You can use Beyond Identity's policy engine to enforce minimum authenticator version requirements across your organization. This guide walks through creating a policy rule that blocks authentication attempts from devices running outdated authenticator versions and displays a custom message to affected users.
Overview
Keeping the Beyond Identity Platform Authenticator up to date is critical for security. Newer versions contain security patches, bug fixes, and support for the latest device posture checks. By creating a policy rule that denies authentication for outdated authenticator versions, you can ensure that all users are running a version that meets your organization's security requirements.
After completing this guide, you will have:
A deny rule that blocks authentication when the authenticator version is below your specified minimum
A custom notification message that tells the user why they were blocked and how to update
Prerequisites
Admin access to the Beyond Identity Secure Work Console
A target minimum authenticator version (e.g., 2.107.0). Check the Authenticator Release Notes for the latest version.
Step 1: Navigate to Policy
Log in to the Beyond Identity Admin Console.
In the left navigation menu, click Policy.
Click Edit Policy to enter editing mode.
Step 2: Add a deny rule for outdated authenticator versions
Click Add Rule. The Add Rule dialog appears.
Select the order for this rule. Since deny rules should generally be placed after any allow rules, position it accordingly. See the tip below for guidance on rule ordering.
(Optional) Enter a name for the rule, such as Block outdated authenticators.
(Optional) Enter a description, such as Deny authentication when the authenticator version is below the required minimum.
Configure the rule attributes
Under Rule Definition, configure the following:
For Transaction, select Authentication from the drop-down menu.
For Authenticator Details, click + Add and select Authenticator version.
Set the operator to Is less than.
Enter your minimum required version number (e.g., 2.107.0).
This rule will match any authentication attempt where the installed authenticator version is below the version you specified.
Set the rule outcome to Deny
Under the rule outcome, select Deny.
Step 3: Add a custom deny message
When a user is denied by this rule, they will see a notification on their device. You can customize this message to explain why they were blocked and what action they should take.
Under Customize notification, enter a descriptive message. For example:
Your Beyond Identity Authenticator is out of date. Please update to version 2.107.0 or later to continue authenticating. You can update by downloading the latest version for your platform at https://app.byndid.com/downloads or checking for updates within the app.
Contact your IT Help Desk if you need assistance updating. <Link to Optional Help Desk Article>.
Writing a clear, actionable deny message helps reduce confusion and support tickets by telling users exactly what they need to do.
Step 4: Save and publish the rule
Click Add to save the rule. The rule appears in the Policy Rules list.
Click Publish changes to apply the rule immediately.
Important: Rules are not applied until they are published. If you exit the Admin Console without publishing, your changes will be lost.
Recommended: Test with Monitor first
Before enforcing a deny rule in production, it is best practice to first create the rule as a Monitor rule. Monitor rules do not block authentication — they only log what would happen. This lets you observe the impact and verify that the rule is matching the correct users and devices before switching it to Deny.
Follow the steps above, but set the rule outcome to Monitor instead of Deny.
Publish the rule and review the results in the Activity log for a few days.
Once you are confident the rule behaves as expected, edit the rule and change the outcome to Deny.
Publish the changes again.
Example: Deny rule
| Name | Condition | Outcome | Message |
|---|---|---|---|
| Block outdated authenticators | Authenticator version is less than 2.108.0 | Deny | Please update your authenticator to version 2.107.0 or later. |
Troubleshooting
Users are being denied unexpectedly
Check the Activity log under Policy to see which rule matched.
Verify that the version number in the rule is correct. Remember that version comparisons are performed numerically (e.g., 2.99.0 is less than 2.100.0).
If you recently published a new rule, use View previous policy rules to compare with the previous rule set.
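The numeric comparison noted above, as an added example that is not part of the original guide and is not Beyond Identity code: it previews offline which devices an Is less than rule would match, given a version inventory you have exported yourself. The device names and versions are constructed, and the zero-padding of short versions and the "unparsed" bucket are assumptions of this example; no Beyond Identity API is called.

```python
# Added example: models the "Is less than" version condition offline.
# Assumption: versions are dotted integers compared component by component,
# as the guide's 2.99.0 < 2.100.0 note describes. Not Beyond Identity code.

def parse_version(text):
    """Turn '2.107.0' into (2, 107, 0); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_less_than(installed, minimum):
    """Numeric comparison; shorter versions are zero-padded (assumption)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def preview_rule(inventory, minimum):
    """Split an inventory into devices the rule would deny, allow, or cannot parse."""
    result = {"deny": [], "allow": [], "unparsed": []}
    for device, version in inventory:
        try:
            bucket = "deny" if is_less_than(version, minimum) else "allow"
        except ValueError:
            bucket = "unparsed"  # review by hand; do not assume either outcome
        result[bucket].append(device)
    return result

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("laptop-01", "2.99.0"),
    ("laptop-02", "2.100.0"),
    ("laptop-03", "2.106.4"),
    ("phone-01", "2.107.0"),
    ("phone-02", "2.108.1"),
    ("kiosk-01", "unknown"),
]

if __name__ == "__main__":
    preview = preview_rule(SAMPLE_INVENTORY, "2.107.0")
    for outcome, devices in preview.items():
        print(f"{outcome:8} {', '.join(devices)}")
    # A plain string comparison orders these the wrong way round:
    print("string compare 2.99.0 < 2.100.0:", "2.99.0" < "2.100.0")
    print("numeric compare 2.99.0 < 2.100.0:", is_less_than("2.99.0", "2.100.0"))
```

Comparing the preview against the Activity log entries produced by a Monitor rule is a quick way to confirm the threshold you entered matches the devices you expected.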
Users are not seeing the custom deny message
Ensure the message was entered under Customize notification in the deny rule.
Confirm the rule has been published.
Rolling back a rule
Click the Last published link at the top of the Policy page to view previously published rule sets.
Select a previous version and click I want to restore this version to revert.