For self-managed software and hybrid cloud customers, new enhancements address MFA prompt bombing, enable smooth integrations, and improve user experiences
Fully 82% of enterprises operate hybrid cloud environments1, meaning they run a mixture of on-premises software and cloud (public and private) services. Indications are that the hybrid cloud model will continue for many years to come. ForgeRock remains committed to helping organizations deliver advanced, unified identity and access management solutions, and to deploy and manage them within whatever environments work best. To that end, we are pleased to announce that the ForgeRock Identity Platform 7.3 software is now available.
The 7.3 release is the latest version of ForgeRock software for our self-managed customers. These include enterprises that for a variety of reasons — locus of control or regulatory reasons, for example — prefer to install and run the software themselves. The software can be installed on-premises, with a preferred cloud provider, or in a hybrid cloud mode. The software offers an abundance of deployment options to meet the needs of customers with the most complex IT environments.
It's worth noting that ForgeRock also offers the ForgeRock Identity Cloud for customers seeking a turnkey SaaS solution. ForgeRock's "cloud-first" strategy means that many of the features in the 7.3 software discussed below are already available to our cloud customers.
What's new in 7.3? The software covers a lot of ground, spanning four product areas:
- ForgeRock Access Management 7.3, with Web Agent 2023.2 and Java Agent 2023.2
- ForgeRock Identity Management 7.3
- ForgeRock Directory Services 7.3
- ForgeRock Identity Gateway 2023.2
New 7.3 features that enhance security and user experience
One of the most insidious authentication attacks of recent memory is known as MFA prompt bombing. This social engineering attack relies on inattentive users absentmindedly approving mobile push notifications set off by the bad guys, allowing the attackers to essentially defeat multi-factor authentication (MFA). The 7.3 release includes a push notification with number challenge in which the user validates the sign-in attempt by tapping the number on the mobile device that is shown in the browser sign-in instructions. If the user picks the correct number, the authentication succeeds. Details about where the sign-in attempt originated are provided below the number choices on the mobile authenticator app, providing an additional data point to verify to the user that the authentication attempt is legitimate.
To secure and deliver superior end-user digital experiences, server-side resources need to be aware of client-side data states and be able to take certain actions. In 7.3, a lot of work went into session enhancements that help address these needs. Logout by UserID enables an administrator to logout all users regardless of the session storage or token type. This means that if a bad actor is identified, an administrator can terminate all the compromised user's sessions so the bad guys can't simply jump to another open browser session to continue their attack.
Enhanced session tracking easily follows a client-side session from creation, to upgrade, to termination, giving better visibility to the server-side admins so they can detect and initiate a decision should an action need to be taken (see "Logout by UserID" above!).
Have you ever been engaging with a website, entered some information, and decided to register or log in only to have the information you entered disappear? This creates an intensely negative experience for users and often leads to users abandoning their interactions. Post login data preservation prevents pre-authenticated users from losing data they have already entered before they log in to an application. Data preservation helps to delight users instead of frustrating them and leading them to abandon their sessions.
And there is more:
- Logging out users in stateless client-side sessions
- Support for OAuth email authentication
- Group scalability that helps supercharge performance of directory services
- And dozens of other enhancements, features, and fixes
ForgeRock is dedicated to supporting our customers in whatever deployment configuration they prefer: as-a-service, self-managed, or hybrid cloud. You can find out more from the Release Notes and the full 7.3 product documentation, and you can download the software.
