With the 23.8 release, CyberArk Identity supports the following new features:
Multi-Factor Authentication (MFA)
YubiKey One-Time Password (OTP) Support for Passwordless Authentication
YubiKey is a widely used physical authentication device that qualifies for NIST Authentication Assurance Level 2 (AAL2). With this release, you can now use the OTP generated by your YubiKey to securely authenticate to any application protected by CyberArk Identity.
Historically, passwords and basic two-factor authentication methods such as SMS and email are more vulnerable to phishing attacks. More traditional and secure methods, such as smart cards, are difficult to deploy and use at an enterprise scale. The YubiKey OTP authentication factor eliminates passwords while delivering a more secure and frictionless login experience that is easy to implement at enterprise scale. First, it uses YubiCloud, which means that supporting YubiKey OTP is not much more difficult than supporting regular passwords. It does not need a client software because the OTP is just a string, and if you can send a password, you can send an OTP. Also, the YubiKey ID embedded in the OTP allows for self-provisioning and authenticating without a username.
Yubikey OTP Support for Passwordless Authentication
Learn more about YubiKey One Time Password (OTP) Support.
User Behavior Analytics
New Event Types Added for User Behavior Analytics (UBA) Response Automation
As CyberArk continues to make strides in providing the best-in-class identity security, you can now select additional event types which denote potential risky behavior. These event types include when roles and permissions are updated, passwords are changed, or authentication profiles are deleted.
Once the UBA engine has observed an event type and when an event is triggered, it will initiate an automated and customizable response in the form of a webhook or email to notify the end user. For example, you can select the event “Cloud.Core.Access.Rights.Change,” and the UBA engine will trigger an automatic custom webhook or email response if it detects a change in permissions for an end user. With this feature, you can take proactive steps to detect risky behavior and prevent further security threats.
Create custom UBA Response Automation with a webhook or email for new event types.
Learn more about event types added for UBA response automation.
CyberArk Identity Flows
Support for Stronger Authentication
CyberArk Identity Flows now supports mutual TLS (mTLS), a stronger mechanism for authentication. This method requires both parties – the client and the server – to validate one another when interacting. With this enhancement, customers can integrate high-demand applications that require this kind of authentication within their workflows. For example, you can now include APIs from ADP, which require mTLS, to create an HR-driven employee lifecycle management workflow within CyberArk Identity Flows.
Mutual authentication is more secure because it provides a more rigorous process for sending and receiving certificates and ensures that users interacting with CyberArk Identity Flows are who they say they are.
Stronger authentication support
Learn more about Support for mTLS.
New Role Types
CyberArk Identity Flows now allows organizations to assign different roles within the no-code workflow builder – limiting the actions one can take based on their role. In addition to the existing administrator role, which allows access to all flows and actions, new roles include:
- Flows contributor. Enables users to create, modify and run their flows within a tenant. These users will also have “read-only” access to flows created by other users.
- Flows read. Enables users to view flows and associated logs, but the user cannot update, edit or run the flows.
The introduction of these new roles provides an additional layer of security, allowing administrators to apply controls over the types of actions users can create. CyberArk Identity Flows is a powerful tool integrating applications and orchestrating organizational actions. This enhancement can better enforce security.
New Role Types
Learn more about new roles in Identity Flows.
CyberArk Workforce Password Management (WPM)
Support for TOTP-protected Apps in CyberArk Identity Mobile App
CyberArk introduced support for username and password-based business applications protected with time-based one-time Password (TOTP) in the CyberArk Identity 23.6 release. This feature allowed users accessing business applications through CyberArk WPM to complete the TOTP authentication challenge within the application by using verification codes from the CyberArk WPM web portal, the CyberArk Identity Browser Extension or the browser context menu.
With this latest release, CyberArk is extending the TOTP authentication support to the CyberArk Identity mobile app. Now, end users can set up, update and generate TOTP verification codes and access TOTP-protected apps directly in the mobile app. This capability simplifies the TOTP setup process and provides more flexibility for end users on the go.
Set up TOTP authentication step within business apps.
Note: support for TOTP authentication is currently in preview and is available for admin and user-added apps with credentials stored in the CyberArk Identity Cloud vault. Please get in touch with CyberArk support to enable it on your tenant.
New Options for the CyberArk WPM Landing Page
CyberArk Workforce Password Management now supports additional options for the default layout of the CyberArk WPM User Portal. Previously, administrators could specify applications, authentication factors or personal profiles as the landing page for CyberArk WPM.
Administrators can also now specify “All Items” or “Secured Items” as a default landing page view. The “All Items” option allows end-users to see the “All” tab with all their applications and secured items. Once successfully authenticated, the “Secured Items” option directs users to the “Secured Items” tab.
If administrators do not define the layout, the system presents end users with the tab containing all applications by default.
Landing screen customization policy
Learn more about customizing your CyberArk WPM tenant.
Reference Template for Importing Accounts
CyberArk WPM now provides a reference template to simplify the bulk import of username and password-based accounts. The CyberArk WPM import function lets users quickly add credentials from third-party password managers, including LastPass, KeePass, Google Password Manager and Dashlane. End users can also export their accounts and notes from other password managers into a CSV file and migrate them to CyberArk WPM.
With this latest release, users can access a downloadable sample template to streamline the import process and ensure all relevant account data is included and correctly formatted for storage in the CyberArk Identity Cloud or the CyberArk PAM Self-Hosted Vault.
Option to download CSV file template
Learn more about importing accounts into CyberArk WPM.
Enhancement to Account Import
CyberArk WPM now allows users to import folder names and TOTP configuration information from third-party password managers. With this release, CyberArk WPM users can include their TOTP authentication key (the secret key needed to set up TOTP authentication) as part of the credentials migration to CyberArk WPM. This action simplifies the configuration of TOTP authentication mechanism for business applications with built-in two-factor authentication and reduces IT overhead.
Users can also ensure that apps are automatically reflected in the respective CyberArk WPM folders by specifying each application’s folder name.
Import options for CyberArk WPM.
TOTP and folder name migration are currently available for LastPass and generic password managers.
Learn more about import options and TOTP configuration
Folder Designation for Apps and Secured Items
You can now assign applications and secured items to folders from the settings menu. Previously, applications and secured items could be added to folders by simply dragging and dropping them into the folder tab. With this release, you can also specify the folders you want your applications and secured items to appear in using the applications or secured item setting menu.
In addition, you can use the settings menu to create new folders or remove the folder assignment. This feature simplifies folder assignment management and can help end users be more productive.
Folder assignment settings.
Learn more about folder management in CyberArk WPM.
For more information on the 23.8 release, please see the CyberArk Identity release notes.