Conditional Access for Endpoints and Infrastructure
This is without a doubt my favorite new feature in this release. As you probably know, all of our products are integrated with and/or built on the platform. This allows core capabilities, such as MFA, to be extended to all of our products. When we first integrated our Infrastructure Services and Endpoint Services agents with the platform, we created tenant-wide settings to require an Authentication Profile for Login Authentication and another profile for Privilege Elevation. This was a great first step and allowed us to offer always-on MFA for login and/or privilege elevation. This offered better security, but left 3 problems:
- poor user experience, since access to these protected resources and operations always required the user to provide a 2nd factor,
- admins could not require different profiles for servers vs workstations, and
- admins could not block access conditionally (as long as the user has the 2nd factor they can access the resource or elevate their privilege).
In this release, we have addressed this by moving this global setting to new policies. In 17.11 we now have the following policies for conditional access:
- Login Policies
  - Centrify Portal
  - UNIX and Windows Servers
  - Windows Workstations
- Privilege Elevation Policies
  - Privilege Elevation
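To make the difference concrete, the following is an added illustrative policy model, not Centrify's own code or API: it contrasts the old pair of tenant-wide settings with per-resource policies that can allow, challenge with a resource-specific profile, or block outright. The resource names, the `trusted_network` / `managed_device` conditions and the profile names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

class Outcome(Enum):
    ALLOW = "allow"          # let the login/elevation proceed without a 2nd factor
    CHALLENGE = "challenge"  # require the named authentication profile (MFA)
    BLOCK = "block"          # deny even if the user could satisfy the 2nd factor

@dataclass(frozen=True)
class Request:
    resource: str            # "portal", "server", "workstation" or "elevation"
    trusted_network: bool    # constructed condition attributes; the release note names none
    managed_device: bool

@dataclass(frozen=True)
class Rule:
    condition: Callable[[Request], bool]
    outcome: Outcome
    profile: Optional[str] = None

@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...] = ()
    default: Outcome = Outcome.CHALLENGE
    default_profile: Optional[str] = None

def evaluate(policies: Dict[str, Policy], req: Request) -> Tuple[Outcome, Optional[str]]:
    """First matching rule wins; a resource with no policy fails closed (BLOCK)."""
    policy = policies.get(req.resource)
    if policy is None:
        return Outcome.BLOCK, None
    for rule in policy.rules:
        if rule.condition(req):
            return rule.outcome, rule.profile
    return policy.default, policy.default_profile

# Pre-17.11 model: two tenant-wide settings, so every login challenges with the
# same profile and every elevation with the other, unconditionally (always-on MFA).
LEGACY_LOGIN = Policy(default_profile="Login Profile")
LEGACY = {r: LEGACY_LOGIN for r in ("portal", "server", "workstation")}
LEGACY["elevation"] = Policy(default_profile="Elevation Profile")

# 17.11 model: one policy per resource class, each with its own profile and rules,
# so servers and workstations can differ and access can be blocked conditionally.
NEW = {
    "portal": Policy((Rule(lambda r: r.trusted_network, Outcome.ALLOW),),
                     default_profile="Portal MFA"),
    "server": Policy((Rule(lambda r: not r.managed_device, Outcome.BLOCK),),
                     default_profile="Server MFA"),
    "workstation": Policy(default_profile="Workstation MFA"),
    "elevation": Policy((Rule(lambda r: not (r.trusted_network and r.managed_device),
                              Outcome.BLOCK),),
                        default_profile="Elevation MFA"),
}
```

Under the legacy table a portal login from a trusted network still gets challenged with the single "Login Profile"; under the per-resource table it is allowed, while a server login from an unmanaged device is blocked even though the user may hold a valid 2nd factor.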
Customization Extended to SMS Messages
As you probably know, our interface and any email messages sent through our service can already be customized. You may also know that we have recently made it much easier to change the email messages in all of the languages we support and we've improved the Admin's ability to see which languages those messages have been customized in. In the past, we had not exposed that interface to SMS messages generated by our system. We never provided SMS customization because the URLs that we send with enrollment links / MFA challenge responses were so long that there really wasn't any room for that customization. We are happy to announce that we have addressed that in this release. We now use fixed-length short URLs and have exposed those messages for Admins to customize!
FIDO U2F Support
Finally, we are very pleased to announce that we have expanded our MFA offering to include FIDO U2F Security Keys as a 2nd factor. Admins can now set policy allowing their users to self-enroll any U2F-compliant device and then use that device as a 2nd factor when authenticating through our platform.
We hope you like these new features and look forward to hearing your feedback!