v1.50.0 - March 19, 2025

❗️ High-Risk Update: Forgot Password Flow Modifications

This update modifies the forgot-password flow by adding a transaction type to the session, which may affect session behavior. Users could experience automatic login after password reset in certain configurations. Please report any issues immediately to ensure platform stability.

🌟 Highlights

This release delivers key improvements in security, usability, and platform capabilities:

  • Security Configuration Enhancements: Introduced Email OTP disable options for Identity Guard apps and updated the two-step verification logic to support primary method selection across integration types.
  • Bug Fixes for UI and Flow Issues: Resolved issues with the MFA banner and activation link expiry to ensure a consistent user experience and security.
  • Improved Client Configuration Controls: Added new fields for API and M2M clients, refined integration settings display, and removed unnecessary fields to simplify client management.
  • Enhanced Inventory, Advanced Search & Feature Adoption Tracking: Improved advanced search with a Voice OTP filter, enhanced inventory management views, and refined feature adoption metrics to provide better insights into security feature usage.

The following changes are included in this release of the Next Identity platform.

Enhancements

Analyze

  • Service Management View Enhancements: Updated the Service Management view to include new metrics, such as adoption rates, total clients, and adoption over time, with specific adjustments for Hosted Journeys and API clients. This will allow better tracking of feature adoption and client engagement.
  • Adoption Rate Metrics Update: Enhanced the Service Management view to include detailed statistics on adoption rates for various security features, tailored for both Hosted Journeys and API clients.
  • Identity Guard Features Consolidation: Streamlined the display of Identity Guard features to ensure consistent presentation of security settings across different client types.
  • Analyze Component on Property Homepage: Added an analytics component to the Property Homepage, allowing Application Managers and Viewers to track key user interactions over the past 15 days.

Secure

  • Authenticator App Toggle Disabled: Prevented users from accidentally removing their Authenticator App by making the toggle unclickable in the new security layout.
  • Email OTP Disable Configuration Added: Introduced a configuration to disable Email OTP for apps using Identity Guard, requiring users to use 2FA or an Authenticator App instead. This ensures compatibility with Adaptive Authentication and risk-based triggers.

Operate

  • Tailored the client detail page based on the integration type: Simplified the client detail page by highlighting the key fields that reflect the behavior of API-only clients and Hosted Journey clients. For Hybrid integration (Hosted Journey & API), we added a "Hosted Journey - only" flag indicating settings exclusive to this integration type.
  • Two-Step Verification Field for API Clients: Displayed the "Two-Step Verification" field in the Authentication tab for clients with API integration type, with the option to enable or disable two-step verification.
  • Primary Method Selection for Two-Step Verification: Updated two-step verification logic to support primary method selection, incorporating options like mobile, email, and Authenticator App based on system settings.
  • Access Type Field for M2M Clients: Added the "Access Type" field to the client detail page for M2M (direct access) clients, displaying values like Read-only, Read-write, or Owner based on feature node settings.
  • Added Integration Type to Client Detail Page Header: Enhanced the client detail page header to help users quickly identify the integration type of each client.
  • Inventory Advanced Search Enhancements: Enhanced the advanced search functionality with a new Voice OTP filter, allowing users to filter by Voice OTP status.

General

  • Forgot Password Session Transaction Type Added: Added a transaction type to the session in the forgot-password route, ensuring that the session is not cleared when transactionType = forgotPassword is present on the authorize index route.

Bug Fixes

Secure

  • MFA Banner Display Fix: Resolved an issue where the MFA banner incorrectly appeared after disabling the Authenticator App.
  • Mobile Callout Card Display Fix: Fixed a UI bug where the callout card appeared twice on mobile devices, ensuring it displays only once in the correct location.
  • Client Secret Exposure Fix: Resolved the issue where the client secret was visible in the "provider_info" section of the client Credentials page, ensuring that the secret is properly hidden as intended for security purposes.

General

  • Activation Link Expiry Fixed: Resolved the issue where the activation link sent via SMS was always expired, ensuring the link now redirects correctly without expiration.
  • Incorrect 2FA Flow Fixed: Corrected the 2FA flow to send the 2FA code to the user’s email when mobile verification is not completed, instead of sending it to the mobile number being added.
  • Login Page Language Issue Resolved: Fixed the issue where the login page was changing languages unexpectedly, ensuring it now defaults to en-US (English).
  • Authenticator App Configuration Screen Duplication Fixed: Resolved the issue where the Authenticator App configuration screen was shown twice during login, ensuring it now only appears once.