CyberArk Multi-Factor Authentication (MFA)
Passwordless Authentication with Passkeys
CyberArk MFA now supports authentication with phishing-resistant passkeys and qualifies for the highest NIST Authenticator Assurance Level (AAL3). Based on FIDO2 standards, passkeys replace passwords and provide faster, easier and more secure sign-ins to websites and apps across user devices.
With this release, end users can authenticate using passkeys to access their applications and resources. Passkeys eliminate the reliance on passwords when authenticating to access applications and resources and can be used for step-up authentication to access web apps and secured items. Since passkeys are passwordless, they deliver a more seamless end user experience and are phishing-resistant.
Configure passkeys for passwordless authentication.
Learn more about passwordless authentication with passkeys.
CyberArk Single Sign-On (SSO)
Single Logout for Multiple Identity Providers (IDPs)
CyberArk Identity SSO now allows a seamless logout process for federated users. Previously, users who logged into CyberArk Identity through external IDPs would have to log out of both portals manually. With this feature, users from different external IDPs who access applications through CyberArk Identity SSO can log out of both CyberArk Identity and their external IDP at once.
This provides a seamless logout experience and enhances security by ensuring the user is completely logged out of all applications with one click.
Configure single sign-out for multiple IDPs.
Learn more about single logout for multiple IDPs.
CyberArk Workforce Password Management (WPM)
List Allowed Applications
CyberArk WPM allows end users to store and share credentials securely and gives organizations control and visibility to help secure their workforce from password-based attacks. With this release, administrators can now allow users to store credentials only for a specific list of domains and URLs. When this feature is selected, CyberArk WPM restricts all other domains. Previously, administrators could specify a list of denied applications and block access to those applications.
This new feature allows organizations to restrict use more broadly and exercise tighter control, particularly for high-risk users.
Administrators can restrict the use of CyberArk WPM for all domains unless they are included in this list.
Learn more about the allow list feature in CyberArk WPM.
CyberArk WPM and Secure Web Sessions
Set Time Limit for User Sessions
This new integration between CyberArk Secure Web Sessions and CyberArk WPM empowers administrators to set time limits on user sessions for username-password applications. Some web applications allow users to remain logged in without re-authenticating for weeks or months. This poses significant risks.
Companies can now specify how long they’d like to allow users to remain logged into a user session and configure a warning notification before the session is killed. Giving organizations control over how long a user can stay logged in to a web session adds a layer of security to high-risk user sessions where sensitive data and resources can be accessed.
The CyberArk Secure Web Sessions administrator console includes the option to end user sessions for CyberArk WPM authenticated applications after a specified time.
CyberArk Identity Compliance
Schedule Access Termination
CyberArk Identity Compliance provides centralized visibility and stronger control to enforce compliance. With this release, access certifiers can schedule the termination of access rights for a specific date and time. This feature provides additional flexibility to organizations by reducing instances of lingering access or overprivileged users.
Previously, certifiers would revoke user access to resources when completing their certification campaign tasks — aligning with the cadence of the campaign. However, there may be a need to terminate access in the middle of a campaign cycle. For example, if a manager is reviewing contractors’ access every month, now they can revoke access for individuals based on the date their contract expires, using the scheduling feature. Administrators can enable this capability for certifiers while configuring new campaigns.
Learn more about scheduling access termination.
Certify Groups and Roles
CyberArk Identity Compliance now provides access certification capabilities for Active Directory (AD) groups and CyberArk Identity roles. Many organizations control access to resources leveraging groups or roles, and the associated access permissions must be regularly reviewed to ensure they are relevant. Certifying access to groups and roles helps prevent the accumulation of unnecessary user memberships and prevents instances of overprivileged accounts.
With this release, administrators can select which AD groups or identity roles they would like to include in a new campaign, and certifiers can see the application or CyberArk PAM Safe permissions associated with users.
Learn more about certifying groups and roles in CyberArk Identity Compliance.
Read more about the CyberArk Identity 23.11 features in the release notes.