2022

May

Updated Figma templates

At Nevis, we use Figma templates to customize the design of the Access Apps. We updated the Figma templates for a simpler and more streamlined experience on your side.

With the update, we included all your previously uploaded logos and color settings so you can continue where you left off.

On the Management Console, you can find the updated templates under Graphics & Branding.

April

Java and Spring vulnerability fixes

Based on our analysis, Authentication Cloud is not affected by the recent Java and Spring vulnerabilities. To mitigate risks, we nevertheless delivered fixes for CVE-2022-21449 and CVE-2022-22968. We keep monitoring the situation and will apply further updates if needed.

March

Escape characters in error messages

Unescaped HTML special characters in JSON error messages can lead to a security vulnerability: MSIE11 on Windows 7 and Windows 8 can be tricked into rendering application/json as text/html. However, the attack is only possible if an adversary can frame the affected response in an iframe and the initial request is an HTTP GET.

We made sure that JSON responses do not contain unescaped HTML special characters. For characters such as < or >, we now emit the JavaScript unicode escapes \u003c and \u003e instead. The escaped output is still valid JSON and decodes to the same value, so clients are unaffected, but there is no longer any potential for triggering XSS through HTML special characters inside JSON responses.
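The escaping described above, as an added Python illustration (this is not Nevis code; the error object and message text are constructed): serialize an error response so that < and > become \u003c and \u003e while the result still decodes to the original value, plus a check that can be run over any response body to confirm no raw HTML special characters remain.

```python
import json

# Characters the page names as dangerous when a browser sniffs a JSON
# response as text/html, mapped to their JavaScript unicode escapes.
HTML_ESCAPES = {"<": "\\u003c", ">": "\\u003e"}


def dump_json_html_safe(obj) -> str:
    """Serialize obj to JSON with < and > replaced by \\u003c and \\u003e.

    JSON syntax never uses < or > outside string literals, so replacing
    them anywhere in the serialized text only touches string content and
    the output remains valid JSON that decodes to the same value.
    """
    raw = json.dumps(obj, ensure_ascii=False)
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in raw)


def has_unescaped_html(body: str) -> bool:
    """Defender-side check: True if a response body still carries raw
    HTML special characters, i.e. the escaping step was skipped."""
    return any(ch in body for ch in HTML_ESCAPES)


# Constructed sample: an error message that echoes attacker-influenced input.
SAMPLE_ERROR = {
    "status": 400,
    "error": "Invalid value for parameter 'username': <b>not allowed</b>",
}

if __name__ == "__main__":
    unsafe = json.dumps(SAMPLE_ERROR, ensure_ascii=False)
    safe = dump_json_html_safe(SAMPLE_ERROR)
    print("unsafe body flagged:", has_unescaped_html(unsafe))
    print("safe body flagged:  ", has_unescaped_html(safe))
    print("round-trips:        ", json.loads(safe) == SAMPLE_ERROR)
    print(safe)
```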

Spring4Shell

Regarding the remote code execution vulnerability in the Spring framework (Spring4Shell), our current understanding is that Authentication Cloud is not affected. To be on the safe side, we proactively applied the official Spring upgrades.

February

Usernameless authentication

Usernameless means you can start the authentication flow without supplying the username. Once the user has successfully authenticated, you can connect the approved transaction, such as a login, to the particular user.

  • This feature only works with a branded or an SDK-based access app, with a QR code or a link.
  • The supported SDK & Access App version is 2.2.0 or higher.
  • The approval endpoint no longer requires a username or userId if the channel is set to app.
  • Intermediate polls of the status endpoint do not include the userId in the response. Only once the user has successfully authenticated does the status endpoint return the userId, so it can be bound to the transaction session.

Visit Usernameless authentication for more details.

Authenticator ID Wildcard

If your setup supports the use of multiple authenticators, for example two mobile phones with the branded access app belonging to the same user, you can now use the * wildcard to allow either of them to be used for transaction approval.

The payload sent to the approval endpoint would also need to set the channel to app. See example below:

curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
  -XPOST \
  -H "Authorization: Bearer $access_key" \
  -H 'Content-Type: application/json' \
  -d '{ "channel": "app", "username": "Userxyz123", "authenticatorId": "*" }'

January

FIDO2: Web Authentication (WebAuthn)

  • Register with a compulsory username that uniquely identifies your user.
  • Set the channel to fido2.
  • You also need to add a human-friendly displayName.
  • The WebAuthn feature requires specific configuration changes to your instance. For more information, see WebAuthn overview.

Independent security audit

The Auth Cloud underwent an 8-day security audit by an independent third party that specializes in penetration testing. The scope included blackbox testing of all production infrastructure and of the newly released public functionality and features, and whitebox testing of the code base. Minor risks were discovered, all of which have been fixed and verified. Additional recommendations were also implemented.