Improved
- Added a new "launch mechanism" risk signal to the Risk dashboards, which detects whether authentications are using a launch mechanism with optimal phishing resistance. To view this enhancement:
  - Go to the Admin Console > Insights > Risk Overview and select View risk scores by User.
  - Click a user in the table to view the signals that apply to that user. If the signal applies, an entry for "Launch mechanism insecure" appears with details.
  - When exporting data from the table, the entry looks similar to the following:
    ... ""launch_mechanism_insecure"":{""detection_count"":44,""score_count"":686,""scored_entity"":""correlation_id"",""scored_entity_count"":686} ...
- For the OIDC Login Hint Validation Config, added a new "USER_NAME_LOCAL_PART" strategy that matches the hint against the username portion of an email-shaped username. This covers SSOs that require usernames to be in the form of an email address, where the username may not match the user's actual email address.
  Example: If the actual email address is john.smith@example.com and the username is jsmith, the SSO would require the username to be jsmith@example.com, while the login hint would be jsmith, which matches the "local part" of the username (everything before the @). If your SSO does not force usernames to look like email addresses (for example, the username is simply jsmith), the USER_NAME_LOCAL_PART strategy behaves the same as the USER_NAME strategy.
  Once a passkey is selected, the provided hint is matched against the selected strategies until one succeeds and authentication continues; if all of them fail, authentication fails. For more information, see: https://support.beyondidentity.com/hc/en-us/articles/15280892701463-OIDC-login-hint-Matching.
- Authentication events now also include login hints when one is provided. Additionally, if authentication fails because of a login hint mismatch, this is captured in the Reason section of the authentication event, as seen in the following image:
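The login hint matching described in the OIDC item above, together with the mismatch reason the authentication event records, as an added example that is not Beyond Identity's code. It assumes exact string comparison, models only the two strategies the notes name (USER_NAME and USER_NAME_LOCAL_PART), and the User class and reason strings are illustrative.

```python
"""Match an OIDC login_hint against an ordered list of validation strategies.

Added example, not Beyond Identity's implementation. Assumptions: hints are
compared by exact string equality, and only the two strategies named in the
release notes (USER_NAME, USER_NAME_LOCAL_PART) are modelled.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class User:
    username: str  # what the SSO knows the user as, e.g. "jsmith@example.com"
    email: str     # the user's actual mailbox, e.g. "john.smith@example.com"


def local_part(value: str) -> str:
    """Everything before the first '@'; the whole string if there is none."""
    return value.split("@", 1)[0]


# Strategy name -> predicate(hint, user). Illustrative names only.
STRATEGIES: dict[str, Callable[[str, User], bool]] = {
    "USER_NAME": lambda hint, user: hint == user.username,
    # A username without '@' is returned unchanged by local_part(), so this
    # degrades to USER_NAME exactly as the release notes describe.
    "USER_NAME_LOCAL_PART": lambda hint, user: hint == local_part(user.username),
}


def validate_login_hint(hint: str, user: User, selected: list[str]) -> tuple[bool, str]:
    """Try each selected strategy in order and stop at the first success.

    Returns (ok, reason). On failure the reason names every strategy that was
    tried, the kind of detail worth surfacing in an authentication event's
    Reason field so a mismatch can be diagnosed from the event alone.
    """
    for name in selected:
        try:
            predicate = STRATEGIES[name]
        except KeyError:
            raise ValueError(f"unknown login hint strategy: {name}") from None
        if predicate(hint, user):
            return True, f"login_hint matched by {name}"
    tried = ", ".join(selected) or "none"
    return False, f"login_hint {hint!r} matched no selected strategy (tried: {tried})"


if __name__ == "__main__":
    # Constructed sample: email-shaped username that differs from the mailbox.
    u = User("jsmith@example.com", "john.smith@example.com")
    print(validate_login_hint("jsmith", u, ["USER_NAME", "USER_NAME_LOCAL_PART"]))
    print(validate_login_hint("john.smith", u, ["USER_NAME", "USER_NAME_LOCAL_PART"]))
```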