Changelog
2023
May
FIDO2 autofill UI
We added support for the FIDO2 autofill UI feature to provide an easier user experience. With the autofill UI feature, users do not need to provide their username when they authenticate a transaction.
Status token parameter is no longer required in FIDO2 registration and authentication responses
You do not need to add the statusToken parameter in FIDO2 registration and authentication calls, because the REST API endpoints does not require the statusToken field anymore.
January
Display registered phone numbers on the management console
If a user registered a phone number, now the number is displayed on the management console in the user profile. The phone number is masked. You can also remove a phone number here.
2022
December
REST API extended with new optional push notification message
The newly introduced notificationMessage REST API parameter makes it possible to configure two different notification messages for push authentication. The notificationMessage parameter is optional, and its message is displayed on the notification drawer or notification center. In comparison, the text configured in the message parameter only appears in the Access App. If you only use the message parameter, the text from this parameter appears in both places.
November
Display recovery codes on the management console
If a user registered recovery codes as authentication method, now the management console displays information about them in the user profile. You can check how many active recovery codes a user has, and how many were redeemed. You can also revoke all 16 recovery codes at once here.
September
Management console dashboard
We added a dashboard screen to the management console. If you click Dashboard on the sidebar, you can now see visualized metrics about your Authentication Cloud instance.
May
Updated Figma templates
At Nevis, we use Figma templates to customize the design of the Access Apps. We updated the Figma templates for a simpler and more streamlined experience on your side.
With the update, we included all your previously uploaded logos and color settings so you can continue where you left off.
On the Management Console, you can find the updated templates under Graphics & Branding.
April
Java and Spring vulnerability fixes
Based on our analysis, Authentication Cloud is not affected by the recent Java and Spring vulnerability issues. To mitigate risks, we delivered fixes for CVE-2022-21449 and CVE-2022-22968. We keep monitoring the situation, and apply further updates if needed.
March
Escape characters in error messages
Unescaped HTML special characters in JSON error messages can lead to a security vulnerability. MSIE11 on Windows 7 and Windows 8 can be tricked into rendering application/json as text/html. However, the attack is only possible if an adversary can frame the affected response using an iframe, concurrently to the initial request being an HTTP GET.
We made sure that JSON responses do not contain unescaped HTML special characters. For characters such as < or >, we now use the JavaScript unicode escapes \u003c and \u003e. With this change, there is no further potential for triggering XSS attacks using HTML special characters inside JSON responses.
Spring4Shell
Regarding the Spring framework remote code exploit, our current understanding is that Authentication Cloud is not affected. To be on the safe side, we proactively applied the official Spring upgrades.
February
Usernameless authentication
Usernameless means you can start the authentication flow without supplying the username. Once the user has successfully authenticated, you can connect the approved transaction, such as a login, to the particular user.
- This feature only works with the a branded or an SDK-based Access App, with a QR code or a link.
- The supported SDK & Access App version is 2.2.0 or higher.
- The
approvalendpoint no longer requires ausernameoruserIdif thechannelis set toapp. - Intermittent polls on the
statusendpoint will not have theuserIdin the response. Only if the user successfully authenticated will thestatusAPI endpoint return theuserIdso it can be bound to the transaction session.
Visit Usernameless authentication for more details.
Authenticator ID Wildcard
If your setup supports the use of multiple authenticators, for example two mobile phones with the branded Access App belonging to the same user, you can now use the * wildcard to allow for either of those to be used for transaction approval.
The payload sent to the approval endpoint would also need to set the channel to app. See example below:
curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
-XPOST \
-H "Authorization: Bearer $access_key" \
-H 'Content-Type: application/json' \
-d '{ "channel": "app", "username": "Userxyz123", "authenticatorId": "*" }'
January
FIDO2: Web Authentication (WebAuthn)
- Register with a compulsory
usernamethat uniquely identifies your user. - Set the
channeltofido2. - You also need to add a human-friendly
displayName. - The WebAuthn feature requires specific configuration changes to your instance. For more information, see WebAuthn overview.
Independent security audit
The Auth Cloud underwent an 8-day security audit by an independent third party that specializes in penetration testing. The scope included blackbox testing of all production infrastructure, the newly released public functionality and features, and whitebox testing on the code-base. Smaller risks were discovered, all of which have been fixed and verified. Additional recommendations were also implemented.
2021
November
My Customer Portal
All our demos are now available under our brand-new My Customer Portal (MCP). Sign up, enroll a device see how biometric approvals can help you improve security and boost customer retention on your own portal.
October
Widget Integration
The widget is a ready-made, light-weight, secure JS client, which provides a graphical user interface that can be embedded into your webpage. It can manage your user registrations and authentications for you. Read the widget docs to understand the prerequisites and the flows. Read the details about the intent token management in the API docs.
August
method deprecation
⚠️ The method member has been deprecated in the API. Going forward it is replaced by channel. This was necessary to consolidate new features such as SMS OTP and recovery codes.
Deprecated means that going forward, method will still work for existing integrations until further notice, but its use should be replaced by channel in existing integrations. Only channel is to be used for new integrations.
May
SMS OTP
Hot off the press, the new SMS OTP-based second factor for authentication is now available for Auth Cloud. If you want to roll this out to your customers, get in touch with us so we can configure your SMS provider in your instance.
For technical details, see the API guide on how to authenticate with SMS
Recovery Codes
Auth Cloud can now provide one-time recovery codes for your customers. These 16-digit codes with 75+ bit entropy enable your customers to recover their accounts even when all their authenticators are lost or damaged. This feature can be tested on the test app of your instance under Test & Debug. See the API Documentation for details.
March
Auth Cloud Trial
The Nevis Authentication Cloud, nicked Auth Cloud, is now publicly available. You can sign up here for a free trial.
2020
December
Independent security audit
The Auth cloud underwent a 10-day security audit by an independent third party that specializes in penetration testing. The scope included blackbox and whitebox testing of all production infrastructure, and public functionality and features. No major risk was discovered, all recommendations were implemented and verified.
November
Management console improvements
Several small improvements were implemented on the console for the user and device search functionality.
October
API version 1 is available
The API is now public so you can start the integration of your front-end and back-end applications using our APIs directly. Visit the API documentation for more.
September
Management console is now available
The Nevis Authentication Cloud management console is now available. The current functionality includes user and device management, and the creation and deletion of access key for server access.