2022
May
Updated Figma templates
At Nevis, we use Figma templates to customize the design of the Access Apps. We updated the Figma templates for a simpler and more streamlined experience on your side.
With the update, we included all your previously uploaded logos and color settings so you can continue where you left off.
On the Managament Console, you can find the updated templates under Graphics & Branding.
April
Java and Spring vulnerability fixes
Based on our analysis, Authentication Cloud is not affected by the recent Java and Spring vulnerability issues. To mitigate risks, we delivered fixes for CVE-2022-21449 and CVE-2022-22968. We keep monitoring the situation, and apply further updates if needed.
March
Escape characters in error messages
Unescaped HTML special characters in JSON error messages can lead to a security vulnerability. MSIE11 on Windows 7 and Windows 8 can be tricked into rendering application/json
as text/html
. However, the attack is only possible if an adversary can frame the affected response using an iframe
, concurrently to the initial request being an HTTP GET.
We made sure that JSON responses do not contain unescaped HTML special characters. For characters such as <
or >
, we now use the JavaScript unicode escapes \u003c
and \u003e
. With this change, there is no further potential for triggering XSS attacks using HTML special characters inside JSON responses.
Spring4Shell
Regarding the Spring framework remote code exploit, our current understanding is that Authentication Cloud is not affected. To be on the safe side, we proactively applied the official Spring upgrades.
February
Usernameless authentication
Usernameless means you can start the authentication flow without supplying the username. Once the user has successfully authenticated, you can connect the approved transaction, such as a login, to the particular user.
- This feature only works with the a branded or an SDK-based access app, with a QR code or a link.
- The supported SDK & Access App version is 2.2.0 or higher.
- The
approval
endpoint no longer requires ausername
oruserId
if thechannel
is set toapp
. - Intermittent polls on the
status
endpoint will not have theuserId
in the response. Only if the user successfully authenticated will thestatus
API endpoint return theuserId
so it can be bound to the transaction session.
Visit Usernameless authentication for more details.
Authenticator ID Wildcard
If your setup supports the use of multiple authenticators, for example two mobile phones with the branded access app belonging to the same user, you can now use the *
wildcard to allow for either of those to be used for transaction approval.
The payload sent to the approval
endpoint would also need to set the channel
to app
. See example below:
curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
-XPOST \
-H "Authorization: Bearer $access_key" \
-H 'Content-Type: application/json' \
-d '{ "channel": "app", "username": "Userxyz123", "authenticatorId": "*" }'
January
FIDO2: Web Authentication (WebAuthn)
- Register with a compulsory
username
that uniquely identifies your user. - Set the
channel
tofido2
. - You also need to add a human-friendly
displayName
. - The WebAuthn feature requires specific configuration changes to your instance. For more information, see WebAuthn overview.
Independent security audit
The Auth Cloud underwent an 8-day security audit by an independent third party that specializes in penetration testing. The scope included blackbox testing of all production infrastructure, the newly released public functionality and features, and whitebox testing on the code-base. Smaller risks were discovered, all of which have been fixed and verified. Additional recommendations were also implemented.
Feedback
Was this page helpful?