CyberArk Identity 21.12 Release

December 6, 2021 Stas Neyman

With release 21.12, CyberArk Identity supports the following new features: 

CyberArk Workforce Identity

Single Sign-On 

Dynamic role type 

CyberArk Identity roles define permissions that role members have to access applications and perform tasks. With this release, we are introducing a new Dynamic role type. Administrators use JavaScript-based logic to define role membership within Dynamic roles based on specific user attributes. For example, you can create a script that adds users from a specific country to the role. This ensures that any user with particular attributes matching the granular criteria defined in the dynamic role script is assigned the membership. Users are automatically granted access to dynamic roles each time they log in, based on their current attributes. Dynamic roles support users stored in CyberArk Identity Cloud Directory and Microsoft Active Directory (AD).  

Dynamic Roles UI

The Dynamic roles feature is currently in preview. To learn more, please get in touch with CyberArk Identity support. 

Transfer ownership of shared application credentials 

CyberArk Identity enables application owners (end users who have added a username and password application to their user portal) to securely manage shared access to their business apps. For example, a marketing team lead can share access to a social media application that uses a single set of credentials with their team members. With this release, administrators can configure CyberArk Identity to transfer ownership of a specific shared application to another user if the original application owner is deprovisioned from CyberArk Identity. This ensures uninterrupted access to username and password apps even when the user that initially added and shared the application leaves the company.

Application ownership transfer UI


Refer to Configure users to share business application credentials for more information.

Audit changes to shared credentials for username and password-based business apps 

You can now create custom reports to capture changes to the shared business application credentials stored in CyberArk Identity or a CyberArk self-hosted vault. With this reporting capability, you can monitor and audit updates to password permissions, ownership transfers and credential changes for shared business applications. For example, you can create a report to track when an application was shared, who it was shared with and what permissions were granted to additional users. The report captures granular details, including the action type, where the shared credentials are stored, when the change occurred and the specific field changes, among other information.

Reports for shared credential auditing

To learn more about this feature, please see Create reports for shared application events.
 

Multi-Factor Authentication

Automatic setup of OATH OTP in CyberArk Identity Mobile App 

Initiative for Open Authentication (OATH) One-Time Password (OTP) is an authentication mechanism that enables users to enter a unique one-time use code to pass multi-factor authentication challenges. CyberArk Identity users can obtain OTP codes for an application or website by setting up this authentication mechanism in their CyberArk Identity app. With this release, administrators can now enable the automatic setup of OATH OTP authentication for users who enroll their mobile devices with CyberArk Identity. This reduces the need for manual OATH OTP authentication setup and ensures that all users with enrolled Android and iOS mobile devices can use this secure authentication mechanism.  

Enabling auto-setup of OATH OTP


To learn more about enabling the automated setup of OATH OTP in the CyberArk Identity app, please see here


Additional MFA redirection options 

MFA redirection enables CyberArk Identity administrators to perform secondary authentication on behalf of another user’s account. With MFA redirection, secondary authentication factors only need to be configured on the main user’s account. They are then applied when an alternate administrative account is used and an MFA policy is triggered. For example, system admins may have a primary low-privilege account for routine tasks and additional alternate-admin or “dash-a” accounts for high-privilege administrative tasks. Previously, MFA redirection supported the CyberArk Identity Mobile App as the only second factor. Now, administrators can use all factors supported by CyberArk Identity MFA. This reduces the need for administrators to maintain redundant secondary authentication factors, making privileged access both secure and convenient.

MFA Redirection UI


To learn more about the additional MFA redirect options, please see here.

CyberArk Customer Identity

Authentication widget builder

CyberArk Customer Identity now provides the ability to create and modify authentication widgets, including the login and MFA widgets, directly in the Admin Portal. This enables administrators to use a user-friendly UI to create multiple authentication widgets, see an instant preview of widget customizations and eliminate the need to redeploy modified widgets.

Authentication Widget UI


The authentication widget feature is in preview. Please get in touch with CyberArk support to learn more about this feature. 

Progressive password migration

With this release, companies can easily migrate users with hashed passwords from their custom websites to CyberArk Customer Identity. Previously, user migration required developers to replicate the password hashing algorithm used by the website’s existing authentication mechanism or request all users to reset their passwords post migration. Now, developers can use progressive password migration to seamlessly move users along with their hashed passwords without requiring user input or re-creating hashing algorithms. Progressive password migration supports all hashed password implementations and leverages the existing authentication system’s API to validate users and their passwords.

Progressive Password Migration UI


The progressive password migration feature is currently in preview. Please get in touch with CyberArk support to learn more. 
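The following sketch illustrates the general progressive (login-time) migration pattern described above. It is an added example, not CyberArk code or the CyberArk API: `legacy_validate`, `NewIdentityStore`, the sample user and the PBKDF2 parameters are all hypothetical, and the legacy store is a constructed stand-in.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the legacy site's authentication API (hypothetical).
# It keeps its own salted SHA-1 hashes; the new store never reads or re-creates them.
_LEGACY_DB = {"alice": ("s1", hashlib.sha1(b"s1" + b"correct horse").hexdigest())}

def legacy_validate(username, password):
    """Ask the legacy system whether this username/password pair is valid."""
    rec = _LEGACY_DB.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.sha1(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

class NewIdentityStore:
    """Hypothetical target directory: users are imported without passwords."""

    ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

    def __init__(self, usernames):
        self.users = {u: None for u in usernames}  # None = not yet migrated

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def login(self, username, password, legacy_api=legacy_validate):
        if username not in self.users:
            return "denied"
        rec = self.users[username]
        if rec is not None:
            # Already migrated: verify locally, the legacy API is not consulted.
            salt, stored = rec
            ok = hmac.compare_digest(self._kdf(password, salt), stored)
            return "ok-local" if ok else "denied"
        # Not yet migrated: the legacy system judges the submitted password.
        if not legacy_api(username, password):
            return "denied"  # a failed login never creates a credential
        # Success: store a fresh hash under the new scheme and mark as migrated.
        salt = os.urandom(16)
        self.users[username] = (salt, self._kdf(password, salt))
        return "ok-migrated"
```

In this pattern the legacy validation endpoint remains part of the login path until the last user has signed in once, so it needs the same protections as the primary login (authenticated channel, rate limiting, logging) until it is retired.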

Push Authentication for Android and iOS SDKs

CyberArk Customer Identity allows you to secure access to your apps and websites with a broad range of secondary authentication methods. With this release, you can now use a software development kit (SDK) to add push authentication to your Android and iOS applications. This enables you to embed risk-based authentication workflows into your web applications and provide end users a fast, secure and convenient authentication experience. For example, you can use push notification authentication to allow users to access your web applications, set up push authentication as a secondary authentication mechanism or require end users to approve push notifications on their mobile devices before allowing them to perform high-risk activities.

mobile devices SDK

The Android and iOS SDKs are currently in preview. Please get in touch with CyberArk support to learn more. 


Additional features included in the 21.12 release: 

• Enhanced authentication experience: Users who have only a single authentication factor set up will now be automatically directed to complete the authentication process without seeing the dropdown of authentication factor choices.
• Support for additional service providers for SMS retry messages: SMS messages containing retry OTP authentication codes will now use alternative service providers to improve message delivery. 

For more information on the 21.12 release, please see CyberArk Identity release notes
 
