Step Type was changed from “Form” to another type (user enrol)
Fixed a bug that caused the SMS Service Phone Numbers to appear twice in sms.json (administration, server)
Fixed a bug where the code validation receiver mechanism did not fall back to other options if the first one was not available for the user (for example, users with no phone number registered)
Fixed a bug where invitation codes configured to expire by usage could still be used after their lifetime was exceeded (administration, enrolment)
Fixed a bug where VoiceGate enrollment did not work correctly for a second profile added to an account
Fixed a bug that affected the calculation of certificate validity in the dashboard (administration)
Fixed a bug that caused some old/expired devices to be inaccessible after multiple server upgrades. They can now be viewed and deleted as expected. (administration)
OTP authentications previously reported the browser, instead of the phone, as the authenticator device. The phone is now displayed.
Also, in multistep journeys the authenticator device was overwritten by each step performed. The first authenticator now remains the one displayed. (administration)
Fixed a bug that caused the SPNEGO enabled/disabled states to be saved incorrectly (authentication flows)
Fixed a bug in the cmd_certificate_mobile orchestrator command, introduced in the previous version, that caused the PUSH option to be displayed even for accounts with no mobile devices enrolled. (SSP, authentication flows, orchestrator)
Fixed a bug in authenticatorDeviceContext that caused improper data population (IP missing) for the first authentication challenge. (orchestrator, authentication flows, server)
Fixed a bug that displayed the SSP URL in base64 in contextHtmlElements even if the “Hide SSP” option was enabled in Admin for the application. (security, server)
Fixed a bug that prevented lost mode activation for a device if the lost mode code was longer than 8 characters (administration)
Fixed a UI bug in the Orchestrator section that caused the interface to ask for “Save” even if no changes were made (administration)
Fixed a bug where changes to a user's authentication method policies were not reflected in the authentication flow (administration, server, authentication flows)
Fixed a bug affecting expired Active Directory users during authentication. Expired users are now shown a relevant error message (SSP, administration)
Fixed a bug where FIDO authentication device details were incorrect in Session Details (FIDO, administration)
Fixed a bug where, with “Delegate” FIDO set for SSP, the same FIDO token could be enrolled multiple times under the same identity. (FIDO, security, enrolment)
Windows Components:
Fixed an issue in Credential Provider where users could log in using the Yubico OTP authentication method even if the User PIN provided was incorrect (user auth, policy, security)
Fixed a bug in Credential Provider that caused the QR code to freeze when the QR Offline authentication method was used in the Shell Extension (user auth)
Fixed the bug where a user could not mix offline authentication types (QR Offline and FIDO Offline)
Fixed a bug that caused Offline QR authentications not to be counted against the maximum retry parameter value.
QR Offline sessions are now correctly shown on Veridium Server once the user is online again.
The “See Text” button is now also available in the Password change form
The session expired feature is now also available in External token authentication
The box for the lost code input is now cleared after a failed authentication
Fixed an issue where the “Skip” button in the PIN change campaign did not allow the user to authenticate afterwards.
Mobile Components:
Fixed an iOS bug that caused visual desynchronization between the countdown pie and the actual generation of a new OTP code (user experience)
Fixed an edge-case scenario where the location was not acquired during authentication (authentication flows, user experience)
Fixed a bug that caused the mobile version enforcement messages not to be translated correctly in authentication and enrollment flows (user experience)
Fixed a crash on iPads when debug logs were exported (user experience, hardware support)
RADIUS authentication flows now support the “expiring PIN” notification on mobile apps. (authentication flows, user experience)
Firebase Push Notification mechanism has been updated from the legacy version (deprecated in July 2024) to HTTP v1.