In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.7 this weekend (Saturday, July 30th). The complete list of new features is available in the release notes, but as always I will tell you about the most important features here:
Additional Attributes for MFA
As you know, Centrify has always focused on security and has been a big proponent of the use of Multi-Factor Authentication throughout the enterprise. We are very proud of the work that we've done to make the use of MFA more accessible to our customers. MFA is not a new solution, but it is more viable today as it has become simpler to deploy. In the past, MFA solutions required rolling out infrastructure and providing users with yet another thing to carry (e.g. hard tokens). These things often led to failed MFA deployments as the costs outweighed the benefits and user adoption was slow to pick up. With the Centrify Identity Platform, MFA is much simpler as the "what you have" component can be fulfilled from several different response mechanisms, including responding to emails, phone calls or text messages. When using these factors for MFA, the email address / phone number must be on record in the directory that you are authenticating against (AD, LDAP or our cloud directory). With this release, we are now enabling the administrator to define other attributes from your local directory source for email and phone.
This feature has two primary benefits:
- It allows the organization to provide users with more options for how they authenticate.
- It enables users to authenticate with personal phone numbers and email addresses that can be stored in Active Directory, but are not populated in the GAL (Global Address Library).
Mobile Notifications on Multiple Devices
We've also improved upon our mobile authenticator (mobile app for approving / denying MFA requests) to better serve users with multiple devices. For security reasons, we limit mobile notifications (MFA requests) to a single, primary device only. While this is a great feature from a security perspective, customers have asked for the ability to send those notifications to all of a user's enrolled devices. With the new release, we've added a new mobile policy to allow notifications on multiple devices (you will find the policy under Policies > Mobile Device Policies > Common Mobile Settings > Common). When this policy is enabled, the user will be able to determine which mobile devices should receive notifications.
In addition to the features above, I wanted to point out a change we are making to how we support IWA (Integrated Windows Authentication) for improved security. The summary version of the change is as follows:
- If you have IWA enabled but have not set a Corporate IP Range, we will not attempt to log in your users via IWA; and
- Going forward, the default setting for IWA will be to use HTTPS. (Please note: we plan to deprecate support for IWA over HTTP in version 16.9.)
For more details, please see the KB article.
We hope you enjoy these new features and look forward to hearing your feedback!