The Madrid release introduces powerful new features and enhancements—particularly around Strivacity dashboards—that make it easier than ever to monitor, analyze, and act on your identity data.

Important: This release includes breaking changes affecting:

• Consent translations
• Adaptive Access policy configuration
• Legacy hook log endpoints

Please check with your Customer Success representative before upgrading.

New Features & Enhancements

Dashboard Click-Throughs to Account Events

Your Strivacity dashboard just got more interactive. Certain dashboard widgets now allow you to click directly into the events behind the metrics—giving you instant visibility into the activity driving your graphs.

New Dashboard Templates

To help you get started faster, we’ve added new pre-built dashboard templates for:

• A/B testing
• Consent acceptance
• On-premises components

Dashboard Widget Browser Improvements

Our library of dashboard widgets keeps expanding! To make navigation easier, you can now search for widgets by name and quickly find the metrics you need.

Stacked Bar Charts

You now have a new way to compare metrics over time. Stacked bar charts make it simple to visualize multi-metric comparisons—such as login successes, failures, and abandonments—within a single view.

Hook Execution Dashboard Widget

Track performance like never before. The new Hook Execution widget helps developers measure orchestration response times as well as providing visibility into unhandled exceptions and hook errors that occur during hook execution. All of this to ensure your Lifecycle Event Hooks run smoothly.

Configure Temporary and Permanent Lockouts

We’ve made brute-force protection more flexible. With the Adaptive Access policy, you can now independently configure temporary and permanent lockout thresholds for both passwords and one-time passcodes.

Expanded Before ID Token Generation Hook

Developers now have more power when working with tokens. The Before ID Token Generation hook can: add or adjust token scopes

Other Updates

• Added SessionIndex GUID to SAML assertions
• Expanded documentation for managing email and phone authenticators via the My Account Portal APIs
• Introduced a new Account Management API endpoint to change or remove organization assignments from an account

Bug Fixes

We fixed issues where:

• The back-to-login link did not pick up the acr_value from session start
• Custom telephony providers failed if the Strivacity default provider wasn’t enabled
• The password requirements indicator didn’t handle Unicode lowercase letters
• Password length wasn’t displayed properly in some cases
• Adaptive Access policy didn’t include custom MFA configurations
• Consents didn’t always render in the correct translation
• The native SDK incorrectly fell back to web views in some scenarios
• Password quality policy wasn’t listed in the admin console’s identity store view
• The Before Authenticator Enrollment hook template missed required callback parameters
• A/B testing evaluated usernames as case-sensitive
• Tags containing underscores (_) weren’t always searchable
• The My Account API endpoint didn’t return maxLength or restrictedCharacters fields

New Features

Self-Service Account Unlock

Strivacity now supports self-service account unlock workflows for password lockouts. When customers lock their account during login, they can immediately receive a password reset link along with customizable messaging. Admins can also manually unlock accounts affected by password or OTP locks, or trigger a password reset to clear password-reset locks.

Fine-Grained Access Control for the Admin Console

Building on recent improvements to policy tagging and filtering, brand admins can now define permissions—based on policy tags—for viewing or managing individual policies. A new “use” permission has also been added, allowing admins to use a policy (e.g., in flows) without being able to view or modify its configuration. This enables precise control over who can read, write, delete, or apply specific policies.

Centralized Lifecycle Event Hook Logging

All Lifecycle Event Hook (LEH) logs are now accessible through a single, centralized UI. You can filter logs by date/time, Identity Store, Account Event ID, Account ID, and Application Client ID for easier troubleshooting and auditing.

Organization Portal Enhancements

We’ve rebuilt the organization administration portal from the ground up. Improvements include:

• Admin Console-style user filtering
• Easier management of favorite organizations
• Improved session expiry handling and smoother return-to-login flow

Policy Filtering Improvements

We’ve enhanced filtering throughout the Admin Console:

• Filters now persist across sessions—return to any page and your last-used filters are retained
• Admin Console URLs now support query string parameters, enabling deep linking to filtered views

Expanded Session Information for Login Flow UIs

Front-end brand developers now have access to more session context for building custom experiences. Newly available data includes:

• Password and OTP failed attempt counts and limits
• Session timeout configuration for login flows

Other Enhancements

• ECDSA JWT signing support for JWT private keys
• Ability to set multiple audience claims on access tokens
• Support for sending multiple email invitations to recipients with existing accounts or pending invitations

Bug Fixes

• Fixed an issue where account attributes on the MyAccount page always appeared in English despite a selected language
• Fixed a bug preventing hooks with underscores in tag labels from being deployed
• Resolved issue where notifications were sent to disabled email identifiers
• Fixed an error that blocked deletion of identifiers on disabled accounts
• Resolved an issue that prevented admins from changing their password via the admin MyAccount portal
• Fixed a permissions bug preventing full-access admins from resetting translations
• Corrected UI text in the event streaming interface

Headline features

Variable and secret management

Strivacity now provides brand developers variable and secret management, enabling flexible use of these across the platform. You can define variables and secrets at the global level and use them in any Strivacity code editor. You can also define variables at the Journey or Lifecycle Event Hook level to leverage variables and secrets local to just that code base. Finally, you can set variables and secrets that are applied when hooks and journeys are attached to an application, allowing you to promote environmental configurations between applications on the same or different product instances.

IdP-initiated SAML support

Strivacity now supports Identity Provider (IdP) initiated SAML2, which expands Strivacity’s federation capabilities by enabling brands to start a SAML2-based authentication journey with Strivacity directly from a third-party IdP without first receiving an authentication request from the Service Provider (SP). This facilitates smoother user experiences, especially in federated identity environments, by enabling organizations to centralize authentication and maintain user control within their own domain. This feature is configurable via an External login provider.

Custom telephony provider

In addition to the four native telephony providers supported today, Strivacity now lets you create your own custom telephony provider integration. This feature allows brand developers to write code that sends Strivacity SMS messages to whatever telephony provider or messaging service you choose. This is configurable via the Telephony provider configuration .

Before password reset extensibility point

We now support a Before password reset hook, allowing brands to add custom journeys to a password reset link password reset. Want to put MFA in front of a password reset? How about asking for additional confirmation or doing a third-party risk assessment before letting a user update that password? All of these are now possible using the Before Password Reset extensibility point along with the Strivacity Journey Builder.

Synchronous capabilities for the After password change extensibility point

Brand developers now have the ability to stop the flow after a password change has occurred to ensure synchronizations with 3rd party data stores are successful before changing the password locally. We've also changed the name from "After password change" to "Before password persist". Lifecycle event hooks

Additional client context values available in hooks

Brand developers now have a seamless way to send information from the browser to the back-end context of Lifecycle Event hooks. This allows for better integration with security tools and other products that need to handle sensitive browser-gathered information.

Expose the Strivacity token endpoint to all configured domains

Previously, Strivacity’s token endpoint was only exposed to the primary DNS domain configured in the Strivacity.. Now, you can access the token endpoint from any of the domains configured to be used in Strivacity.

Enhanced MFA journey step: “Remember this device” support

The MFA Authentication custom journey step now supports dual behavior: it can function as an “always require MFA” step or as an MFA step that respects the “Remember this device” setting. This allows for greater flexibility in balancing security and user convenience.

Simulated password and forgotten password steps to mitigate account enumeration

To help counter account enumeration attacks, Strivacity’s custom journeys can now simulate a successful user identification when no matching account is found. When used at the “At failed identification” extensibility point, these new steps mimic a legitimate identification flow and trigger standard account recovery options, helping to obscure account existence from malicious actors.

Authenticator app setup: manual code entry option

During MFA registration using Google Authenticator-style apps, users can now opt to manually enter a setup code in addition to scanning a QR code. This provides an accessible alternative for users who can’t scan QR codes.

Input masking support for sensitive fields

In brand policies, the sty-input-text selector now supports input masking for sensitive data types, such as national ID numbers. For details on how to implement this, see the Strivacity brand policy documentation available inside the brand policy configuration of a Strivacity product instance.

Support for multiple invitations to the same email address (build 3)

Previously, Strivacity prevented brand administrators from sending invitations to email addresses already associated with a pending invitation or an existing account. This limitation has been removed.

Brand admins can now send multiple invitations to the same email address, enabling greater flexibility, especially for use cases involving username-based identity stores, where the same user may need access to multiple accounts.

Granular controls for “Keep me logged in” behavior (build 3)

Strivacity’s “Keep me logged in” feature allows customers to maintain active sessions across applications within the same identity store, bypassing the login step during an inactivity timeout.

With this update, brand administrators now have more fine-grained control over how this feature is exposed and behaves for end users.

New configuration options:

Administrators can now choose from the following options when configuring this feature:

• User-configurable, unchecked by default: Allows the user to opt in; the toggle is off by default.
• User-configurable, checked by default: Allows the user to opt out; toggle is on by default.
• Hidden from the user – Never keep logged in: The feature is disabled completely, with no user control.
• Hidden from the user – Always keep logged in: The feature is always enabled without user interaction.

Other stories

• Account management now indicates if a phone number identifier has been confirmed.
• You can now link to the list of notifications associated with an account event.
• We renamed the Strivacity Bridge components to be clearer about their purposes. The Strivacity Bridge for Header-based Authentication is now the Strivacity Login Gateway. The Strivacity Bridge for On-premises Directories is now the Strivacity Directory Connector.
• We’ve added additional notification templates to notify customers when a user has unenrolled an MFA method and when an identifier has been changed.
• Passcode and OTP attempts against the lockout count are now exposed in the user account records.

Bug fixes

• Fixed an issue where the Admin Console account event date filter was handling timestamps incorrectly.
• Fixed a broken link in the brand policy developer docs.
• Fixed an issue where deleting an Adaptive Access policy was impossible if the custom MFA method was enabled.
• Fixed an unnecessary warning when enabling identifiers in an identity store.

Stream account events to external data aggregators

You can now stream Account events and Audit logs to third-party data aggregators in real time. Out of the box, the Buffalo release supports Splunk and Elasticsearch.

Directory connector password syncing

Our Strivacity Directory Connector now synchronizes password changes made in Strivacity to your on-premises directory. This means fewer manual updates and more consistent account credentials across environments.

Bring your own telephony provider

You can configure your own telephony provider for SMS and voice calls. Use the same provider for both, or separate providers for each. Once set up, these configurations apply to all applications within your Strivacity instance.

Account notifications lists in account management

Customer support teams can now see a comprehensive list of notifications sent to account holders, including the recipient’s email or phone number and a preview of the message. This helps support quickly track and troubleshoot any notification-related inquiries.

Bulk account update API

We’ve introduced a new API that updates the attributes or disabled state of up to 1,000 users at once, making large-scale user management changes easier and more efficient.

Bulk customer invitation

Our Bulk customer invitation feature now supports uploading a CSV list of up to 200 users to invite. You just download a CSV file containing the identity store schema, fill in each user’s invitation email (required) and any attributes (optional), then click submit to send them all at once.

Connector statistics on the dashboard

Strivacity Strivacity Directory Connector statistics now appear on the Strivacity Dashboard. You can monitor uptime, response times, and error messages right from your admin view.

In-journey Account Activation for phone/email identifiers

We’ve added a new capability to our Account activity feature that allows you to provide an in-registration account activation experience, requiring a one-time passcode sent to the email or phone identifier during the registration process.

Searching for accounts by email domain

When filtering in the Account Management portal, you can now search specifically by an email domain. Just start your query with “@” to filter by the domain portion of the email address.

JWTs for client authentication

Strivacity now supports JWT authentication for OAuth2 clients, giving you another secure method to validate and authorize client requests.

Other features

• Create an account without a password in the Admin Console (STY-5845)
• Independently control “Remember me” and “Remember my device” (STY-5856)
• Add password maximum length to the password requirement indicator (STY-5879)
• Support JWTs that are missing a trailing dot character (STY-5974)
• Rearrange the account create/invite form in the Admin Console (STY-6010)

Bug fixes

We resolved several issues in this release, including:

• Clicking “Back to login” on the password reset page resulted in an unexpected error (STY-5457)
• Sending a password reset email from the Admin Console failed in some cases (STY-5833)
• Date filters on the dashboard sometimes returned unexpected results (STY-5978)
• Multiple consent steps in a journey incorrectly shared state (STY-6002)
• MFA authentication journey step did not always follow attached policy (STY-6006)
• Dashboard registration duration widget layout issues at certain browser sizes (STY-5503)
• Broken tooltips in the Admin Console (STY-5950)
• PDF generation failing in Firefox (STY-5969)

Customer self-service APIs

Build custom user management experiences directly within your brand’s portal using Strivacity’s My Account APIs. These APIs eliminate the need to use admin APIs for users making account changes on their own behalf. The same APIs power our My Account no-code component, enabling you to manage identifiers, attributes, passwords, consents, and personal data downloads.
Explore the API reference

Editing identifiers in My Account and self-service APIs

Users can now update their own identifiers directly within the My Account portal or through our self-service APIs.
Learn more about My Account

Configurable brute-force attempt limits

Brute-force limits for both password and MFA authenticator challenges are now configurable on a per-session basis via Adaptive Access policies, giving you more control over security thresholds. Previously, brute-force limits were hard-coded to 3 attempts.

Granular username requirements

Username requirements can now be configured with minimum and maximum length settings. You can also enforce specific formats using regular expressions and define custom error messages for invalid inputs.

Enhanced password policy options

Password policies now include options to set maximum length requirements and disallow specific special characters.
Learn more

Search for OIDC client IDs in applications list

You can now search for OIDC client IDs directly on the Applications page. This makes it easy to locate applications by client ID.

"Remember my device" on MFA passcode screen

The “Remember My Device” setting is now available on the MFA passcode screen, in addition to the MFA method chooser screen.

“Back to login” button on MFA screens

We’ve added “Back to Login” buttons to all MFA screens, including MFA method selection, MFA passcode, and MFA enrollment screens, improving the user experience.

Support for additional telephony providers for SMS

Strivacity now supports additional telephony providers, including Sinch and Infobip, for sending SMS messages.

Other features

• Description field for policies
  Add descriptions to policies for easier management and documentation.

• Sensitive customer input in Journey Builder
  Input steps set as “sensitive” within Journey Builder will display information inputted by customers as masked in logs, enhancing privacy for sensitive user data.

• Date attribute indexing and filtering
  Attributes with date values can now be indexed and filtered for streamlined data queries.

• Error messages based on HTTP error codes in brand policies
  Customize error messages triggered by HTTP error codes in brand policies.

• New language support
  We added support for the following additional languates:

  • Arabic (Egyptian)
  • Creole (Cape Verdean)
  • Creole (Hatian)
  • Norwegian (Norway)
  • Polish (Poland)
  • Somali (Somalia)

Bug fixes

• Fixed an issue where the account engagement widget incorrectly displayed an empty state.
• Resolved an issue preventing spaces from being typed in dropdown filters.
• Fixed an issue where the ‘&’ character was not allowed in email subject lines.
• Corrected a problem where MFA options were not displaying in the self-service portal when logging in via an external account.

Released: July 2024

AI Assist

Strivacity AI Assist is an intelligent helper embedded directly within the Strivacity product, including the admin console, organization portal, and My Account portal. It leverages the latest advancements in large language models (LLMs), meticulously trained on our comprehensive product documentation and use cases. This allows AI Assist to provide contextually relevant advice, instructions, and explanations as you interact with the product. Talk to your Customer Success manager to set up AI Assit in your environment.

AI Assist

Passkeys

Strivacity has expanded its FIDO2 support (we are a FIDO2 certified server now through the full support of passkeys. Passkeys makes logging in easy and secure for customers by utilitizing their device's biometric features, enabling multi-factor authentication in a single, easy to use step. We even include optional Passkey promotion pages to encourage users to upgrade to Passkeys when they create or change their passwords.

Passkeys

A/B Testing

Ever want to make a small change in your CIAM experience to see what happens without disrupting your entire user base? Do you want to understand how business objective achievement changes if you make a change to your customer’s experience?

With Strivacity’s A/B Testing feature, you can now create experiments, target customers for those experiments, and view the results. And our robust dashboard capabilities makes gaining deep insight on how these experiments could affect your bottom line. Strivacity’s A/B testing makes testing alternative workflows for your brand a snap.

A/B Testing

Automated account lifecycle management

Automated account lifecycle management allows customers to do automatic operations on accounts based on account activity/non-activity or if an account has certain group/role memberships or attributes. These actions happen automatically in the background and are captured and auditable, as always, inside of our Account Events. Automated Account Lifecycle Management

Journey builder

Journey builder

We continue to build out our Journey Builder feature, enabling brands to construct custom journeys for their customer without the need to write any code. In this release we add:

🌟NEW🌟 Journey library: Strivacity now has an ever expanding list of pre-build custom journeys for you to add to your applications. Using Journeys

🛠️UPDATE🛠️­­ Condition step: You can now create conditions based on group, role memberships, and time-based conditions. Condition step

🛠️UPDATE🛠️ Persist data step: You can now update a customer’s identifier in the persist data step Persist data step

🛠️UPDATE🛠️ Consent step: You can now present a selected consent to a user inside this new journey step Consent step. We also have a new dasboard widget to see your consent acceptace and revocation rates.

🛠️UPDATE🛠️ Custom code step: You can now author custom code as a journey step. It's like having a lifecycle event hook inside of your journey. Custom code step

🛠️UPDATE🛠️ Set cooke step: You can now drop a cookie and populated it with context, account, or other local variable data.

Custom multi-factor authenticator

You can now create a customer authenticator integration that seamlessly embeds into the Strivacity policy-driven workflows. Once you’ve coded up your custom integration, this new authenticator becomes available inside any adaptive access policy. Works great for setting up integrations with Firebase and social providers such as WhatsApp or even Slack.

Custom multi-factor authenticator

Code editor snippets

Lifecycle Event Hooks now have an expanding list of code snippets available right inside of Strivacity IDEs. These code snippets are curated specifically for each Lifecycle Event Hook type. Developers can use these as a quick start to customizing their brand’s customer journeys.

Using the IDE

Other stories

• Added the ability to define tags and apply them to applications and policies
• You can now copy and clone journeys
• Our account create and password change API endpoints now support an "ignorePasswordPolicy" flag when creating passwords via API.
• Improved filtering experience for account management, policies, and other filter intensive administrative experiences
• MFA change notifications are no longer sent if they are performed during an initial registration flow for an account.
• Account locks are now distinctly called out inside of account events and can be tracked on the dashboard https://docs.strivacity.com/docs/account-events
• Improved the user experience of assigning organization roles in the admin console
• Added support for PageUp and PageDown buttons when viewing lists of things, such as policies
• Added the ability to see the organization associated with an invitation inside the list of invitations
• Added “?” as one of the specified special characters in the password quality policy https://docs.strivacity.com/docs/password-quality-settings
• We’ve updated our bot risk scoring behavior to minimize false positives. https://docs.strivacity.com/docs/adaptive-rules
• We doubled the size of our brand policy limits from 16k to 32k. https://docs.strivacity.com/docs/branding-visualizer
• Account identifier information is now available inside of hook contexts.
• The "skip mfa if there is only one method available" configuration in Adaptive Access policies is now available for registrations as well.
• We now support Infobip as a telephony provider.

Bug fixes

• Fixed an issue where a restricted character, the apostrophe ( ‘ ), was not causing the proper error (STY-5091)
• Fixed an issue where an invalid secret would return a 500 error instead of 401 (STY-5377)
• Fixed an issue where updating an organization role would populate the role list incorrectly (STY-5509)

Released April, 2024

Dashboard

https://docs.strivacity.com/docs/dashboard-overview

Our reimagined dashboard ensures brands get the data they need to make informed decisions about how to configure the product to achieve business outcomes. In this release you will see:

• Login and registration successes, failures, and abandonment metrics as trends over time, rather than single counts
• A list of failure reasons and the screen name of step the failure occurred
• The median duration per step in a login/registration flow
• Trends over time for forgotten username request (requests vs. failures), password resets, MFA authentications and MFA registrations
• Detailed Adaptive Access statistics, showing authentication step-up, step-down, and blocking action trends
• Tracking of identity verification transactions
• Tracking of SMS and SES email resend requests
• Ability to create multiple custom dashboards
• Ability to create multiple widgets of the same metric filtered differently
• Ability to filter per-widget by dates and application clients
• Easy PDF export of dashboards

These dashboard updates come with the added benefit of having more verbose account events, including more information about failure reasons, drop-off steps, and adaptive access outcomes.

Journey builder

https://docs.strivacity.com/docs/journey-builder

We continue to add new features and capabilities to our journey builder to make it easy to drop custom journeys into our existing policy-driven configuration.

New journey steps:

• Password authentication step
• Persist data collected to the users account
• Identity verification - insert any identity verification policy workflow as a journey step and branch based on the verification outcome.

Journeys can now be launched from additional hooks

Lifecycle event hook context can now be passed to a custom journey for use in conditions.

Local variables can be collected as data input and be used in conditional statements.

Condition statements now have a preview on the condition list screen.

Email and physical address risk

https://docs.strivacity.com/docs/email-and-physical-address-risk

Fraudulent accounts can costs brands money. Account onboarding is your first line of defense against fraudsters using false information to create accounts for nefarious purposes.

Strivacity’s email and physical address risk step allows brands to evaluate information submitted during onboarding for risk signals. Higher risk accounts can either then be blocked or further vetted to ensure authenticity.

Strivacity Bridge for on-premises directories

Brands can now connect to an on premises LDAP connector to sync identities into the Strivacity identity store. Much like our Bridge for headers-based authentication, Strivacity’s Bridge for on-premises directories provides a path for organizations with legacy systems to adopt modern authentication approaches before they’ve shed their dependancies these older technologies.

Account impersonation

https://docs.strivacity.com/docs/account-impersonation

Sometimes, the easiest way for a customer service representative to help a customer is to log in on their behalf and see exactly what the customer is seeing. With Strivacity’s Account Impersonation feature, customer service can temporarily login as the customer using a time-limited access link.

Physical document verification updates

https://docs.strivacity.com/docs/document-verification

Brand admins can now map attributes captured from a physical documents into native claims, allowing storage of that information in the user’s account, which can improve the customer onboarding experience.

Support for Web Application Firewalls

Brands can now put their own web application firewall in front of the Strivacity product to augment Strivacity security features and provide deeper control over access to the Strivacity product.

Account events updates

https://docs.strivacity.com/docs/account-events

More Account Event detail

Account events now contain:

• Adaptive MFA results
• Account locks that appear as failed authentications
• Information received from external identity providers

Organization admin portal

https://docs.strivacity.com/docs/delegated-administration

B2B administrators can now view per-user account events so B2B administrators can monitor access and troubleshoot issues.

Clear session of account after admin delete

Now when an administrator deletes an account, the users sessions are cleared automatically, ensuring deleted accounts lose access immediately after deletion.

External login provider experiences

We’ve added external login buttons to the password screen so the external identity users can quickly login if they have a remember account

We’ve also added a pre-external registration hook to allow customization and orchestration during external login registrations

Developer experience

We’ve added character counters to all IDEs so developers can keep an eye on their character limits for code editors

You can also now view a 10 minute/5000 line subset of lifecycle event hook logs by specifying a time stamp at the time of the log request.

Email sender address override for admin console notifications

You can now override the local-part of the sender email address for admin notifications.

Token lifespan and type configuration for OIDC clients

Each application client can now have its own, configurable, refresh, ID, and access token lifespans. You can also choose whether the access token format is opaque or uses JWT.

Other stories

• Support for failover SMS/Telephony providers
• Alphabetical organization and group ordering
• Deploy "Password requirements indicator" as a default setting
• Small table performance optimizations
• Updated default Adaptive Access policy setting
• Added monthly query option for existing statistic APIS
• Custom upstream server path for bridge clients
• Detect blocked cookies in login page

Released January, 2024

Journey builder

A journey starts with a single step. 

We are pleased to announce the initial release of Journey Builder, a hub and spoke graphical interface that lets you design and implement custom sign-in, sign-up, and self-service journeys. This feature enhances the existing policy-driven configuration by dropping custom journeys into various parts of the existing workflows.

The initial release includes:

• Ability to define the following types of journey steps:
  • Inputs - a native-claim-driven data collector step, for setting up multi-step registrations. This also supports displaying custom HTML in a journey step.
  • Conditions - a rule builder to perform conditional branching based on the value of native claims
  • MFA authentication - add an MFA step that maps to an existing adaptive access policy
• Build multiple journeys
• Trigger journey via lifecycle event hooks

Faster account searching with the ability narrow results via filtering

We’ve updated and optimized our user data stores to support faster and more flexible searches. Expect to see:

• Account filtering speed increase
• Filtering on multiple fields to further narrow searches for accounts
• Ability to filter accounts by created and last-login dates

Improved phone input field

We’ve updated our phone number input field to better support international phone number usability for all browsers and platforms.

New passcode input option

Our one-time passcode component now supports an additional segmented digit view, allowing you to make that authentication step just a bit more pleasant for your customers.

Email sender domain override 

If you use your own SMTP server with Strivacity, you can now override the email domain with a custom value.

Organization portal customization 

We’ve added features to make it easy to modify your customer service representatives' view into your customer’s accounts. Hiding and showing identity store attributes, as well as conditional invite forms are now possible.

Search all users in a organization hierarchy branch

For orgnization structures that have the unique identifier setting enabled, organization admin can now do a single search for accounts across all of the organizations in the hierarchy they have administrative rights for. 

Password change Lifecycle Event Hook

Developers can now write code that triggers after a user’s password has been changed. This can be used to sync passwords to an external identity store. 

Support for login hints for SAML clients

We now allow SAML clients to consume OIDC-style login hints. This facilitates sending various parameters from a brand’s web portal to the login and registration flow. These parameters can then be used to alter the customer journey in many useful ways. Welcome to the party, SAML!

Simplified login API

We've introduced a streamlined authentication solution with our new client type, OAuth2/OIDC - Simplified. This feature offers simplified access via API, supporting password authentication exclusively.

Other stories

• Added NameID from authentication results to external metadata
• Introduced a maximum password length

Released September, 2023

Password history, age limits, and sequential characters

https://docs.strivacity.com/docs/password-quality-settings#password-history
Strivacity now allows you to add password history, age limits, and sequential character restrictions to your password policy to ensure brands keep compliant with their internal security policies.

Account lockout

https://docs.strivacity.com/docs/account-lockout
A customer’s account can now be locked automatically based upon a configured number of failed login attempts. Locked accounts can be re-enabled by customer support via the Account Management feature or via API.

Password strength indicator

Brand administrators can now provide their customers real-time visibility into password requirements as they are typing their password.

Support for different password hashing algorithms

We’ve introduced flexibility in password hashing methods, allowing administrators to specify alternatives. Supported methods include Argon2, bcrypt, and more. Our identity store service offers a standard hashing option, with administrators able to set a "current" method. During validation, if the stored method differs, the authenticator is updated accordingly to the new method. 

Single logout support for SAML 2

Brands can now implement both IdP (identity provider) initiated and SP (service provider) initiated single log-out for in SAML 2 clients.

New identifier configuration options

Our identity stores now support granular controls for username and email identifiers. With this feature you can easily migrate and support legacy username identities while at the same time require new accounts to register with email addresses. 

Localization language selection updates

https://docs.strivacity.com/docs/translations#display-language-precedence
We now support different methods of determining which localized language is shown to the user, including specifying the language preference coming from the brand portal via login hints.

Lifecycle event hook updates

• Added Organization and Group context into the After Failed Identification and Pre-Registration Lifecycle Event Hooks
• The Before ID Token Generation hook can now add custom values into the access token

Organization support enhancements

We now include more information about organization inside of the LifeCycle Event Hook context, including the customer’s organization membership and the organizational roles assigned.

Other stories

• Geo-location selection improvements in adaptive rules
• Support for message-level encryption for external login providers
• Ability to enroll email MFA via magic link
• Audit log entries for translation-related actions
• Seamless Lifecycle Event Hook assign/unassign
• Allow "&" character for brand names in the brand policy
• New hook to customize SAML assertions
• Expose last login information to Lifecycle Event Hook contexts
• Increase invite link max age to 30 days
• Increase the max "Keep me logged in" session length to a full 2 years
• Added minute precision for the "Session inactivity timeout" setting

Released April, 2023

Organization management

Strivacity’s improved organization management capabilities allow you to provide unique sign-in and sign-up journeys to specific populations of customers. And, as usual, we do it in a way that provides a high amount of flexibility using no-code configurations. This allows brands to support many B2B and B2B2C use cases, including offering enterprise SSO to your business customer or white-labeling your product to other vendors. We now support the ability for multiple organizations to log into multiple application clients, creating even more flexibility and ease of configuration for your complex situations.

Document verification

Is KYC (know your customer) on your list of requirements? Need to establish a high level of assurance that your prospective customer is who they say they are? We now offer native support for document verification, which requires prospective customers to prove their identity using a drivers license or passport. Again, we do all the heavy lifting for you here, including managing the relationship with the ID verification vendor and providing hosted components for all of the verification journeys. All achieved using our low-code, configuration-first approach.

Conditional notification content

Have a welcome email that needs to be personalized for a specific user segment? We have the solution for you: conditional notification content. You can now put conditional logic (IFs, ELSEs, etc.) into notification templates that key off native claims or group memberships, allowing you to put that special touch on each notification you send to your customers.

Multi-factor authentication enhancements

Does your customer only have one MFA method registered? Then why are you asking them to choose an MFA method when signing in? Oh right, we didn't support that before. Now we do!
Want to give your users more options for MFA? You can now show both mandatory and optional methods of MFA during the sign-up process.
We've also added MFA capabilities for external login providers, so you can add multi-factor authentication to enterprise and/or social logins.

Identity store-based access control

We've amped up our brand administrator role-based access control (RBAC) to include restriction of access to specific identity stores. This can come in handy if you have to restrict user management between multiple business units. We also made the RBAC controls a bit easier to use by grouping related permissions together.

OIDC backchannel logout

When you absolutely, positively, have to make sure that session has been killed. OIDC backchannel logout informs your brand portal when a session has been revoked, whether that session has been invalided by an administrator or by the customer themselves. You'll have to do a little work on your brand portal to make it work, but trust us: you'll be glad you did.

Keep me logged in and remember my device available during registration

You can now offer "remember my device" and "keep me logged in" during the registration process ensuring that sign-ups have the least amount of friction possible. It's like seamless, only with less seams.

Social account linking during login

Did your customer sign up for your service with an email address associated with one of their social accounts? Now, if they try to use the social login button to log in, you can offer to link the social and local account together instead of asking them to create a new account.

Language support

• Localize all of your custom admin console content, including notifications, consents, custom attribute display names and error messages, identity verification content, and brand policy additional text
• Ensure customers get the right language experience
• Admin can select language when inviting or creating a new customer
• Customer’s can select their language preference during login, registration, and when using the my account portal. That preference is stored in the account record and used to determine which language version to show to the user in customer journey steps and in notifications

SMTP/Email servers

Brands can either use Strivacity’s built in SMTP server, or configure their own enterprise SMTP server to send email notifications

New admin console design and navigation

• New visual design
• Better usability
• Better use of white space - full width screens, multi-column layouts, collapsable left navigation
• Updated navigation - better categorization of menu items
• Split up long configuration pages into smaller chunks

Custom favicon support

Add a custom favicon to a brand policy

Organizations

• Provide a different customer journey to a use based upon membership in an organization
• Allow for self-service creation of organizations
• Support B2B and B2C customers accessing the same application

Multi-stage registration hook

• Break up registration flows into multiple steps
• Provide different steps based on information gathered during registration

External login for admin console

• You can use your own enterprise log in to the Strivacity admin console