Geneva

The Geneva release strengthens session security and improves authentication flexibility.

Important: This release includes breaking changes affecting:

  • Auto verification of email/phone identifiers:
    For identity stores where activation is required, this change means:
    • Activation emails will no longer be sent if the identifier becomes verified through MFA enrollment, so any existing flows that rely on the activation email being sent (custom messaging or hooks) may behave differently.
  • MFA persistence with “Keep me logged in”:
    • When “Keep me logged in” is enabled, MFA authenticators are now treated as both kept and remembered, which may reduce how often customers are prompted for MFA across multi-step authentication flows. Customers relying on strict MFA re-authentication intervals should review their Adaptive Access and session policies.

Please check with your Customer Success representative before upgrading.


New features and enhancements

Authentication and sessions

  • Absolute refresh timeout for tokens
    You can now configure a maximum refresh period. Once the period expires, silent refresh stops, and a full login is required, ensuring that long-lived sessions eventually require re-authentication.
  • Seamless SSO without “Keep me logged in”
    Device session refresh combined with short-lived authenticators enables cross-application SSO without requiring user opt-in.
  • “Keep me logged in” for passwordless flows
    Users can now choose to “keep me logged in” during passwordless sign-ins, so they won’t be asked for MFA again on that device until the security policy says it’s time to re-verify.
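
An added illustration (not Strivacity code or configuration) of how an absolute refresh timeout bounds a sliding refresh window, so that even a continuously active client is eventually sent back to a full login. The names RefreshPolicy, refresh_ttl and absolute_timeout and the durations used are assumptions made for this example.

```python
# Illustrative model only: names and values are assumptions, not Strivacity settings.
from dataclasses import dataclass
from typing import Optional

HOUR = 3600

@dataclass(frozen=True)
class RefreshPolicy:
    refresh_ttl: int                 # sliding window granted by each refresh (seconds)
    absolute_timeout: Optional[int]  # cap measured from the full login; None = no cap

@dataclass
class Session:
    login_at: int            # time of the last full, interactive login
    refresh_expires_at: int  # refresh credential is unusable at or after this time

def _deadline(policy, session):
    if policy.absolute_timeout is None:
        return None
    return session.login_at + policy.absolute_timeout

def _clamp(expiry, deadline):
    return expiry if deadline is None else min(expiry, deadline)

def full_login(policy, now):
    session = Session(login_at=now, refresh_expires_at=now)
    session.refresh_expires_at = _clamp(now + policy.refresh_ttl, _deadline(policy, session))
    return session

def silent_refresh(policy, session, now):
    """Slide the window and return True, or return False when a full login is required."""
    deadline = _deadline(policy, session)
    if deadline is not None and now >= deadline:
        return False  # absolute cap reached: continued activity no longer helps
    if now >= session.refresh_expires_at:
        return False  # idle too long: the sliding window already lapsed
    # Never issue a refresh credential that outlives the absolute deadline.
    session.refresh_expires_at = _clamp(now + policy.refresh_ttl, deadline)
    return True

def first_forced_login(policy, refresh_every, horizon):
    """Time at which an always-active client is first refused, or None within horizon."""
    session = full_login(policy, 0)
    for now in range(refresh_every, horizon + 1, refresh_every):
        if not silent_refresh(policy, session, now):
            return now
    return None
```

With a one-hour sliding window and an eight-hour cap, a client refreshing every 30 minutes is refused at the eight-hour mark; with no cap, the same client is never refused.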

Identity verification and risk

  • Contact risk evaluation (email/phone)
    Run identity fraud risk checks before persisting contacts used as identifiers, authenticators, or attributes across the login flow, the Admin Console, My Account, Organization Portal, and API integrations.
    • Block suspicious targets (for example, disposable email, risky phone number).
    • Allow configurable retries; do not re-evaluate in the same session.
    • Full policy traceability and audit logs.
  • Automatic identifier verification during MFA enrollment
    Strivacity now automatically verifies an email address or phone number when a user successfully enrolls the same contact method as a multi-factor authentication (MFA) method. This update helps reduce unnecessary verification steps and simplifies the user experience during registration and login.
  • Expanded self-service account unlock
    Self-service account unlock now supports both temporary and permanent password locks. Previously, permanently locked accounts required administrator intervention, even when self-service unlock was enabled. This update allows users to recover access through the self-service unlock flow for all password-based lockouts, reducing admin overhead and improving account recovery.

Administration

  • Automatic CORS configuration for native web clients
    Native web clients no longer require manual DevOps intervention to enable CORS access. Strivacity now automatically configures the appropriate CORS headers based on each client’s SDK configuration, streamlining onboarding and reducing operational overhead.

Bug fixes

  • Chart legends now render correctly outside their container for dashboards using hoverable legend charts.
  • Fixed an issue where the phone identifier validator did not properly validate pre-filled values when saving user changes in the Admin Console.
  • The Admin Console now correctly marks phone number identifiers as required when configured as mandatory in the identity store.
  • Resolved an issue where admin account update notification emails were only partially translated due to an incorrect locale fallback.
  • Fixed an issue where identity store names were not displayed correctly on the Edit Application page when more than 25 stores existed.
  • Corrected how native claims are displayed in Journey input steps after applying changes.

If you have questions about upgrading or want help validating your custom branding or dashboards against these changes, please reach out to your Customer Success contact.