v1.49.0 - March 5, 2025
High-Risk Update: OTP Endpoint Delivery Logic Update
This update modifies OTP endpoints, impacting how mobile numbers are selected for OTP delivery. Misconfigurations may cause OTP failures or other system issues. Please report any issues immediately to ensure platform stability.
Highlights
This release includes key updates to enhance security, usability, and platform consistency:
- Enhanced Authentication and 2FA Controls: Improved OTP delivery for two-step mobile numbers, introduced a public API for TOTP verification, and enforced secure 2FA methods by allowing admins to disable Email OTP, requiring mobile or authenticator app setup. Access control enforcement and Authenticator App removal restrictions further strengthen security.
- Next Identity Console Enhancements: Environments are now consistently sorted across the console, workflows have an improved empty state, and the Engagement feature has been fully deactivated.
- Bug Fixes for a Smoother Experience: Resolved issues affecting MFA banners, biometric setup messages, duplicate callout cards, and Redirect URI display, ensuring a more reliable authentication experience.
The following changes are included in this release of the Next Identity platform.
Enhancements
Analyze
- Engagement Feature Deactivated in Next Identity Console: The Engagement feature has been deactivated in the Next Identity Console. This includes its removal from the left-side menu, the homepage for Service Management View users, and user management roles.
Operate
- Sorted Environment List for Improved Selection: Environments are now sorted consistently across the Next Identity Console, including the Environment Filter and Manage Users screens.
- Improved Empty State for Workflows: When no workflows are created, users will now see a helpful message with a link to learn more instead of an empty table.
Unify
- Expanded OTP Support for Two-Step Mobile Numbers: Updated OTP endpoints to send and verify SMS codes using the appropriate mobile number. This enhancement improves flexibility in OTP delivery.
- Public Endpoint for TOTP Verification Available: Introduced a public API endpoint to verify TOTP codes generated by authenticator apps. This update allows customers to integrate TOTP verification into their authentication flows.
- Authenticator App Removal Option Disabled in Old Layout: Users with Authenticator App 2FA can no longer remove the integration in the old user profile layout. The option now appears grayed out and unclickable to prevent login issues.
- Mandatory 2FA Now Enforces Secure Authentication Methods: Administrators can now disable Email OTP for 2FA, requiring users to set up either a mobile number or an authenticator app during activation and login. This strengthens account security and reduces credential risks.
Bug Fixes
Operate
- Redirect URI List Display Issue Resolved: Fixed an issue where the Redirect URI list appeared empty in Client Details despite configured data. The list now correctly displays stored URIs, or a message if none are configured.
Unify
- MFA Banner Display and Dismissal Issues in Mobile View Resolved: Fixed issues where the MFA banner did not consistently appear after enabling and disabling biometrics and where the X button was unresponsive. The banner now behaves correctly and can be dismissed as expected.
- Duplicate Callout Card Issue Resolved in Mobile View: Fixed an issue where the callout card appeared twice on mobile devices. It now displays correctly, ensuring a consistent user experience.
- Biometric Setup Success Message Timing Fixed: The success message for enabling biometrics now only appears after the setup is fully completed, preventing confusion when the process is interrupted.
- Grant Access Screen Now Properly Enforces Access Control: Fixed an issue where users could log in even after closing the grant access screen or clicking the deny button. Access is now correctly blocked when permission is not granted.