Skip to main content




Week 25

Notable changes
  • Fetch channel: We have provided a method in the Authentication Cloud to allow the Nevis Mobile Authentication SDK to obtain ongoing operations for a user or authenticator. This functionality can be used as an alternative to push notifications, or as a fallback method. Fetch is only available from Nevis Mobile Authentication SDK version 3.7.0 onward.
  • Reports: Instance availability reports are now available on the Reports screen in the Management Console. This report type provides SLA and availability information for a selected instance between two defined dates.
  • We added recovery codes last login timestamp on users API endpoints.


Week 22

  • Authenticator API responses now return the last authentication attempt date and outcome in the lastLoginDateSuccess and lastLoginDateFailure fields.
  • The user details screen now displays the correct date for when each authenticator was created. This information in shown in the CREATED column within the Authenticators section of the page.


Week 19

Notable changes
  • Reports: Audit trail reports are now available on the Reports screen in the Management Console. This report type lists the details of all data changes performed by both users and administrators between two defined dates.
  • When the name of a device is changed in the Access App, the new name is now saved in the field of the logs. The earlier device name is saved in the details field.

Week 17

Notable changes
  • Management console: We reorganized the management console navigation sidebar, to provide a more concise overview of all features and a better overall navigation experience. You can now find Users and Authenticators under the User management sidebar container, while integration features and Access App branding are moved to Settings. The navigation sidebar now also contains a link to the Authentication Cloud Documentation, replacing the Help button.

Week 15

  • We now display additional information about FIDO UAF devices on the authenticator details screens of the management console. This includes the following:
    • Device model
    • Mobile OS version
    • Mobile App version
    • SDK version
    • Bundle ID


Week 13

Notable changes
  • Reports: Active users reports are now available on the Reports screen in the Management Console. This report type lists all active users in the system and the details of their last activity between two defined dates. For more information, see Active users report.
  • Push notifications disabled by user: In the Management Console you can now check when a user disabled push notifications on a device registered as an authenticator. Both the user details and the authenticator details screens display a notifications blocked icon next to the authenticator name to show this. The same information is also included in the API response for FIDO UAF authenticators in the userDisabledPushNotification field.

Week 11

Notable changes
  • Reports: Registered users reports are now available on the Reports screen in the Management Console. This means, that you can now generate and download reports that list all user registration events between two defined dates. For more information, see Registered users report.


Week 8

  • We renamed the Devices screen on our Management Console to Authenticators to be consistent with the terms our API use.
  • We have added escaping characters to all CSV extracts in order to provide additional protection against CSV injection attacks.

Week 6

Notable changes
  • Reports: On the reports screen you can now specify start and end dates to filter events.
  • We added filter refresh and reset buttons to the logs screen in the management console.
  • We added Device Ref to the Device screen in the management console to show the ID of the physical device.
  • We changed the field to device.authenticatorId in logs CSV exports to avoid ambiguity between the ID of the authenticator and the ID of the physical device. This affects both the CSV export generated via the management console and the API endpoint.
  • We changed Device ID to Authenticator ID on the logs details screen in the management console.


Week 3

  • The ID of the physical device is now returned in the authenticator response in the deviceRef field.
  • Username is now included in the status endpoint's response.

Week 2

Notable changes
  • Reports: It is now possible to generate and download user authentications reports from the management console. This gives you a simple way to extract data regarding authentication events on your Authentication Cloud Instance. You can access reports on the Management Console under the Reports sidebar item.
  • We improved the categorization of logs for recovery codes and SMS.
  • We changed the HTTP method from POST to GET for the log export endpoint.
  • We changed the Content-Type for exporting endpoints to text/csv.
  • It is now possible to view logs older than 30 days.
  • Renaming a FIDO2 authenticator no longer voids the FIDO2 authenticator.



Week 49

Notable changes
  • Push rate limiting: It is now possible to limit the number of push notifications that can be sent to user devices within 24 hours, to prevent bombing attacks. If the limit is reached, the user and the affected devices become temporarily blocked from push notifications, but can continue to use other authentication methods such as QR code. You can manually unblock a user or an authenticator on the Management Console. To enable this functionality, contact the Support Team.
  • We modified the log messages on the UI to no longer have double escaped characters.


Week 48

Notable changes
  • Exporting logs with API calls: We created a new API endpoint that allows for the export of event log data to a CSV file. By using query parameters, you can apply filters to the export. For more information, see the Log export endpoint documentation.
  • You can now search the logs by
  • We added the category field to log exports.

Week 46

New Management Console design

We made the following changes on the Management Console:

  • Improved the design of the Users, Devices, and Logs search bar.
  • Improved the design of the user and device details screens.
  • Increased the number of items to 20 in the Users and Devices tables.

Go to the Nevis Orbit portal to check out the changes.

New default name for a FIDO2 authenticator

If the name of a FIDO2 authenticator is left empty, the name now defaults to Unnamed FIDO2 authenticator. This improves the handling of FIDO2 authenticators on the Management Console.


New FIDO UAF user agent

User agent data is now available for FIDO UAF authenticators. The data is part of the HTTP response of the users and authenticators endpoints. The response can be used for data analytics. For more information, see the respective pages of the API endpoint reference documentation.


Export function and new filters for the event log

We added a new export function and additional filtering options to the Logs overview on the Management Console. For more information, see Logs.

FIDO2 JavaScript change

We have replaced our FIDO2 JavaScript client with a more flexible JavaScript solution. For more information, see the FIDO2 documentation.


Number matching for push authentication

Number matching is now available as an optional feature for push authentication. Number matching adds an extra layer of security by requiring the user to provide a random code before they can use the push notification for authentication.


New logs feature on the Management Console

With the new logs feature, you can view and analyze your data for potential issues, without the need to contact the customer support team. You can access the feature on the Management Console under the Logs menu.


FIDO2 autofill UI

We added support for the FIDO2 autofill UI feature to provide an easier user experience. With the autofill UI feature, users do not need to provide their username when they authenticate a transaction.

Status token parameter is no longer required in FIDO2 registration and authentication responses

You do not need to add the statusToken parameter in FIDO2 registration and authentication calls, because the REST API endpoints does not require the statusToken field anymore.


Display registered phone numbers on the management console

If a user registered a phone number, now the number is displayed on the management console in the user profile. The phone number is masked. You can also remove a phone number here.



REST API extended with new optional push notification message

The newly introduced notificationMessage REST API parameter makes it possible to configure two different notification messages for push authentication. The notificationMessage parameter is optional, and its message is displayed on the notification drawer or notification center. In comparison, the text configured in the message parameter only appears in the Access App. If you only use the message parameter, the text from this parameter appears in both places.


Display recovery codes on the management console

If a user registered recovery codes as authentication method, now the management console displays information about them in the user profile. You can check how many active recovery codes a user has, and how many were redeemed. You can also revoke all 16 recovery codes at once here.


Management console dashboard

We added a dashboard screen to the management console. If you click Dashboard on the sidebar, you can now see visualized metrics about your Authentication Cloud instance.


Updated Figma templates

At Nevis, we use Figma templates to customize the design of the Access Apps. We updated the Figma templates for a simpler and more streamlined experience on your side.

With the update, we included all your previously uploaded logos and color settings so you can continue where you left off.

On the Management Console, you can find the updated templates under Graphics & Branding.


Java and Spring vulnerability fixes

Based on our analysis, Authentication Cloud is not affected by the recent Java and Spring vulnerability issues. To mitigate risks, we delivered fixes for CVE-2022-21449 and CVE-2022-22968. We keep monitoring the situation, and apply further updates if needed.


Escape characters in error messages

Unescaped HTML special characters in JSON error messages can lead to a security vulnerability. MSIE11 on Windows 7 and Windows 8 can be tricked into rendering application/json as text/html. However, the attack is only possible if an adversary can frame the affected response using an iframe, concurrently to the initial request being an HTTP GET.

We made sure that JSON responses do not contain unescaped HTML special characters. For characters such as < or >, we now use the JavaScript unicode escapes \u003c and \u003e. With this change, there is no further potential for triggering XSS attacks using HTML special characters inside JSON responses.


Regarding the Spring framework remote code exploit, our current understanding is that Authentication Cloud is not affected. To be on the safe side, we proactively applied the official Spring upgrades.


Usernameless authentication

Usernameless means you can start the authentication flow without supplying the username. Once the user has successfully authenticated, you can connect the approved transaction, such as a login, to the particular user.

  • This feature only works with the a branded or an SDK-based Access App, with a QR code or a link.
  • The supported SDK & Access App version is 2.2.0 or higher.
  • The approval endpoint no longer requires a username or userId if the channel is set to app.
  • Intermittent polls on the status endpoint will not have the userId in the response. Only if the user successfully authenticated will the status API endpoint return the userId so it can be bound to the transaction session.

Visit Usernameless authentication for more details.

Authenticator ID Wildcard

If your setup supports the use of multiple authenticators, for example two mobile phones with the branded Access App belonging to the same user, you can now use the * wildcard to allow for either of those to be used for transaction approval.

The payload sent to the approval endpoint would also need to set the channel to app. See example below:

curl "https://$" \
-H "Authorization: Bearer $access_key" \
-H 'Content-Type: application/json' \
-d '{ "channel": "app", "username": "Userxyz123", "authenticatorId": "*" }'


FIDO2: Web Authentication (WebAuthn)

  • Register with a compulsory username that uniquely identifies your user.
  • Set the channel to fido2.
  • You also need to add a human-friendly displayName.
  • The WebAuthn feature requires specific configuration changes to your instance. For more information, see WebAuthn overview.

Independent security audit

The Auth Cloud underwent an 8-day security audit by an independent third party that specializes in penetration testing. The scope included blackbox testing of all production infrastructure, the newly released public functionality and features, and whitebox testing on the code-base. Smaller risks were discovered, all of which have been fixed and verified. Additional recommendations were also implemented.



My Customer Portal

All our demos are now available under our brand-new My Customer Portal (MCP). Sign up, register a device, see how biometric approvals can help you improve security and boost customer retention on your own portal.



method deprecation

⚠️ The method member has been deprecated in the API. Going forward it is replaced by channel. This was necessary to consolidate new features such as SMS OTP and recovery codes.

Deprecated means that going forward, method will still work for existing integrations until further notice, but its use should be replaced by channel in existing integrations. Only channel is to be used for new integrations.



Hot off the press, the new SMS OTP-based second factor for authentication is now available for Auth Cloud. If you want to roll this out to your customers, get in touch with us so we can configure your SMS provider in your instance.

For technical details, see the API guide on how to authenticate with SMS

Recovery Codes

Auth Cloud can now provide one-time recovery codes for your customers. These 16-digit codes with 75+ bit entropy enable your customers to recover their accounts even when all their authenticators are lost or damaged. This feature can be tested on the test app of your instance under Test & Debug.

See the Developer Documentation for details.



Independent security audit

The Auth cloud underwent a 10-day security audit by an independent third party that specializes in penetration testing. The scope included blackbox and whitebox testing of all production infrastructure, and public functionality and features. No major risk was discovered, all recommendations were implemented and verified.


Management console improvements

Several small improvements were implemented on the console for the user and device search functionality.


API version 1 is available

The API is now public so you can start the integration of your front-end and back-end applications using our APIs directly. Visit the Developer documentation for more.


Management console is now available

The Nevis Authentication Cloud management console is now available. The current functionality includes user and device management, and the creation and deletion of access key for server access.