Secure Work Release Notes

Secure Beyond Identity delivers regular product releases that include new features and fixes for Secure Work. Additional updates may be rolled out between releases and include general improvements. For Authenticator release notes, click here.

2026

February 9, 2026

Beyond Identity Secure Work Release Notes

What’s New

RealityCheck for Zoom User Interface Refresh

RealityCheck for Zoom has been refreshed with a redesigned interface and updated branding, improving usability and providing a more modern, consistent, and secure user experience. For full documentation, click here.

February 1, 2026

Beyond Identity Secure Work Release Notes

Beyond Identity began deployment of a new Secure Work software release on February 1, 2026.

What’s New

  • Authentication Loading Screens (General Availability)
    Secure Work now supports branded authentication loading screens across all tenants, enabling consistent branding and messaging throughout authentication flows.

  • Splunk App Integration
    The Beyond Identity App for Splunk is now available, allowing organizations to monitor and analyze Secure Work authentication activity via Splunk.

    For full documentation, click here.

Enhancements

  • Improved Page Responsiveness
    Updated page layouts to improve responsiveness and usability across different screen sizes and devices.

  • Improved Passkey Error Screen in Self-Remediation Flow
    We’ve improved the user self-remediation experience by updating the error screen shown when a user attempts to sign in without their passkey available on the current device. The updated screen now displays the tenant logo, making it easier for users to recognize the organization they’re signing into and better understand the context of the error.

    For full documentation, click here.

Bug Fixes

  • macOS Safari Authentication Issue
    Fixed an issue that could prevent successful authentication on macOS using Safari version 26.2.

2025

December 6, 2025

Beyond Identity Secure Work Release Notes

Beyond Identity began deployment of a new Secure Work software release on December 6, 2025.

What's New

  • New User Onboarding Flow (Limited availability)
    A new enrollment flow is now available in the Secure Work environment (by request only). Users can enroll via IDP Authorization or Magic Link, both guided by an onboarding wizard that walks them through authentication, agent download, and device enrollment, reducing friction and improving activation rates.

    Please submit a ticket with our Support Team to enable this feature for your tenant.

    For full documentation, click here.

  • Admin Support for IDP Integrations in Enrollment Flow (Limited availability)
    Admins can now create Identity Provider integrations that are used during the new onboarding flow, enabling federated authentication through supported IDPs as part of the enrollment wizard.

    Please submit a ticket with our Support Team to enable this feature for your tenant.

  • New SAML Authentication Methods (Limited availability)
    Authentication methods, such as biometrics, OS verification, and roaming authenticators, are now included in SAML responses and activity logs. Admins can also enforce policy decisions based on the availability of biometric sensors, offering greater visibility and control over authentication strength.

    This feature is optional; to enable it, please contact our Support team. For full documentation, click here.


Bug Fixes

  • Policy Match Count Timeouts and Activity Search Filtering
    Fixed server timeout when fetching policy rule match counts over larger intervals. Also, narrowed search filter criteria on the Activity page when searching by value in event properties.

November 6, 2025

Beyond Identity Secure Work Release Notes

Hot Fix Release

What's New

  • New Authentication Loading Screens
    Beyond Identity now supports customizable logos on the new authentication loading screens for tenants using the Secure Work platform flow. This enhancement lets organizations display their branding during user authentication to create a seamless, trusted user experience.

    To enable this feature, admins can submit a request through Beyond Identity Support.

    For documentation on tenant logo branding, click here.

October 25, 2025

Beyond Identity Secure Work Release Notes

Beyond Identity began deployment of a new Secure Work software release on October 25, 2025.

What's New

  • New Source Field in Okta Attribute Mapping
    When configuring the Install Okta Registration dialog window, users will now see a new Source field under Okta Attribute Mapping, allowing selection of the desired attribute mapping directly during setup.

    This new Source field has also been added to the Okta Attribute Mapping page, giving administrators more flexibility in user provisioning and attribute synchronization. Supported values include external_id, email, username, and display_name.

    For full documentation, click here.


Enhancements

  • Updated Desktop Login Integration Names

    • In the Secure Work console, under Integrations, the Desktop Login tab now shows the new Windows Desktop Login with Security Keys integration. It was previously named "Desktop Login Enrollment."

    • Windows Desktop Login (Legacy) is now called Windows Desktop Login with BiometricPIN (AD Connector).


  • Updated CrowdStrike API for Device Posture Data
    Secure Access now uses an updated CrowdStrike API designed for improved stability and accuracy in device posture reporting. This enhances the reliability of policy decisions that depend on device health signals.

Bug Fixes

  • Fixed Missing Platform Icons on Authenticator Downloads Page
    Resolved an issue where platform icons were not appearing on the Platform Authenticator downloads page. Icons now display correctly for all supported platforms.

October 19, 2025

Beyond Identity Secure Work Release Notes

Hot Fix Release

  • Improved Reliability of Threat Signal Publishing
    Fixed an issue that caused some event signals to not be published to certain SIEM integrations. The update improves the reliability and stability of the threat-signals service to ensure all events are consistently delivered.

October 3, 2025

Beyond Identity Secure Work Release Notes

Hot Fix Release


Bug Fix

Windows Desktop Login (YubiKey) – WS-FED Hot Fix

This hot fix addresses several issues affecting customers using Windows Desktop Login with YubiKey over WS-FED.

  • Authentication events now correctly report the actor, improving visibility and auditability.

  • Policy enforcement has been strengthened so that a DENY action reliably prevents login attempts over WS-FED.

  • The Authenticator IP and Related IP fields now populate as expected for POLICY – DENY and POLICY – ALLOW events, ensuring accurate enforcement of IP-based rules. This also fixes the QR Roaming code display so it appears correctly when roaming is restricted by IP rules.

In the example events view below, the Principal Actor is now correctly displayed:

image-1.png


In the example policy event below, the Authenticator IP and Related IPs are properly populated on a POLICY event. Previously, these values were often empty or incomplete, which caused policy rules to fail when matching IP addresses.

image-2.png

September 26, 2025

Beyond Identity Secure Work Release Notes

Hot Fix Release

  • Android / Chrome
    Fixed an issue where certain Android devices, including Google Pixel models, failed to authenticate in Chrome due to corrupted data payloads generated by the browser.

  • Chrome v141
    Updated support for Chrome v141 to reflect Google’s changes to the Local Network Access feature, ensuring users only encounter the new access prompt once per device. For documentation on this, please click here.

September 23, 2025

Beyond Identity Secure Work Release Notes

Hot Fix Release

Enhancement

Extended Credential Binding Job Retention
Credential binding jobs are now retained for up to 90 days after they expire or are completed/redeemed. This extension allows clients additional time to poll for binding job status, improving flexibility in integration workflows.

The specific API affected by this improvement is:
POST https://api.byndid.com/v2/binding-jobs
More documentation can be found here about this API endpoint:
https://docs.beyondidentity.com/api/v0#tag/Binding-Jobs

August 27, 2025

Beyond Identity Secure Work Release Notes

This release of Secure Work includes three important bug fixes to enhance stability and performance.

What's New

  • New API: Retrieve Credential Binding Jobs

    We’ve added support for retrieving credential binding jobs through a new API resource.

    Endpoint:
    GET /v2/binding-jobs/{binding_job_id}

    Details:

    Use this endpoint to check the status and details of an existing binding job.

    • If the delivery method for the job is SHORT_CODE, the response will not include the short code. (Short codes are only available at the time of creating a binding job.)

    • This enhancement makes it easier to track the lifecycle of binding jobs.

      View API Documentation

Bug Fixes

  • Integration Password Entry
    Fixed an issue in the Secure Work admin console where entering a password during integration configuration incorrectly triggered a 'Credentials not valid' error. Additionally, sensitive fields (such as passwords and API tokens) now support both manual entry and copy/paste functionality for improved user experience.

  • Endpoint URL Validation
    Improved endpoint configuration by preventing users from entering URLs with trailing slashes.

  • Event Log Noise Reduction
    Removed unnecessary 'User Authentication – UNAUTHORIZED' events that contained no meaningful details, reducing noise in admin event logs.

August 11, 2025

Beyond Identity Secure Work Release Notes

What's New

New Beyond Identity Logo


Beyond Identity unveiled a refreshed logo design on August 11 as part of our company rebrand. Customers will see the updated logo across the RealityCheck, Secure Work, and Secure Access platforms, as well as on both documentation portals. This update is visual only and does not impact platform functionality or user workflows. We’re excited to share this next chapter of our brand with you.

August 9, 2025

Beyond Identity Secure Work Release Notes

This hot fix release resolves a bug related to the Sumo Logic SIEM integration in Secure Work.

Bug Fix

  • Hot Fix: Secure Work Sumo Logic Integration Now Accepts Valid URLs
    Fixed an issue that prevented successful setup and testing of the Sumo Logic SIEM Integration in Secure Work. Previously, the Integration creation and test endpoints would error when valid URLs were entered in the Secure Work Integration page. This was caused by a bug that only allowed schemeless URLs to pass validation, which are not functional for Sumo Logic integrations. This hot fix restores support for full, valid Sumo Logic URLs.

July 23, 2025

Beyond Identity Secure Work Release Notes

This release includes a bug fix related to passkey management.

Bug Fix

  • Incorrect Passkey Count After Deletion
    Resolved an issue where deleting a passkey could incorrectly decrement the total passkey count.

June 28, 2025

Beyond Identity Secure Work Release Notes

This release includes a set of bug fixes to improve overall stability and performance.

Bug Fixes

  • Synchronized Session Timeout Across Tabs
    Session inactivity timeout is now shared across all open tabs in the Secure Work Console, ensuring consistent logouts and improved security.

  • Eliminated Duplicate USER_AUTHENTICATION Events on Timeout
    Timeout scenarios no longer trigger multiple USER_AUTHENTICATION events. Events are now reliably emitted once per authentication attempt, improving log accuracy.

  • Corrected Invalid UNAUTHORIZED Authentication Events
    Resolved an issue where failed authentications could produce empty or invalid USER_AUTHENTICATION - UNAUTHORIZED events. These events now consistently contain the correct information for auditing and troubleshooting.

  • Resolved Passkey Detection Issue on ChromeOS
    Fixed an issue where the web authenticator on ChromeOS failed to detect and display newly created passkeys. Passkeys are now properly recognized and shown as expected.

  • Firefox Private Browsing Login Issue
    Resolved an issue preventing logins in Firefox Private Browsing mode after configuring Okta as an identity provider (IdP). Authentication payload handling has been improved to ensure reliable login experiences.

June 14, 2025

Beyond Identity Secure Work Release Notes

Product: Secure Work

Release Date: June 14, 2025

Enhancements

Console Session Behavior

  • Synchronized Session Timeout Across Tabs

    Session inactivity timeout is now shared across all open tabs in the Secure Work Console. This enhancement ensures that users are logged out consistently across tabs once a session expires, reducing confusion and improving security by preventing orphaned active sessions in background tabs.

Bug Fixes

  • Incorrect Windows OS Version Reporting

    We’ve fixed an issue in Secure Work where Windows devices sometimes reported the wrong OS version under the Users > Passkeys tab. Windows version information is now accurately captured and displayed, ensuring more reliable policy evaluation and device trust decisions.

May 28, 2025

Beyond Identity Secure Work Release Notes

Product: Secure Work

Release Date: May 28, 2025


Secure Work Release Notes for May 2025 bring powerful new features for IT admins, expanded support for identity integrations, and key improvements across the user experience. From customizable onboarding banners to enhanced proof prompts and refined role permissions, these updates are designed to strengthen security, improve clarity, and reduce friction for both users and administrators.

What's New

  • Custom Enrollment Banners for User Portal Now Available

    IT admins can now customize the enrollment banners shown to end users in the User Portal with the help of our Support Team. These banners support markdown formatting, making it easy to communicate onboarding instructions, security best practices, or key organizational messages at the point of device enrollment. This enhancement gives IT teams full control over messaging, helping reduce user confusion, lower support volume, and reinforce internal policies or branding.

  • New SCIM Attribute Support: employeeNumber

    We've added support for the employeeNumber attribute in our SCIM implementation, aligning with RFC 7643. This new directory attribute provides customers with more flexibility in user correlation, particularly useful for complex identity integrations involving systems like SailPoint and Okta. With this update, IT teams can map, store, and retrieve the employeeNumber attribute through SCIM and within the directory configuration, enabling more consistent identity lifecycle management across platforms.

  • Kandji + Beyond Identity Integration

    The Beyond Identity Mac Platform Authenticator (PA) is now integrated into Kandji's Auto App Collections, enabling fully automated deployment and updates via the Kandji MDM platform. This eliminates the need for IT admins to manually download and re-upload the latest version of the Mac PA, streamlining operations with zero-touch updates. By selecting options like "Continuously Enforce" and "Automatically enforce new updates," you can ensure your macOS devices will always have the latest, most secure version of the Beyond Identity Authenticator.


Enhancements

  • Updated Permissions for Help Desk Plus Role

    To better align with common access control practices, users assigned the “Help Desk Plus” role can no longer suspend other users. This helps ensure that sensitive account actions remain restricted to designated administrators.

    🔧 Learn more about roles and permissions

  • Platform Authenticator Updates: iOS v2.103.1 (Released May 13)

    Streamlined Navigation After Authentication on iOS
    We've improved the post-authentication experience in our iOS app to make navigation smoother and more intuitive. After completing authentication, users are now guided back to the previous screen more seamlessly, reducing friction and improving overall usability. This enhancement is part of our ongoing effort to deliver a more polished and user-friendly experience on key mobile platforms.

Bug Fixes

  • We’ve fixed an issue in the List Users API where the skip parameter wasn’t working as expected. You can now reliably paginate through users using this parameter in your API calls.

April 20, 2025

Beyond Identity Secure Work Release Notes

New event type: Fetch Data From Integration

We are now publishing a new debug capability for integrations that improves event transparency and accountability in the Beyond Identity Console.

The new event type, FETCH_DATA_FROM_INTEGRATION, provides information when an attempt to retrieve data from your integrations fails. Beyond Identity will retry the connection to your integration approximately once per 15 minutes. Each time the attempt to fetch data from the integration fails, you can view the new event in your Activity log.

After the connection to the integration is restored, we will send one FETCH_DATA_FROM_INTEGRATION event with a Success outcome to confirm that the connection has been reestablished. Future successful data retrievals will not send more events.
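
The event semantics above (one event per failed attempt, then a single Success event on recovery) are enough to reconstruct outage windows from an Activity log export. The following is an added example, not Beyond Identity code: the field names, the "Failure" outcome string and the integration names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

EVENT_TYPE = "FETCH_DATA_FROM_INTEGRATION"
RETRY_INTERVAL = timedelta(minutes=15)  # "approximately once per 15 minutes"

# Constructed sample export. Field names, the "Failure" outcome string and the
# integration names are assumptions; only the event type and the "Success"
# outcome are taken from the release note.
SAMPLE_EVENTS = [
    {"time": "2025-04-21T10:00:00Z", "type": EVENT_TYPE, "integration": "crowdstrike-prod", "outcome": "Failure"},
    {"time": "2025-04-21T10:15:00Z", "type": EVENT_TYPE, "integration": "crowdstrike-prod", "outcome": "Failure"},
    {"time": "2025-04-21T10:20:00Z", "type": "USER_AUTHENTICATION", "integration": None, "outcome": "Success"},
    {"time": "2025-04-21T10:31:00Z", "type": EVENT_TYPE, "integration": "crowdstrike-prod", "outcome": "Failure"},
    {"time": "2025-04-21T10:46:00Z", "type": EVENT_TYPE, "integration": "crowdstrike-prod", "outcome": "Success"},
    {"time": "2025-04-21T11:00:00Z", "type": EVENT_TYPE, "integration": "example-mdm", "outcome": "Failure"},
    {"time": "2025-04-21T11:15:00Z", "type": EVENT_TYPE, "integration": "example-mdm", "outcome": "Failure"},
]


def parse_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-04-21T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def outage_windows(events, now):
    """Group fetch events into outage windows, one dict per outage.

    Closed outages (ended by a Success event) come first in event order,
    followed by outages that are still open at `now`.
    """
    open_by_integration = {}
    windows = []
    fetch_events = [e for e in events if e.get("type") == EVENT_TYPE]
    for event in sorted(fetch_events, key=lambda e: parse_time(e["time"])):
        name, ts = event["integration"], parse_time(event["time"])
        if event["outcome"] == "Success":
            window = open_by_integration.pop(name, None)
            if window is None:
                # Recovery with no failure in this export: the outage began
                # before the exported time range.
                window = {"integration": name, "start": None,
                          "failed_attempts": 0, "last_failure": None}
            window.update(end=ts, stale=False)
            windows.append(window)
        else:
            window = open_by_integration.setdefault(
                name, {"integration": name, "start": ts,
                       "failed_attempts": 0, "last_failure": None})
            window["failed_attempts"] += 1
            window["last_failure"] = ts
    for window in open_by_integration.values():
        # An open outage should keep producing a failure roughly every retry
        # interval. Silence for more than two intervals without a Success
        # event means the export is incomplete or events are not arriving.
        quiet_for = now - window["last_failure"]
        window.update(end=None, stale=quiet_for > 2 * RETRY_INTERVAL)
        windows.append(window)
    return windows


if __name__ == "__main__":
    for w in outage_windows(SAMPLE_EVENTS, parse_time("2025-04-21T12:30:00Z")):
        state = "recovered" if w["end"] else ("open, feed stale" if w["stale"] else "open")
        print(w["integration"], w["failed_attempts"], "failed attempts,", state)
```
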

CrowdStrike Multi-CID Support

The Secure Workforce platform now supports CrowdStrike integrations configured using parent Customer ID (CID) credentials, enabling device posture checks across multi-CID environments. Please note that the Overall ZTA Score policy attribute is not compatible with multi-CID configurations and cannot be used in policies when integrating via a parent CID.


2024 and earlier

August 13, 2024 Secure Work Release Notes

Console

Beyond Identity has adopted a continuous release model to deliver features more quickly. As part of this change, the Admin console will no longer have an associated version number. Instead, we will use the release date of a feature to indicate when it becomes available. Please note that authenticator releases will still include version numbers.

Email Notifications

Beyond Identity has added automatic email notifications anytime a passkey is created or revoked to improve security. Although not recommended, these emails can be disabled for your tenant by contacting support@beyondidentity.com.

When a passkey is created, the following email will be sent to the user.

email passkey known device.png

When a passkey is removed, the following email will be sent to the user.

email passkey revoked.png

When multiple passkeys are removed, the following email will be sent to the user.

email multiple passkeys revoked.png

Version 2.99.0 Secure Work Release Notes

What’s new

We have a new look!

Our new homepage provides a breakdown of your organization's risks by user and passkey, allowing you to easily identify areas that require attention. It also displays authentications blocked by your policy rules, giving you insight into how secure your organization really is and any areas that need a policy.

Support for biometric/password during commit signing for GPG keys

You can now require any commits to be verified with biometrics to prevent local malware from committing code or developers from bypassing hygiene and security controls.

Secure DevOps is an add-on for Secure Workforce. Contact your Account Representative to add this feature to your environment.

New Policy Attributes

For more information about policies, see How to define policies.

  • [BIT-1182] We’ve added two new TPM policies for Linux.

    • TPM is - Checks whether the authenticating device does not have TEE (Trusted Execution Environment OR TPM).
      299_TPM_is.png

    • TPM version - Checks whether the authenticating device does not have TEE (Trusted Execution Environment OR TPM/Secure Enclave).
      298_1 Linux TMP version.png

  • Device OS End-of-Life Attributes - Under device platform, the following new end-of-life policy attributes have been added to quickly identify unsupported OS build versions so you can reach out to employees and contractors to update their devices to the latest version.

    • Windows example:

      296_build is maintainted.png

    • macOS example:

      296_macOS minor release.png

  • OS Vulnerability Attributes - Under device platform, the following new policy attributes have been added to identify the number of critical or high severity Common Vulnerabilities and Exposures (CVEs).

    • Windows example:
      298_CVEs windows.png

    • macOS example:
      298_CVEs.png

  • Launch mechanism insecure - Checks whether the authentication uses a launch mechanism without origin information.

    • Loopback (All platforms) - Applies to authentication via the localhost. Set this transaction to Allow.

    • Embedded (Web Authenticator) - Applies to authentication via a Web Browser. Set this transaction to Allow.

    • App Scheme (All platforms) - Applies to the app identifier in a deep link. Set this transaction to Deny.

    • Pipe/COM (Windows) - Applies to a temporary authentication connection between programs or commands. Set this transaction to Deny.

    • Roaming (All platforms) - Applies to authentications made from a secondary device that is enrolled with Beyond Identity. This option requires that Roaming Authentication is enabled. See Configure roaming authentication for more information. Set this transaction to Allow if you've enabled roaming authentication.

    • Copy/Paste (All platforms except Linux) - Applies to authentications where a link is manually copied/pasted to authenticate. Set this transaction to Deny.

    • Universal Link (iOS only) - Applies to authentications where a magic link is clicked on to authenticate. Set this transaction to Deny.

    • Autofill (Android only) - Applies to authentications where credentials are passed in using the autofill feature on Android. Set this transaction to Deny.

    • Accessibility (Android only) - Applies to authentications where an alternative mechanism is used to launch the platform authenticator app. Set this transaction to Deny.

  • No TEE - Checks if the authenticating device does not have TEE (Trusted Execution Environment OR TPM/Secure Enclave).

    • Windows example:
      298 tpm windows.png

    • macOS example:
      298 tee mac.png

  • Anomalous authentication interval - Checks whether the time between authentication and trailing authentication is anomalously long, more than 30 days (located under Behavior).

    • Example Anomalous authentication interval policy attribute:
      298 anomalous auth interval.png

Resolved

  • [BIT-1753] We now check and clear the bounce list when an admin sends a new passkey via the ‘Enroll a Passkey’ option.

  • [BIT-1791] Device info collection on the Crowdstrike Falcon Agent Id has been improved. Before, when we failed to obtain the Agent Id, this was reported as unsupported. From now on, failure to read the data.zta file will include an exact error in the device info and logs to help with further investigation.

  • You can now test SIEM integration Beyond Identity Authenticators without needing to change any values.

Version 2.97.2 Secure Work Release Notes

Hotfix for Zscaler

  • Added the ability to match on a User Key, which can either be the username or email when configuring a Zscaler instance.

Version 2.97.1 Secure Work Release Notes

Hotfix for Crowdstrike Falcon

  • Fixed an issue where the CrowdStrike ZTNA assessment score was not found for new Beyond Identity user enrollments, which caused the user enrollment to fail. This was related to the CrowdstrikeAgentID being set to uppercase while the Crowdstrike API requires the CrowdstrikeAgentID to be lower-case.

Version 2.97.0 Secure Work Release Notes

Resolved

  • [BIT-1753] Fixed an issue with the bouncelist when an admin sends a new passkey via the ‘Enroll a Passkey’ option in the Admin console.

Version 2.96.0 Secure Work Release Notes

What's new

  • Dashboard Filters - Added filters to the Risk Overview table.
    296_dashboard filters.png

Version 2.95.0 Secure Work Release Notes

Console

What's new

Policy

  • New Linux Attributes: Added the following Linux attributes to policy rules:

    • OS Version:
      294_linux_os.png

    • File Exists:
      294_linux_file_exists.png

    • Installed Security Software:
      295_linux_installed_sec_software.png

  • New Authentication method: Added “Manual Link Copy” as an Authentication Method for transactions.
    295_authentication_method.png

Events

  • [BIT-1741] New “flow_type” event: If you've created policy rules for Authentication that use an Authentication Method, we’ve added "flow_type" to data in USER_AUTHENTICATION events.
    295_flow_type_event.png

    The following authentication flow types are detected:

    • localhost

    • embedded

    • scheme

    • pipe

    • roamingAuth

    • copy

    • universalLink

    • androidAutofill

    • androidAccessibility
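
The flow_type values above can be checked against the Allow/Deny guidance given for the "Launch mechanism insecure" policy attribute in the 2.99.0 notes. The following is an added example, not Beyond Identity code: the pairing of each flow_type value with a policy label is inferred from the two lists, the event shape is an assumption, the sample events are constructed, and REVIEW is this example's own label for cases the notes do not cover.

```python
from collections import Counter

# flow_type value -> (policy label, action recommended in the 2.99.0 notes).
# The value-to-label pairing is inferred from the names, not stated on the page.
LAUNCH_POLICY = {
    "localhost": ("Loopback", "ALLOW"),
    "embedded": ("Embedded", "ALLOW"),
    "scheme": ("App Scheme", "DENY"),
    "pipe": ("Pipe/COM", "DENY"),
    "roamingAuth": ("Roaming", "ALLOW_IF_ROAMING"),
    "copy": ("Copy/Paste", "DENY"),
    "universalLink": ("Universal Link", "DENY"),
    "androidAutofill": ("Autofill", "DENY"),
    "androidAccessibility": ("Accessibility", "DENY"),
}

# Constructed sample events. Apart from "flow_type" living under "data" in
# USER_AUTHENTICATION events, the field names are assumptions.
SAMPLE_EVENTS = [
    {"event_type": "USER_AUTHENTICATION", "user": "alice", "correlation_id": "c-001", "data": {"flow_type": "localhost"}},
    {"event_type": "USER_AUTHENTICATION", "user": "bob", "correlation_id": "c-002", "data": {"flow_type": "copy"}},
    {"event_type": "USER_AUTHENTICATION", "user": "bob", "correlation_id": "c-003", "data": {"flow_type": "universalLink"}},
    {"event_type": "USER_AUTHENTICATION", "user": "carol", "correlation_id": "c-004", "data": {"flow_type": "roamingAuth"}},
    {"event_type": "USER_AUTHENTICATION", "user": "dave", "correlation_id": "c-005", "data": {}},
    {"event_type": "POLICY", "user": "alice", "correlation_id": "c-006", "data": {}},
]


def recommended_action(flow_type, roaming_enabled):
    """Return (policy label, action) for one flow_type value.

    Unknown or missing values map to REVIEW. Roaming is ALLOW only when the
    tenant has roaming authentication enabled; otherwise it is REVIEW, since
    the notes give no recommendation for that case.
    """
    label, action = LAUNCH_POLICY.get(flow_type, (None, "REVIEW"))
    if action == "ALLOW_IF_ROAMING":
        action = "ALLOW" if roaming_enabled else "REVIEW"
    return label, action


def triage(events, roaming_enabled):
    """List USER_AUTHENTICATION events whose launch mechanism is not ALLOW."""
    findings = []
    for event in events:
        if event.get("event_type") != "USER_AUTHENTICATION":
            continue
        flow_type = (event.get("data") or {}).get("flow_type")
        label, action = recommended_action(flow_type, roaming_enabled)
        if action != "ALLOW":
            findings.append({
                "correlation_id": event.get("correlation_id"),
                "user": event.get("user"),
                "flow_type": flow_type,
                "label": label,
                "action": action,
            })
    return findings


def findings_per_user(findings):
    """Count findings per user to show who relies on weak launch mechanisms."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS, roaming_enabled=True)
    for f in results:
        print(f["correlation_id"], f["user"], f["flow_type"], f["action"])
    print(dict(findings_per_user(results)))
```
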

Risk signals

The following table describes new risk signals that have been published. For more information, see Risk Signals and Policy Configuration.

  • Antivirus off
    Applicable OS: macOS, Windows
    Description: Checks whether the authenticating device has antivirus disabled.
    Example usage in policy: antivirus.png

  • Firewall off
    Applicable OS: macOS, Windows
    Description: Checks whether the authenticating device has a disabled firewall.
    Example usage in policy: firewall.png

  • Launch mechanism insecure
    Applicable OS: All
    Description: Checks whether authentication uses a launch mechanism without origin information.

    The following authentication flow types trigger detections:

    • App Scheme

    • Universal Link

    • Roaming

    • Copy/Paste

Version 2.94.0 Secure Work Release Notes

Secure Work

Resolved

  • [DATA-2633] Country filter: On the Insights page, fixed an issue with filtered results returned when clicking a country from the map.

  • [Data-2652] Event export: Fixed the Event grid’s CSV export so it now includes filters on user, country, correlation ID, and full text.

Version 2.93.0 Secure Work Release Notes

Secure Work

What’s new

  • [BIT-1159, BIT-1209] Google Workspace MDM integration support on Android.

    • Under Integrations > Beyond Identity Authenticator Management in the Beyond Identity Admin console, a new Google Workspace entry has been added.


      integration.png

      Click the download icon to the right of Google Workspace to open the following dialog.


      Install G workspace.png
      After entering the Customer ID, Save Changes to automatically generate the Management ID you will use in the Google Admin console.

      For detailed steps to configure the integration in Beyond Identity and Google, see the Integration Guide for Google Workspace MDM.

    • Under Policy, you can set an integration policy for Google Workspace on Android to identify whether the state is managed or not.
      293_Google-policy.png

New Policies

Added the following new attributes to policy. For more information, see How to define policies

  • Added IP blocklist attributes to policy for authentication.
    293_Authenticator_managed_list.png

  • Added a File Exists device policy attribute to Linux.
    293_Linux_file_exists.png

  • [BIT-1702] Added support for the following device policy attributes:
    Secure Enclave Is (TEE) availability on macOS

    policy_mac_sec_enclave.png
    TPM availability on Windows

    policy_windows_tpm.png
    TPM version on Windows
    policy_windows_tpm_version.png

Improved

  • [BIT-188] Added support for multiple webcams on macOS while scanning QR codes. You can now use your iPhone camera, or any other additional webcam you may have connected to your Mac.

  • Added the ability to test an SIEM connection before saving it under Integrations.


    293_SIEM_Test_Config.png

  • Generates a "password not set" threat signal for SIEM integrations for iOS, macOS, and Android.

  • Updated the published OS enrichment threat signals (used in SIEMs) to use a "rapid security response" (RSR) tag when looking up threats associated with macOS authentications.

  • Allow more generalized version inputs for Windows and macOS installed applications. Specifically, this allows admins to write policies on Java versions.

Resolved

  • [BIT-1731] On the Insights page, fixed an intermittent issue where clicking on a country in the map didn’t apply the Country filter correctly if a city name included the same name as another country.

  • [BIT-1705] On some versions of RHEL/CentOS (<=7) and Ubuntu 22.04 LTS, fixed an issue where volume device info detection was not working correctly, and encrypted volume information could not be detected. Therefore, encrypted disk policy checking would not work.

  • [BIT-1715] Ensure open windows/tab authentication states are synced.

  • For Web Authenticator passkeys, fixed an issue where responses were being incorrectly encoded during registration.

Version 2.92.0 Secure Work Release Notes

Improved

  • Added a new "launch mechanism" risk signal to the Risk dashboards, which detects whether authentications are using a launch mechanism with optimal phishing resistance. To view this enhancement:

    • Go to the Admin Console > Insights > Risk Overview > and select View risk scores by User.

    • Click a user from the table to view signals that apply to this user. If the signal applies to this user, an entry for “Launch mechanism insecure” appears with details.

      292 Data-2500.png

    • When exporting data in the table, the entry will look similar to the following:
      ... ""launch_mechanism_insecure"":{""detection_count"":44,""score_count"":686,""scored_entity"":""correlation_id"",""scored_entity_count"":686} ...

  • For OIDC Login Hint Validation Config, added a new “USER_NAME_LOCAL_PART” strategy that matches the hint based on the username part of the email. It applies when an SSO requires a username to be in the shape of an email and, in some cases, the username may not match the actual email of the user.

    • Example: If the actual email address is john.smith@example.com and the username is jsmith, the username would need to be in the format of jsmith@example.com and the login hint would be jsmith, which matches the “local part” of the username, (i.e., everything before the @). If you do not have an SSO that forces usernames to look like email addresses (for example, the username is just jsmith), USER_NAME_LOCAL_PART strategy will work the same as USER_NAME login hint.

      Once a passkey is selected, a provided hint will be matched against the selected strategies until one succeeds and authentication can continue, or they all fail, and authentication fails. For more information, see: https://support.beyondidentity.com/hc/en-us/articles/15280892701463-OIDC-login-hint-Matching.
      292 OIDC login hint.png

    • Authentication events also include login hints when provided. Additionally, if there is a failure due to login hint mismatches, this information will be captured in the Reason section of the authentication event, as seen in the following image:
      OIDC Login hint event.png
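
A model of the hint matching described above for the USER_NAME and USER_NAME_LOCAL_PART strategies, added here as an illustration and not Beyond Identity code. The function names, the exact string comparison and the handling of a missing hint are assumptions; the sample cases are constructed from the john.smith / jsmith example in the note.

```python
def local_part(value):
    """Return everything before the last "@", or the whole value if none."""
    return value.rsplit("@", 1)[0] if "@" in value else value


# Strategy names come from the release note; the comparison rules are this
# example's reading of it. Case handling is not stated there, so the model
# compares strings exactly.
STRATEGIES = {
    "USER_NAME": lambda hint, username: hint == username,
    "USER_NAME_LOCAL_PART": lambda hint, username: hint == local_part(username),
}


def match_login_hint(hint, username, selected):
    """Match a login hint against the username of the selected passkey.

    Strategies are tried in the order given until one succeeds. Returns
    (matched, strategy_name, reason); the reason mirrors the kind of text an
    authentication event could carry on a mismatch.
    """
    if not hint:
        # Assumption: with no hint provided there is nothing to validate.
        return True, None, "no login hint provided"
    for name in selected:
        if STRATEGIES[name](hint, username):
            return True, name, f"hint matched by {name}"
    return False, None, f"login hint {hint!r} matched none of {list(selected)}"


# Constructed cases: (hint, username of selected passkey, selected strategies).
CASES = [
    ("jsmith", "jsmith@example.com", ["USER_NAME", "USER_NAME_LOCAL_PART"]),
    ("jsmith", "jsmith", ["USER_NAME_LOCAL_PART"]),       # same as USER_NAME
    ("jsmith", "jsmith@example.com", ["USER_NAME"]),      # fails: no local-part strategy
    ("john.smith", "jsmith@example.com", ["USER_NAME", "USER_NAME_LOCAL_PART"]),
    # The local-part strategy does not compare the domain, so the same hint
    # also matches a username under a different domain.
    ("jsmith", "jsmith@other.example", ["USER_NAME_LOCAL_PART"]),
]

if __name__ == "__main__":
    for hint, username, selected in CASES:
        print(hint, username, match_login_hint(hint, username, selected))
```
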

Version 2.91.0 Secure Work Release Notes

Resolved

  • [BIT-1689] In the Risk Overview Dashboard, in certain scenarios users were incorrectly placed in the wrong risk column in the Risk Score Bar Chart.

Version 2.90.1 Secure Work Release Notes

Hotfix for Secure Work

Resolved

  • [DIR-2521] Terminate an authentication transaction early based on browser incompatibility.
    Exposes additional administrative logs for diagnosing issues related to the mishandling of OAuth binding cookies.

  • [DIR-2525] Updated services related to authentication transactions.

Version 2.90.0 Secure Work Release Notes

Secure Work

Improved

  • [DIR-2479] Added the username as a parameter to help determine group membership when offering roaming authentication. The protocol that produces the username is WS-Fed, which is used by Entra ID (formerly Azure AD).

  • [CON-2699] You can now add threat signals individually, or by selecting all signals to SIEM integrations under Integrations > SIEM Integrations. If you want to automatically add threat signals that will be added in the future, select the checkbox.


    290_Con2699.png

Version 2.89.1 Secure Work Release Notes

Hotfix for Secure Work

This release applies to Secure Work policies.

Resolved

  • [TS-1387] Fixed a bug related to the handling of IP attribute lists.