Headline features

Secrets and variables management

Strivacity now provides brand developers with secrets and variables management, enabling flexible use of these across the platform. You can define variables and secrets at the global level and use them in any Strivacity code editor. You can also define variables at the Journey or Lifecycle Event Hook level to leverage variables and secrets local to just that code base. Finally, you can set variables and secrets that are applied when hooks and journeys are attached to an application, allowing you to promote environmental configurations between applications on the same or different product instances.

IdP initiated SAML support

Strivacity now supports Identity Provider (IdP) initiated SAML2, which expands Strivacity’s federation capabilities by enabling brands to start a SAML2-based authentication journey with Strivacity directly from a third-party IdP without first receiving an authentication request from the Service Provider (SP). This facilitates smoother user experiences, especially in federated identity environments, by enabling organizations to centralize authentication and maintain user control within their own domain. This feature is configurable via an External login provider.

Custom telephony provider

In addition to the four native telephony providers supported today, Strivacity now lets you create your own custom telephony provider integration. This feature allows brand developers to write code that sends Strivacity SMS messages to whatever telephony provider or messaging service you choose. This is configurable via the Telephony provider configuration.

Before password reset extensibility point

We now support a Before Password Reset hook, allowing brands to add custom journeys to a password reset link. Want to put MFA in front of a password reset? How about asking for additional confirmation, or doing a third-party risk assessment before letting a user update that password? All of these are now possible using the Before Password Reset extensibility point along with the Strivacity Journey Builder.

Synchronous capabilities for the After Password Change extensibility point

Brand developers now have the ability to stop the flow after a password change has occurred to ensure synchronizations with 3rd party data stores are successful before changing the password locally. We've also changed the name from "After password change" to "Before password persist".

Additional client context values available in hooks

Brand developers now have a seamless way to send information from the browser to the back-end context of Lifecycle Event hooks. This allows for better integration with security tools and other products that need to handle sensitive browser-gathered information.

Expose the Strivacity token endpoint to all configured domains

Previously, Strivacity’s token endpoint was only exposed to the primary DNS domain configured in Strivacity. Now, you can access the token endpoint from any of the domains configured to be used in Strivacity.

Other stories

  • Account management now indicates if a phone number identifier has been confirmed
  • You can now link to the list of notifications associated with an account event
  • We renamed the Strivacity Bridge components to be more clear about their purposes. The Strivacity Bridge for Header-based Authentication is now the Strivacity Login Gateway. The Strivacity Bridge for On-premises Directories is now the Strivacity Directory Connector.
  • We’ve added additional notification templates to notify customers when a user has unenrolled an MFA method and when an identifier has been changed
  • Passcode and OTP attempts against the lockout count are now exposed in the user account records

Bug fixes

  • Fixed an issue where the admin console account event date filter was handling timestamps incorrectly (STY-6204)
  • Fixed a broken link in the brand policy developer docs (STY-6177)
  • Fixed an issue where deleting an Adaptive Access policy was impossible if the Custom MFA method was enabled (STY-6123)
  • Fixed an unnecessary warning when enabling identifiers in an identity store (STY-6134)

Stream account events to external data aggregators

You can now stream Account events and Audit logs to third-party data aggregators in real time. Out of the box, the Buffalo release supports Splunk and Elasticsearch.

Directory connector password syncing

Our Strivacity Directory Connector now synchronizes password changes made in Strivacity to your on-premises directory. This means fewer manual updates and more consistent account credentials across environments.

Bring your own telephony provider

You can configure your own telephony provider for SMS and voice calls. Use the same provider for both, or separate providers for each. Once set up, these configurations apply to all applications within your Strivacity instance.

Account notifications lists in account management

Customer support teams can now see a comprehensive list of notifications sent to account holders, including the recipient’s email or phone number and a preview of the message. This helps support quickly track and troubleshoot any notification-related inquiries.

Bulk account update API

We’ve introduced a new API that updates the attributes or disabled state of up to 1,000 users at once, making large-scale user management changes easier and more efficient.

Bulk customer invitation

Our Bulk customer invitation feature now supports uploading a CSV list of up to 200 users to invite. You just download a CSV file containing the identity store schema, fill in each user’s invitation email (required) and any attributes (optional), then click submit to send them all at once.

Connector statistics on the dashboard

Strivacity Directory Connector statistics now appear on the Strivacity Dashboard. You can monitor uptime, response times, and error messages right from your admin view.

In-journey Account Activation for phone/email identifiers

We’ve added a new capability to our Account activity feature that allows you to provide an in-registration account activation experience, requiring a one-time passcode sent to the email or phone identifier during the registration process.

Searching for accounts by email domain

When filtering in the Account Management portal, you can now search specifically by an email domain. Just start your query with “@” to filter by the domain portion of the email address.

JWTs for client authentication

Strivacity now supports JWT authentication for OAuth2 clients, giving you another secure method to validate and authorize client requests.

Other features

  • Create an account without a password in the Admin Console (STY-5845)
  • Independently control “Remember me” and “Remember my device” (STY-5856)
  • Add password maximum length to the password requirement indicator (STY-5879)
  • Support JWTs that are missing a trailing dot character (STY-5974)
  • Rearrange the account create/invite form in the Admin Console (STY-6010)

Bug fixes

We resolved several issues in this release, including:

  • Clicking “Back to login” on the password reset page resulted in an unexpected error (STY-5457)
  • Sending a password reset email from the Admin Console failed in some cases (STY-5833)
  • Date filters on the dashboard sometimes returned unexpected results (STY-5978)
  • Multiple consent steps in a journey incorrectly shared state (STY-6002)
  • MFA authentication journey step did not always follow attached policy (STY-6006)
  • Dashboard registration duration widget layout issues at certain browser sizes (STY-5503)
  • Broken tooltips in the Admin Console (STY-5950)
  • PDF generation failing in Firefox (STY-5969)

Customer self-service APIs

Build custom user management experiences directly within your brand’s portal using Strivacity’s My Account APIs. These APIs eliminate the need to use admin APIs for users making account changes on their own behalf. The same APIs power our My Account no-code component, enabling you to manage identifiers, attributes, passwords, consents, and personal data downloads.

Editing identifiers in My Account and self-service APIs

Users can now update their own identifiers directly within the My Account portal or through our self-service APIs.

Configurable brute-force attempt limits

Brute-force limits for both password and MFA authenticator challenges are now configurable on a per-session basis via Adaptive Access policies, giving you more control over security thresholds. Previously, brute-force limits were hard-coded to 3 attempts.

Granular username requirements

Username requirements can now be configured with minimum and maximum length settings. You can also enforce specific formats using regular expressions and define custom error messages for invalid inputs.

Enhanced password policy options

Password policies now include options to set maximum length requirements and disallow specific special characters.

Search for OIDC client IDs in applications list

You can now search for OIDC client IDs directly on the Applications page. This makes it easy to locate applications by client ID.

"Remember my device" on MFA passcode screen

The “Remember My Device” setting is now available on the MFA passcode screen, in addition to the MFA method chooser screen.

“Back to login” button on MFA screens

We’ve added “Back to Login” buttons to all MFA screens, including MFA method selection, MFA passcode, and MFA enrollment screens, improving the user experience.

Support for additional telephony providers for SMS

Strivacity now supports additional telephony providers, including Sinch and Infobip, for sending SMS messages.


Other features

  • Description field for policies
    Add descriptions to policies for easier management and documentation.

  • Sensitive customer input in Journey Builder
    Input steps set as “sensitive” within Journey Builder will display information inputted by customers as masked in logs, enhancing privacy for sensitive user data.

  • Date attribute indexing and filtering
    Attributes with date values can now be indexed and filtered for streamlined data queries.

  • Error messages based on HTTP error codes in brand policies
    Customize error messages triggered by HTTP error codes in brand policies.

  • New language support
    We added support for the following additional languages:

    • Arabic (Egyptian)
    • Creole (Cape Verdean)
    • Creole (Haitian)
    • Norwegian (Norway)
    • Polish (Poland)
    • Somali (Somalia)

Bug fixes

  • Fixed an issue where the account engagement widget incorrectly displayed an empty state.
  • Resolved an issue preventing spaces from being typed in dropdown filters.
  • Fixed an issue where the ‘&’ character was not allowed in email subject lines.
  • Corrected a problem where MFA options were not displaying in the self-service portal when logging in via an external account.

Released: July 2024

AI Assist

Strivacity AI Assist is an intelligent helper embedded directly within the Strivacity product, including the admin console, organization portal, and My Account portal. It leverages the latest advancements in large language models (LLMs), meticulously trained on our comprehensive product documentation and use cases. This allows AI Assist to provide contextually relevant advice, instructions, and explanations as you interact with the product. Talk to your Customer Success manager to set up AI Assist in your environment.

Passkeys

Strivacity has expanded its FIDO2 support (we are a FIDO2 certified server now) through the full support of passkeys. Passkeys make logging in easy and secure for customers by utilizing their device's biometric features, enabling multi-factor authentication in a single, easy-to-use step. We even include optional Passkey promotion pages to encourage users to upgrade to Passkeys when they create or change their passwords.

A/B Testing

Ever want to make a small change in your CIAM experience to see what happens without disrupting your entire user base? Do you want to understand how business objective achievement changes if you make a change to your customer’s experience?

With Strivacity’s A/B Testing feature, you can now create experiments, target customers for those experiments, and view the results. And our robust dashboard capabilities make it easy to gain deep insight into how these experiments could affect your bottom line. Strivacity’s A/B testing makes testing alternative workflows for your brand a snap.

Automated account lifecycle management

Automated account lifecycle management allows customers to perform automatic operations on accounts based on account activity/non-activity or if an account has certain group/role memberships or attributes. These actions happen automatically in the background and are captured and auditable, as always, inside of our Account Events.

Journey builder

We continue to build out our Journey Builder feature, enabling brands to construct custom journeys for their customers without the need to write any code. In this release we add:

🌟NEW🌟 Journey library: Strivacity now has an ever-expanding list of pre-built custom journeys for you to add to your applications.

🛠️UPDATE🛠️ Condition step: You can now create conditions based on group, role memberships, and time-based conditions.

🛠️UPDATE🛠️ Persist data step: You can now update a customer’s identifier in the persist data step.

🛠️UPDATE🛠️ Consent step: You can now present a selected consent to a user inside this new journey step. We also have a new dashboard widget to see your consent acceptance and revocation rates.

🛠️UPDATE🛠️ Custom code step: You can now author custom code as a journey step. It's like having a lifecycle event hook inside of your journey.

🛠️UPDATE🛠️ Set cookie step: You can now drop a cookie and populate it with context, account, or other local variable data.

Custom multi-factor authenticator

You can now create a custom authenticator integration that seamlessly embeds into the Strivacity policy-driven workflows. Once you’ve coded up your custom integration, this new authenticator becomes available inside any adaptive access policy. Works great for setting up integrations with Firebase and social providers such as WhatsApp or even Slack.

Code editor snippets

Lifecycle Event Hooks now have an expanding list of code snippets available right inside of Strivacity IDEs. These code snippets are curated specifically for each Lifecycle Event Hook type. Developers can use these as a quick start to customizing their brand’s customer journeys.

Other stories

  • Added the ability to define tags and apply them to applications and policies
  • You can now copy and clone journeys
  • Our account create and password change API endpoints now support an "ignorePasswordPolicy" flag when creating passwords via API.
  • Improved filtering experience for account management, policies, and other filter intensive administrative experiences
  • MFA change notifications are no longer sent if they are performed during an initial registration flow for an account.
  • Account locks are now distinctly called out inside of account events and can be tracked on the dashboard https://docs.strivacity.com/docs/account-events
  • Improved the user experience of assigning organization roles in the admin console
  • Added support for PageUp and PageDown buttons when viewing lists of things, such as policies
  • Added the ability to see the organization associated with an invitation inside the list of invitations
  • Added “?” as one of the specified special characters in the password quality policy https://docs.strivacity.com/docs/password-quality-settings
  • We’ve updated our bot risk scoring behavior to minimize false positives. https://docs.strivacity.com/docs/adaptive-rules
  • We doubled the size of our brand policy limits from 16k to 32k. https://docs.strivacity.com/docs/branding-visualizer
  • Account identifier information is now available inside of hook contexts.
  • The "skip mfa if there is only one method available" configuration in Adaptive Access policies is now available for registrations as well.
  • We now support Infobip as a telephony provider.

Bug fixes

  • Fixed an issue where a restricted character, the apostrophe ( ‘ ), was not causing the proper error (STY-5091)
  • Fixed an issue where an invalid secret would return a 500 error instead of 401 (STY-5377)
  • Fixed an issue where updating an organization role would populate the role list incorrectly (STY-5509)

Released April, 2024

Dashboard

https://docs.strivacity.com/docs/dashboard-overview

Our reimagined dashboard ensures brands get the data they need to make informed decisions about how to configure the product to achieve business outcomes. In this release you will see:

  • Login and registration successes, failures, and abandonment metrics as trends over time, rather than single counts
  • A list of failure reasons and the screen name of the step where the failure occurred
  • The median duration per step in a login/registration flow
  • Trends over time for forgotten username requests (requests vs. failures), password resets, MFA authentications and MFA registrations
  • Detailed Adaptive Access statistics, showing authentication step-up, step-down, and blocking action trends
  • Tracking of identity verification transactions
  • Tracking of SMS and SES email resend requests
  • Ability to create multiple custom dashboards
  • Ability to create multiple widgets of the same metric filtered differently
  • Ability to filter per-widget by dates and application clients
  • Easy PDF export of dashboards

These dashboard updates come with the added benefit of having more verbose account events, including more information about failure reasons, drop-off steps, and adaptive access outcomes.

Journey builder

https://docs.strivacity.com/docs/journey-builder

We continue to add new features and capabilities to our journey builder to make it easy to drop custom journeys into our existing policy-driven configuration.

New journey steps:

  • Password authentication step
  • Persist data collected to the user's account
  • Identity verification - insert any identity verification policy workflow as a journey step and branch based on the verification outcome.

Journeys can now be launched from additional hooks

Lifecycle event hook context can now be passed to a custom journey for use in conditions.

Local variables can be collected as data input and be used in conditional statements.

Condition statements now have a preview on the condition list screen.

Email and physical address risk

https://docs.strivacity.com/docs/email-and-physical-address-risk

Fraudulent accounts can cost brands money. Account onboarding is your first line of defense against fraudsters using false information to create accounts for nefarious purposes.

Strivacity’s email and physical address risk step allows brands to evaluate information submitted during onboarding for risk signals. Higher risk accounts can then either be blocked or further vetted to ensure authenticity.

Strivacity Bridge for on-premises directories

Brands can now connect to an on-premises LDAP connector to sync identities into the Strivacity identity store. Much like our Bridge for headers-based authentication, Strivacity’s Bridge for on-premises directories provides a path for organizations with legacy systems to adopt modern authentication approaches before they’ve shed their dependencies on these older technologies.

Account impersonation

https://docs.strivacity.com/docs/account-impersonation

Sometimes, the easiest way for a customer service representative to help a customer is to log in on their behalf and see exactly what the customer is seeing. With Strivacity’s Account Impersonation feature, customer service can temporarily log in as the customer using a time-limited access link.

Physical document verification updates

https://docs.strivacity.com/docs/document-verification

Brand admins can now map attributes captured from physical documents into native claims, allowing storage of that information in the user’s account, which can improve the customer onboarding experience.

Support for Web Application Firewalls

Brands can now put their own web application firewall in front of the Strivacity product to augment Strivacity security features and provide deeper control over access to the Strivacity product.

Account events updates

https://docs.strivacity.com/docs/account-events

More Account Event detail

Account events now contain:

  • Adaptive MFA results
  • Account locks that appear as failed authentications
  • Information received from external identity providers

Organization admin portal

https://docs.strivacity.com/docs/delegated-administration

B2B administrators can now view per-user account events so they can monitor access and troubleshoot issues.

Clear session of account after admin delete

Now when an administrator deletes an account, the user's sessions are cleared automatically, ensuring deleted accounts lose access immediately after deletion.

External login provider experiences

We’ve added external login buttons to the password screen so that external identity users can quickly log in if they have a remembered account.

We’ve also added a pre-external registration hook to allow customization and orchestration during external login registrations.

Developer experience

We’ve added character counters to all IDEs so developers can keep an eye on their character limits for code editors.

You can also now view a 10 minute/5000 line subset of lifecycle event hook logs by specifying a time stamp at the time of the log request.

Email sender address override for admin console notifications

You can now override the local-part of the sender email address for admin notifications.

Token lifespan and type configuration for OIDC clients

Each application client can now have its own, configurable, refresh, ID, and access token lifespans. You can also choose whether the access token format is opaque or uses JWT.

Other stories

  • Support for failover SMS/Telephony providers
  • Alphabetical organization and group ordering
  • Deploy "Password requirements indicator" as a default setting
  • Small table performance optimizations
  • Updated default Adaptive Access policy setting
  • Added monthly query option for existing statistic APIs
  • Custom upstream server path for bridge clients
  • Detect blocked cookies on the login page

Released January, 2024

Journey builder

A journey starts with a single step. 

We are pleased to announce the initial release of Journey Builder, a hub and spoke graphical interface that lets you design and implement custom sign-in, sign-up, and self-service journeys. This feature enhances the existing policy-driven configuration by dropping custom journeys into various parts of the existing workflows.

The initial release includes:

  • Ability to define the following types of journey steps:
    • Inputs - a native-claim-driven data collector step, for setting up multi-step registrations. This also supports displaying custom HTML in a journey step.
    • Conditions - a rule builder to perform conditional branching based on the value of native claims
    • MFA authentication - add an MFA step that maps to an existing adaptive access policy
  • Build multiple journeys
  • Trigger journey via lifecycle event hooks

Faster account searching with the ability to narrow results via filtering

We’ve updated and optimized our user data stores to support faster and more flexible searches. Expect to see:

  • Account filtering speed increase
  • Filtering on multiple fields to further narrow searches for accounts
  • Ability to filter accounts by created and last-login dates

Improved phone input field

We’ve updated our phone number input field to better support international phone number usability for all browsers and platforms.

New passcode input option

Our one-time passcode component now supports an additional segmented digit view, allowing you to make that authentication step just a bit more pleasant for your customers.

Email sender domain override 

If you use your own SMTP server with Strivacity, you can now override the email domain with a custom value.

Organization portal customization 

We’ve added features to make it easy to modify your customer service representatives' view into your customer’s accounts. Hiding and showing identity store attributes, as well as conditional invite forms are now possible.

Search all users in an organization hierarchy branch

For organization structures that have the unique identifier setting enabled, organization admins can now do a single search for accounts across all of the organizations in the hierarchy they have administrative rights for.

Password change Lifecycle Event Hook

Developers can now write code that triggers after a user’s password has been changed. This can be used to sync passwords to an external identity store. 

Support for login hints for SAML clients

We now allow SAML clients to consume OIDC-style login hints. This facilitates sending various parameters from a brand’s web portal to the login and registration flow. These parameters can then be used to alter the customer journey in many useful ways. Welcome to the party, SAML!

Simplified login API

We've introduced a streamlined authentication solution with our new client type, OAuth2/OIDC - Simplified. This feature offers simplified access via API, supporting password authentication exclusively.

Other stories

  • Added NameID from authentication results to external metadata
  • Introduced a maximum password length

Released September, 2023

Password history, age limits, and sequential characters

https://docs.strivacity.com/docs/password-quality-settings#password-history
Strivacity now allows you to add password history, age limits, and sequential character restrictions to your password policy to ensure brands stay compliant with their internal security policies.

Account lockout

https://docs.strivacity.com/docs/account-lockout
A customer’s account can now be locked automatically based upon a configured number of failed login attempts. Locked accounts can be re-enabled by customer support via the Account Management feature or via API.

Password strength indicator

Brand administrators can now provide their customers real-time visibility into password requirements as they are typing their password.

Support for different password hashing algorithms

We’ve introduced flexibility in password hashing methods, allowing administrators to specify alternatives. Supported methods include Argon2, bcrypt, and more. Our identity store service offers a standard hashing option, with administrators able to set a "current" method. During validation, if the stored method differs from the current one, the authenticator is updated to the new method.
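
The upgrade-on-validation behaviour described above, sketched as an added example (not Strivacity's code). It uses the standard library's PBKDF2 and scrypt as stand-ins for the Argon2 and bcrypt methods the page names; the record format `method$salt$digest` and all function names are assumptions.

```python
"""Added illustration: move a stored password hash to the "current" method
the next time the user authenticates. Not Strivacity's implementation."""
import base64
import hashlib
import hmac
import os


# Stand-in methods from the standard library (assumption: a real deployment
# would register Argon2 or bcrypt here instead).
def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def _scrypt(password: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


METHODS = {"pbkdf2-sha256": _pbkdf2, "scrypt": _scrypt}
CURRENT_METHOD = "scrypt"  # the administrator-selected "current" method


def hash_password(password: str, method: str = CURRENT_METHOD) -> str:
    """Return a self-describing record: method$salt_b64$digest_b64."""
    salt = os.urandom(16)
    digest = METHODS[method](password.encode(), salt)
    return "$".join([method,
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, new_record); new_record is None unless a rehash is due."""
    try:
        method, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        kdf = METHODS[method]
    except (ValueError, KeyError):
        return False, None  # malformed record or unknown method: fail closed
    # Verify with the method the record was created with, in constant time.
    if not hmac.compare_digest(kdf(password.encode(), salt), expected):
        return False, None
    # Only a successful verification gives us the plaintext needed to rehash.
    if method != CURRENT_METHOD:
        return True, hash_password(password)
    return True, None


def login(store: dict, user: str, password: str) -> bool:
    """Check a password against the store and persist any upgraded record."""
    record = store.get(user)
    if record is None:
        return False
    ok, upgraded = verify_and_upgrade(password, record)
    if ok and upgraded is not None:
        store[user] = upgraded
    return ok


if __name__ == "__main__":
    # Constructed sample: one account still stored with the older method.
    store = {"alice": hash_password("correct horse", method="pbkdf2-sha256")}
    print(store["alice"].split("$")[0])      # method before login
    print(login(store, "alice", "correct horse"))
    print(store["alice"].split("$")[0])      # method after login
```

Accounts that never log in again keep their old method, so the set of accepted methods can only shrink once those records are reset or expired.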

Single logout support for SAML 2

Brands can now implement both IdP (identity provider) initiated and SP (service provider) initiated single logout for SAML 2 clients.

New identifier configuration options

Our identity stores now support granular controls for username and email identifiers. With this feature you can easily migrate and support legacy username identities while at the same time requiring new accounts to register with email addresses.

Localization language selection updates

https://docs.strivacity.com/docs/translations#display-language-precedence
We now support different methods of determining which localized language is shown to the user, including specifying the language preference coming from the brand portal via login hints.

Lifecycle event hook updates

  • Added Organization and Group context into the After Failed Identification and Pre-Registration Lifecycle Event Hooks
  • The Before ID Token Generation hook can now add custom values into the access token

Organization support enhancements

We now include more information about organizations inside of the Lifecycle Event Hook context, including the customer’s organization membership and the organizational roles assigned.

Other stories

  • Geo-location selection improvements in adaptive rules
  • Support for message-level encryption for external login providers
  • Ability to enroll email MFA via magic link
  • Audit log entries for translation-related actions
  • Seamless Lifecycle Event Hook assign/unassign
  • Allow "&" character for brand names in the brand policy
  • New hook to customize SAML assertions
  • Expose last login information to Lifecycle Event Hook contexts
  • Increase invite link max age to 30 days
  • Increase the max "Keep me logged in" session length to a full 2 years
  • Added minute precision for the "Session inactivity timeout" setting

Released April, 2023

Organization management

Strivacity’s improved organization management capabilities allow you to provide unique sign-in and sign-up journeys to specific populations of customers. And, as usual, we do it in a way that provides a high amount of flexibility using no-code configurations. This allows brands to support many B2B and B2B2C use cases, including offering enterprise SSO to your business customer or white-labeling your product to other vendors. We now support the ability for multiple organizations to log into multiple application clients, creating even more flexibility and ease of configuration for your complex situations.

Document verification

Is KYC (know your customer) on your list of requirements? Need to establish a high level of assurance that your prospective customer is who they say they are? We now offer native support for document verification, which requires prospective customers to prove their identity using a driver's license or passport. Again, we do all the heavy lifting for you here, including managing the relationship with the ID verification vendor and providing hosted components for all of the verification journeys. All achieved using our low-code, configuration-first approach.

Conditional notification content

Have a welcome email that needs to be personalized for a specific user segment? We have the solution for you: conditional notification content. You can now put conditional logic (IFs, ELSEs, etc.) into notification templates that key off native claims or group memberships, allowing you to put that special touch on each notification you send to your customers.

Multi-factor authentication enhancements

Does your customer only have one MFA method registered? Then why are you asking them to choose an MFA method when signing in? Oh right, we didn't support that before. Now we do!
Want to give your users more options for MFA? You can now show both mandatory and optional methods of MFA during the sign-up process.
We've also added MFA capabilities for external login providers, so you can add multi-factor authentication to enterprise and/or social logins.

Identity store-based access control

We've amped up our brand administrator role-based access control (RBAC) to include restriction of access to specific identity stores. This can come in handy if you have to restrict user management between multiple business units. We also made the RBAC controls a bit easier to use by grouping related permissions together.

OIDC backchannel logout

When you absolutely, positively, have to make sure that session has been killed. OIDC backchannel logout informs your brand portal when a session has been revoked, whether that session has been invalidated by an administrator or by the customer themselves. You'll have to do a little work on your brand portal to make it work, but trust us: you'll be glad you did.

Keep me logged in and remember my device available during registration

You can now offer "remember my device" and "keep me logged in" during the registration process ensuring that sign-ups have the least amount of friction possible. It's like seamless, only with less seams.

Social account linking during login

Did your customer sign up for your service with an email address associated with one of their social accounts? Now, if they try to use the social login button to log in, you can offer to link the social and local account together instead of asking them to create a new account.

Language support

  • Localize all of your custom admin console content, including notifications, consents, custom attribute display names and error messages, identity verification content, and brand policy additional text
  • Ensure customers get the right language experience
  • Admins can select the language when inviting or creating a new customer
  • Customers can select their language preference during login, registration, and when using the My Account portal. That preference is stored in the account record and used to determine which language version to show to the user in customer journey steps and in notifications

SMTP/Email servers

Brands can either use Strivacity’s built-in SMTP server or configure their own enterprise SMTP server to send email notifications.

New admin console design and navigation

  • New visual design
  • Better usability
  • Better use of white space - full width screens, multi-column layouts, collapsible left navigation
  • Updated navigation - better categorization of menu items
  • Split up long configuration pages into smaller chunks

Custom favicon support

Add a custom favicon to a brand policy

Organizations

  • Provide a different customer journey to a user based upon membership in an organization
  • Allow for self-service creation of organizations
  • Support B2B and B2C customers accessing the same application

Multi-stage registration hook

  • Break up registration flows into multiple steps
  • Provide different steps based on information gathered during registration

External login for admin console

  • You can use your own enterprise login to sign in to the Strivacity admin console

Released: February, 2023

Strivacity’s newest product release, version Kyiv, introduces additional support for complex B2B use-cases, new identity verification methods, and many other improvements that make delivering forgettable sign-in and sign-up journeys for your customers a snap.

Enhanced organization management

Strivacity’s improved organization management capabilities allow you to provide unique sign-in and sign-up journeys to specific populations of customers. And, as usual, we do it in a way that provides a high amount of flexibility using no-code configurations. This allows brands to support many B2B and B2B2C use cases, including offering enterprise SSO to your business customer or white-labeling your product to other vendors. We now support the ability for multiple organizations to log into multiple application clients, creating even more flexibility and ease of configuration for your complex situations.

Document verification

Is KYC (know your customer) on your list of requirements? Need to establish a high level of assurance that your prospective customer is who they say they are? We now offer native support for document verification, which requires prospective customers to prove their identity using a driver's license or passport. Again, we do all the heavy lifting for you here, including managing the relationship with the ID verification vendor and providing hosted components for all of the verification journeys. All achieved using our low-code, configuration-first approach.

Conditional notification content

Have a welcome email that needs to be personalized for a specific user segment? We have the solution for you: conditional notification content. You can now put conditional logic (IFs, ELSEs, etc.) into notification templates that key off native claims or group memberships, allowing you to put that special touch on each notification you send to your customers.

Multi-factor authentication enhancements

Does your customer only have one MFA method registered? Then why are you asking them to choose an MFA method when signing in? Oh right, we didn't support that before. Now we do!

Want to give your users more options for MFA? You can now show both mandatory and optional methods of MFA during the sign-up process.

We've also added MFA capabilities for external login providers, so you can add multi-factor authentication to enterprise and/or social logins.

Identity store-based access control

We've amped up our brand administrator role-based access control (RBAC) to include restriction of access to specific identity stores. This can come in handy if you have to restrict user management between multiple business units. We also made the RBAC controls a bit easier to use by grouping related permissions together.

OIDC backchannel logout

When you absolutely, positively, have to make sure that session has been killed. OIDC backchannel logout informs your brand portal when a session has been revoked, whether that session has been invalidated by an administrator or by the customer themselves. You'll have to do a little work on your brand portal to make it work, but trust us: you'll be glad you did.
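
The work on the brand portal side is mostly validating the logout token the identity provider POSTs and ending the matching session. The sketch below is an added example (not Strivacity code) of the claim checks from the OpenID Connect Back-Channel Logout 1.0 specification. It assumes the JWT signature has already been verified with a JWT library; the issuer, client ID, session store and `max_age` window are hypothetical.

```python
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def check_logout_claims(claims, issuer, client_id, seen_jti, now=None, max_age=120):
    """Validate decoded logout-token claims; return (sub, sid) or raise ValueError.

    Assumption: the JWT signature was already verified against the issuer's keys.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise ValueError("iat missing or outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("not a backchannel logout event")
    if "nonce" in claims:
        raise ValueError("nonce present: this is not a logout token")
    sub, sid = claims.get("sub"), claims.get("sid")
    if not (sub or sid):
        raise ValueError("neither sub nor sid present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)  # remember accepted tokens so a replay is rejected
    return sub, sid

def end_sessions(sessions, sub, sid):
    """Drop the session matching sid when given, otherwise every session of sub."""
    doomed = [key for key, s in sessions.items()
              if (sid and s["sid"] == sid) or (not sid and s["sub"] == sub)]
    for key in doomed:
        del sessions[key]
    return doomed

# Constructed sample data: issuer, client ID and session IDs are placeholders.
ISSUER, CLIENT_ID = "https://idp.example.test", "portal-client"
SESSIONS = {"cookie-a": {"sub": "u1", "sid": "s-100"},
            "cookie-b": {"sub": "u1", "sid": "s-200"}}
TOKEN = {"iss": ISSUER, "aud": CLIENT_ID, "iat": 1700000000, "jti": "j-1",
         "sid": "s-100", "sub": "u1", "events": {LOGOUT_EVENT: {}}}
```

In a real portal the `seen_jti` set and the session store would live in shared storage so that every application instance sees the revocation.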

Keep me logged in and remember my device available during registration

You can now offer "remember my device" and "keep me logged in" during the registration process ensuring that sign-ups have the least amount of friction possible. It's like seamless, only with less seams.

Social account linking during login

Did your customer sign up for your service with an email address associated with one of their social accounts? Now, if they try to use the social login button to log in, you can offer to link the social and local account together instead of asking them to create a new account.

Resolved issues

Description (issue ID)

  • Fixed a 500 error response when attempting to add authenticators via the admin API (STY-3607)
  • Fixed an issue where account events could not be filtered by API-only applications (STY-3360)
  • Fixed an issue where NPM dependencies could not be loaded in some cases (STY-3398)
  • Fixed an issue where LEH hooks would not deploy due to UUID length (STY-3380)
  • Fixed CVE-2022-41912 (STY-3563)
  • Fixed an issue where activation emails were sometimes not sent (STY-3542)
  • Fixed an issue where searching for a group member via given/family name was not working (STY-3533)
  • Fixed an issue where clicking on links in consent content in the self-service portal would toggle the consent agreement (STY-3213)
  • Fixed an issue where we exposed a regular expression rather than a human-readable error message when creating a username (STY-3495)

Released: May, 2022

The Vienna release is our largest release yet. It combines industry standard identity affirmation features, sophisticated fraud detection and mitigation, and bleeding edge FIDO-based authentication protocols. We also continue our “clicks not code” approach with a visual brand editor as well as an expanded list of pre-canned integrations with social, identity, and analytic providers. We’ve also made it easier for your customers to integrate their social login accounts, reset their password without an email address, and launch the applications they have access to right from the My Account portal.

There is a lot to cover, so let’s get started.

Identity verification

It is important to know your customers are who they say they are. This can greatly reduce the level of fraudulent transactions on your service and keep your customers’ accounts safe.

We make this easy by integrating with 3rd party phone carrier providers and credit agencies while offering pain-free registration workflows that make it easy for a customer to verify their identity.

In the Vienna release, we implement a highly configurable customer journey builder that allows you to control your customer’s experience when verifying their identity. You have full control over what your customers see, how their data is collected, which verification techniques are used, and how the customer is handled if they fail to verify their identity. Balancing registration friction and fraud prevention has never been easier.

See: Identity verification

Customer Journey Builder

Fraud detection

No one wants fraudulent activity to occur on their platform. Fraud puts your customers’ accounts and your brand’s reputation at risk. We make it easy by providing out-of-the-box fraud mitigation tools that reduce the risk of your brand becoming a headline.

Bot detection

Our Vienna release adds an IP-based bot detection feed to stop consumer bots in their tracks. We’ve also added network analysis, allowing you to block or step-up connections that come from Tor or other anonymous proxies.

See: Bot detection

Phone fraud

We can also detect if a phone number being used as an authenticator has been recently ported or is associated with VoIP phone types that are often used by scammers.

See: Phone fraud documentation.

Improbable travel

Can you travel faster than a commercial airline? If you can, you might be a bad actor. We can compare the time and location of recent logins and determine that traveling that far in that amount of time would be…well…improbable. You can then configure the system to require MFA on the questionable authentication to reduce the risk of fraudulent activity.

See: Adaptive rules: an overview
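
An added illustration of the improbable-travel check described above (not Strivacity's implementation): it derives the speed implied by two consecutive logins and asks for MFA when that speed exceeds an assumed threshold. The 900 km/h threshold, the minimum-distance cutoff and the sample logins are constructed for the example.

```python
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0   # assumption: about airliner cruise speed
MIN_DISTANCE_KM = 100.0     # assumption: ignore hops within IP-geolocation error
EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def assess_login(prev, curr):
    """Compare two logins; return (decision, distance_km, speed_kmh)."""
    km = haversine_km(prev["geo"], curr["geo"])
    if km < MIN_DISTANCE_KM:
        return "allow", km, 0.0
    hours = (curr["ts"] - prev["ts"]).total_seconds() / 3600
    # No elapsed time over a real distance is treated as infinite speed.
    speed = km / hours if hours > 0 else math.inf
    decision = "require_mfa" if speed > MAX_PLAUSIBLE_KMH else "allow"
    return decision, km, speed

def utc(stamp):
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

# Constructed sample logins for one account (not real data).
LOGINS = [
    {"ts": utc("2022-05-02T08:00:00"), "geo": (48.2082, 16.3738)},   # Vienna
    {"ts": utc("2022-05-02T08:40:00"), "geo": (48.1486, 17.1077)},   # Bratislava
    {"ts": utc("2022-05-02T10:00:00"), "geo": (40.7128, -74.0060)},  # New York
    {"ts": utc("2022-05-03T09:00:00"), "geo": (48.2082, 16.3738)},   # Vienna
]

def review(logins):
    """Assess each login against the one before it, in time order."""
    ordered = sorted(logins, key=lambda event: event["ts"])
    return [assess_login(p, c)[0] for p, c in zip(ordered, ordered[1:])]

if __name__ == "__main__":
    print(review(LOGINS))
```

Only the Bratislava to New York hop, about 6,800 km in 80 minutes, is flagged; the short hop and the next-day return are allowed.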

Behavior analytics

Finally, we can check a customer’s login time, day, and location and compare that to past behaviors to determine whether to require MFA for that customer. This makes your customer’s normal login behavior as friction-free as possible while maintaining the security everybody expects.

See: Adaptive rules: an overview

Adaptive MFA

FIDO2

We continue to expand our list of authenticator options to ensure your customers have an easy and safe authentication experience. In this release, we’ve added support for FIDO2 platform and roaming authenticators. Your customers can now access your site using their face or fingerprint from a mobile or desktop/laptop device. Security has never been easier!

See: Multi-factor methods: an overview

Mobile SDK

We are also expanding that authentication and biometric support to your brand’s iOS and Android mobile app. When you integrate our new mobile SDK into your brand’s app, you allow customers to quickly and securely authenticate across all the platforms where your brand lives.

See: Mobile SDK overview

Visualize your brand with our brand policy visualizer

Getting that pixel-perfect representation of your brand in a 3rd party service can be cumbersome and time-consuming. Strivacity’s new visual brand editor makes this process a snap. Our editor shows you each piece of the customer journey and allows you to make real-time updates to the experience. When you change a color, you instantly see the effects of that change. No more going back and forth between the admin UI and a test customer account trying to get the experience just right. You’ll have confidence the changes you made are the right ones because you’ll see the changes right when you make them.

Visual Brand Editor

See: Using your logos and color schemes

Plugin library

We’ve moved our Lifecycle Event hook repository to a new place in the Admin Console. We’ve created a plugin library where you can now find off-the-shelf event hook templates that allow you to

  • improve existing customer lifecycle capabilities,
  • customize features,
  • or integrate with external systems.

Plugin library preview

See: Setup and manage lifecycle event hooks

Integrations

More clicks, less code. That’s our mantra. We introduce a slew of new integrations in our admin experience to make 3rd party support super easy.

In the Vienna release we now natively support:

Identity providers

  • Azure Active Directory
  • PingFederate
  • Okta

Passwordless vendors

  • HYPR
  • Transmit BindID

Web analytics

  • Google Analytics
  • Google Tag Manager
  • Amplitude
  • Mixpanel

Social logins

  • LinkedIn
  • Amazon
  • Apple

Your customer’s experience, only better

Your customer’s success is our success. We do whatever we can to make your customer’s experience easier and more secure.

Password reset via phone

We now support resetting your password without the need of an email address. If a customer has a valid phone authenticator, they can now use it to reset their password.

See: Password reset

Application launcher

If you have multiple apps that a customer can access, they can now see the applications they have access to and launch them right from the My Account portal.

See: Application launcher

Account registration via invitation

Administrators can now send an email invite to a customer (or another administrator) to sign up for an account.

See: Customer invitation
See: Inviting administrative accounts

But wait, there’s more!

There are too many great features to wax poetic about, but you can also look forward to:

Resolved issues

Description (issue ID)

  • Fixed issues where the branding fails to load sometimes (STY-2483, STY-2951)
  • Fixed an issue where a new SAML application would only provide expired metadata (STY-2624)
  • Fixed an issue where the "Back to login" button did not appear when expected (STY-2638)
  • Fixed an issue where the "Passwords do not match" message would not update after making the passwords match (STY-2670)
  • Fixed an issue where the same email address would appear twice on an MFA target screen (STY-2738)
  • Fixed an issue where a "Service provider not found" error occurred when logging in via a SAML external login provider (STY-2741)
  • Fixed an issue where MAUs were reported incorrectly (STY-2964)
  • Fixed an issue where end dates were incorrectly handled on the dashboard (STY-3018)
  • Fixed accessibility issues (STY-3080, STY-3081)
  • Fixed an issue where a SAML2 request would throw a "Request header field too large" error (STY-3125)
  • Fixed an issue where dashboard data could not be downloaded (STY-3133)