With the 22.10 release, CyberArk Identity supports the following new features:
Multi-factor Authentication
Number Matching for Mobile Authenticator
CyberArk Adaptive Multi-Factor Authentication now supports number matching for MFA push notifications. Number matching capability is a user-friendly method to prevent attacks that rely on multi-factor authentication (MFA) fatigue to gain unauthorized access to protected systems.
MFA fatigue is a common technique used by attackers to spam targets with authentication approval requests. Attackers hope that the user continuously receiving approval requests will eventually accept one, allowing unauthorized access.
With number matching enabled, a user logging in to CyberArk Identity is shown a unique number on the login screen. To authenticate, they must select a matching number in the CyberArk Identity Mobile Authenticator app. End users who receive MFA push notifications do not know the correct number unless they initiate the login attempt and, therefore, cannot approve the request.
Number Matching for Mobile Authenticator MFA
To learn more about number matching, please see the documentation here.
Single Sign-On
Remember Last Username
CyberArk Identity Single Sign-On now allows end users to save the last username used to authenticate into the CyberArk Identity User Portal. Previously, users were required to type in their username each time they logged in to CyberArk Identity. Now, users can select the “Remember me” checkbox to allow the username to be pre-populated during the subsequent login. This feature improves the end-user experience and simplifies the login process.
Remember me checkbox UI
Please see our documentation to learn more about number matching.
Workforce Password Management
Application Access Controls Based on Email Domains
CyberArk Workforce Password Management now allows administrators to restrict access to applications based on email domains.
CyberArk Workforce Password Management is an enterprise-scale solution that enables workforce users to store and share business app credentials securely. In addition to business applications, users can add any username and password-based apps to Workforce Password Management, including consumer applications or apps that use personal email addresses to log in.
With this release, you can now prevent users from adding, sharing or launching applications associated with specific email domains by adding them to an exclusion list. For example, you can add “gmail.com” to the exclusion list, preventing users from storing their personal account credentials in the Workforce Password Management vault.
To learn more about restricting access to Workforce Password Management apps, please see here.
Application Access Controls Based on Conditional Rules
CyberArk Workforce Password Management now allows administrators to restrict access to user-added applications based on conditional access rules. Admins can use these rules to require users to pass additional authentication challenges or block access to user-added apps.
Previously, CyberArk Workforce Password Management supported access restrictions to admin-configured enterprise applications based on various conditional access rules. Now, these rules are extended to user-added applications. For example, you can require users to be on a corporate network, allow access from devices running iOS or Mac operating systems or restrict access to specific days of the week. Users attempting to launch apps outside the predefined conditions could gain access by passing additional authentication challenges or be blocked from accessing apps until all requirements are met. This gives administrators greater control over user-added applications and ensures that all apps are accessed in alignment with the corporate security policies.
Conditional Access Rules
To learn more about application access restrictions, please see the documentation here.
Clear Clipboard Data
Workforce Password Management allows users to copy username and password entries from their vaults and paste them into the login form rather than typing them out. With this release, you can now define how long copied data remains in the clipboard after the copy operation.
Generally, the clipboard keeps whatever is copied into it until something else overwrites it, introducing the risk of inadvertent credential disclosure. For example, hours after you copy your password, you could accidentally paste and send it in a message. Now, you can automatically clear the clipboard after a configurable time. This eliminates the need to manually overwrite your clipboard and prevents accidental disclosure of sensitive Workforce Password Management data.
For more information about configuring clipboard overwrite, please see here.
For more information on the 22.10 release, please see the CyberArk Identity release notes.