Skip to main content

CyberArk Identity 23.9 Release

CyberArk Identity 23.9 Release

With the 23.9 release, CyberArk Identity supports the following new features:

Multi-Factor Authentication (MFA)

Updated Behavior Change in Default Values for Authentication on ISPSS Tenants

CyberArk Identity features an authentication “deception mode” – ISPSS end users are always shown secondary authentication challenges even if they fail the initial one. For example, end users are prompted to pass an MFA challenge after incorrectly providing a username and password. This ensures that attackers can’t determine the validity of initial credentials and reduces the risk of brute-force password attacks.

With this release, the “deception mode” is now disabled by default to notify end users if the first authentication challenge is unsuccessful. While less secure , this update improves the end-user experience and reduces the need for IT helpdesk support by ensuring that legitimate users do not inadvertently lock their accounts after consecutive failed login attempts.

Default behavior change in default values for ISPSS tenants

Default behavior change in default values for ISPSS tenants

Learn more about configuring the login experience to notify the user of a failed MFA challenge.  

CyberArk Identity Splunk Add-on Upgraded to Version 3

CyberArk Identity now integrates with Splunk Add-on v3, which supports Splunk Enterprise 8.2 and above. This is based on Splunk’s recommendation to better support our security integration and event management (SIEM) integration capabilities. With this Splunk Add-on, you can categorize event log data captured from CyberArk Identity Next-Gen Access activity and normalize these events for Splunk Common Information Model (CIM) compatibility. This allows real time analysis and risk mitigation to identify a potential breach in progress. It minimizes the risk associated with user access, centralizes visibility across enterprise deployments and leverages existing investments in SIEM and alert tools without additional costs.

Splunk

Learn more about the changed default behavior for ISPSS tenants.  

Workforce Password Management

Secured Notes Import from Third-party Password Managers 

CyberArk Workforce Password Manager (WPM) provides extensive account and secure note import capabilities to simplify migration from your existing password managers. This release extends secure note import to third-party password managers, including KeePass, Google and Dashlane . CyberArk WPM users can securely store notes in their CyberArk Identity Cloud or the CyberArk Privileged Access Manager (PAM) Self-Hosted Vault. Using an intuitive interface, end users can export existing notes to a CSV file and import them into the solution. 

Workforce Password Management

Learn more about importing notes and credentials

Passphrase Generator

CyberArk WPM is designed to reduce the risk of weak, reused and easy-to-guess passwords for business applications. Previously, CyberArk WPM allowed users to create highly complex passwords using a password generator feature. Now, CyberArk WPM provides an option to create passphrases instead of randomly generated passwords. Passphrases can be easier to remember for humans and harder to crack for machines.

For example, instead of using an alphanumeric string, such as “L74$V6aY!^H2” as a password, end users can now generate a memorable yet hard-to-guess passphrase such as “Alpaca_denied<_shoe_loan!.” Both administrators and end users can configure   the number of words in passphrases and specify separators, symbols, numbers and cases to enhance security.

Passphrase Generator

The passphrase generator feature is available in the password generator tool within CyberArk Identity Browser Extension password. 

Learn more about generating passphrases

Credential Autofill for Apps not Present in the CyberArk App Catalog

CyberArk WPM allows end users to import applications that do not exist in the CyberArk App Catalog. Previously, these apps could be launched from the CyberArk WPM portal but required end users to manually copy and paste their credentials to log in  . Now, all apps, including applications not in the CyberArk App Catalog, support credential autofill. This provides a better user experience and enables seamless login to all applications protected by CyberArk WPM.

CyberArk App Catalog

Automatically insert end-user credentials for all apps

Learn more about managing web apps with Workforce Password Management

CyberArk Secure Web Sessions

Session Control Enhancements 

CyberArk Secure Web Sessions introduced the Session Control security layer in the CyberArk Identity 23.1 release. Session Control allows administrators to define notification and enforcement rules for specific text and number fields within web applications. With this release, administrators can now also block buttons and links within any web application protected by CyberArk Secure Web Sessions. 

For example, administrators can now create rules to prevent users from clicking the “download” button for specific sensitive reports or blocking users from accessing hyperlinked services within apps. Session Control rules are easy to create for specific users, groups and roles and provide the option to enforce conditions, send push notifications to the CyberArk Mobile app or send alerts through email. 

Session Control rules

Learn more about Session Control rules

Create Session Control Rules Directly from the Session Timeline

CyberArk Secure Web Sessions records user activities within protected apps using a “stepper” approach. Actions like mouse clicks and keystrokes trigger a screenshot of a user’s browser window and relevant metadata. Administrators can audit user activities by reviewing a Session Timeline, which provides context and a step-by-step breakdown of the actions taken before, during and after a security event. Administrators can create and modify Session Control rules directly from the session timeline tab with this release. For example, suppose an administrator auditing a session for a cloud management console notices the addition of a user with a non-company email domain. In that case, they can define a Session Control rule that only allows users with a specific email domain to be created. This simplifies the Session Control rule creation and provides administrators the flexibility to define preventive controls from specific steps in the timeline.

Session Control

Learn more about creating a rule from the session timeline

Read more about the CyberArk Identity 23.9 release in the release notes.