a good thing!
The new version of PingID includes a security enhancement related to optimal asymmetric encryption padding for offline authentication. Additionally, the new release of Mac login (v1.1) requires multi-factor authentication, not just for the initial login, but also for logging in when the lock screen is displayed.
The new enrollment page simplifies administration while providing admins with additional customization and branding capabilities. This will allow for a smoother onboarding experience for end users in order to increase MFA adoption across your organization. On July 1st, customers who haven’t moved will be automatically migrated.
The latest version of the PingID mobile application (1.15) adds support for the upcoming release of Windows Passwordless Login, Ping Identity's first Windows machine passwordless solution for your workforce. Additionally, One Time Passcodes now support the use of letters as well as numbers during certain Windows login passwordless flows. Improvements to performance, security and reliability have also been made.
Low risk activity? Let employees keep working uninterrupted. Administrators can now configure MFA policies that reduce friction and only trigger action when it makes sense, based on a risk score calculated by PingOne Risk or other supported third-party risk services. Admins specify an MFA action for each of the three risk levels: high, medium, and low. This feature can be enabled via integration with PingFederate and requires version 2.11 of the PingID adapter, which is included in the PingID Integration Kit 2.13, along with a separate license for the integrated risk service.
The latest version of the PingID mobile application (1.14 for iOS and 1.14.1 for Android) now greets first-time users with a new welcome screen of helpful “how-tos” so that they waste no time getting started with the app. Furthermore, when opening the PingID mobile app, a valid OTP now appears more rapidly, saving even more of your end users’ precious time! Improvements to performance, security and reliability have also been made.
We've made applying device management policies in PingID easier with a new feature which allows admins to choose the 'all models' option from a particular device manufacturer (e.g. Apple, Samsung). This simplifies device management as admins no longer have to select each model under every manufacturer, but can instead apply policy to all models from a certain manufacturer available today and in the future.
Admins can now enable one-click access to PingID from the PingOne unified admin console for workforce use cases. This will be the first step of the PingID integration with PingOne in an effort to further unify our solutions. More features related to PingID integration with PingOne are planned for the coming quarters.
PingID has added support for users to leverage multiple FIDO biometric devices for authentication. An enhanced FIDO device identification process prevents failed authentication attempts by clearly distinguishing among the FIDO devices a user has enabled.
PingID supports authentication using OATH tokens, which can become out of sync due to infrequent use. PingID now supports resynchronization of these tokens during the authentication flow or through the PingID API. This update provides a self service resynchronization option on the device page, removing the need for end users to call the helpdesk to resynchronize or replace their OATH tokens.
The latest version of the PingID mobile application (1.13) has added support for the most recent releases of iOS and Android operating systems. Updates include enhanced photo and location permissions for iOS, improved location and camera settings for Android and more. Improvements to performance, security and reliability have also been made. See iOS release notes, Android release notes.
Your workforce can now leverage Apple's FIDO2 platform authenticators (TouchID, FaceID) for a more seamless and secure login experience. Employees with iOS, iPadOS and macOS devices can use these authentication methods for passwordless login and MFA to any web-based application. Additionally, support has been added for the binary PingID SSH integration package for the SUSE operating system.
Your workforce can now leverage FIDO2 security keys to log in without the need to enter a username or password. For additional security, users can be asked to enter a PIN code or provide a fingerprint during the login process. These added security measures are automatically enforced for FIDO2 biometrics and passwordless flows.
You can now leverage PingID to enforce MFA for employees when they log onto Apple Macintosh devices, including when those devices are offline. When signing on to Mac laptops or desktops, employees can be asked to authenticate using any PingID supported authentication method as a second factor.
The anonymous network detection rule allows admins to enforce MFA when authentication attempts from an anonymous network are detected. This new capability analyzes the IP address of a user's device to identify anonymous networks such as an unknown VPN, proxy or anonymous communication tools such as TOR to provide a higher level of assurance when anonymous networks are in use. Contact sales to activate this feature.
PingID now uses machine learning to learn normal behavior patterns unique to your users and organization to detect anomalies as they occur, and assign a low, medium or high risk score to them. You can then specify an appropriate rule action for each risk score category, so you can provide frictionless experiences for your trusted users, while enforcing more restrictive authentication actions if a high risk behavior is detected. Contact sales to activate this feature.
The new PingID dashboard delivers a continuously updated view of MFA activities including enrollments, enrollments by device type, user status and devices, authentications, SMS usage and more. Dashboard charts are interactive, and provide admins the ability to sort, filter, and drill down into their organization’s MFA usage.
In cases where users are authenticated using risk based mechanisms which don't require their interaction, administrators can now hide authentication approval screens. This enables users to continue working without disruption while promoting broader and more frequent use of risk based authentication across the enterprise.
PingID is now available in AWS Marketplace, which is an online store that makes it easy for AWS customers to find, select, buy and deploy software that runs on AWS. Plus, AWS customers can use a portion of their AWS Enterprise Discount Program (i.e. annual committed AWS spend) toward purchases of apps, like PingID, in AWS Marketplace.
Customers leveraging the PingID MFA adapter for Active Directory Federation Services (AD FS) are advised to upgrade to the latest version (v1.3.2), which includes support for TLS 1.2. This upgrade ensures PingID's continued alignment with industry best practices and standards for security and data integrity. Versions of the adapter which only provide support for TLS 1.1, including versions 1.3 and earlier, will be deprecated on March 31, 2020.
You can now offer additional flexibility to users when MFA is required with added support for 3rd party Time-based One-Time Passcodes (TOTP) authenticator apps. This update includes support for authenticator apps from Google and Microsoft, which can be used for a range of MFA use cases spanning single sign on, VPN, SSH, Windows Login, and more.
During registration and authentication, PingID now enables localization and customization of SMS messages containing one-time passcodes. Enabling localization ensures that the SMS message will appear in the language selected on a user’s device browser. Administrators can easily edit the messages their users will receive in all PingID’s supported languages.
In addition to supporting FIDO authentication as PingID’s out of the box solution and an API-based solution, PingID now supports FIDO authentication with a hybrid UI where a custom UI is used for registration and PingID's out of the box UI is used for authentication.
Passwordless web authentication is now available with added support in PingID for FIDO certified authenticators such as Windows Hello. The solution allows users to log in using Windows Hello's PIN or biometric options, eliminating the need to enter a username or a password. It improves user experience by simplifying the login process and enhances security by limiting the instances when a password could be used to compromise an account.
To prevent compromised devices from gaining access, customers that embed the PingID SDK’s MFA capabilities into their mobile applications can now deny access to resources when a mobile device is detected as rooted (Android) or jailbroken (iOS). When a rooted or jailbroken device is detected, organizations can also reduce that user's permissions based on company policy.
The IP reputation rule uses intelligent identity to categorize IP addresses as low, medium or high risk, while allowing administrators to create specific authentication outcomes based on the level of risk. Additionally, the Impossible Travel Velocity rule evaluates the time and distance from a user's login attempt against subsequent login attempts in a different location to detect and block fraudulent activity. For example, if a user logs in from New York and then attempts to log in from Moscow 30 minutes later, the fraudulent login attempt would be detected and the user could be denied access.
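The travel-velocity check described above, as an added Python illustration (not PingID's implementation or code from Ping Identity). The 1000 km/h ceiling, the 100 km geo-IP noise floor, the `Login` type and the function names are assumptions chosen for the example, and the login events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, inf, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0088
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0      # assumption: below this, geo-IP error dominates


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    label: str = ""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def travel_verdict(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (action, distance_km, implied_speed_kmh) for two logins."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance < min_km:
        return "allow", distance, 0.0
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    # Simultaneous or out-of-order logins from distant places imply
    # infinite speed, so they fail the check as well.
    speed = distance / hours if hours > 0 else inf
    return ("deny" if speed > max_kmh else "allow"), distance, speed


def evaluate_stream(logins):
    """Evaluate logins in time order, one baseline per user.

    A denied login does not replace the baseline, so a fraudulent
    attempt cannot make the legitimate user's next login look impossible.
    """
    last_good, results = {}, []
    for event in sorted(logins, key=lambda e: e.when):
        prev = last_good.get(event.user)
        action = "allow" if prev is None else travel_verdict(prev, event)[0]
        if action == "allow":
            last_good[event.user] = event
        results.append((event.user, event.label, action))
    return results


def _t(hour, minute=0):
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


NEW_YORK = (40.7128, -74.0060)
MOSCOW = (55.7558, 37.6173)

# Constructed sample events: alice repeats the page's New York / Moscow
# case 30 minutes apart; bob makes the same trip with 10 hours between logins.
SAMPLE_LOGINS = [
    Login("alice", _t(9, 0), *NEW_YORK, "new-york"),
    Login("alice", _t(9, 30), *MOSCOW, "moscow"),
    Login("alice", _t(10, 0), *NEW_YORK, "new-york"),
    Login("bob", _t(9, 0), *NEW_YORK, "new-york"),
    Login("bob", _t(19, 0), *MOSCOW, "moscow"),
]

if __name__ == "__main__":
    for user, label, action in evaluate_stream(SAMPLE_LOGINS):
        print(f"{user:6} {label:9} {action}")
```
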
PingID SDK Provisioning Connector 1.2.1 improves username validation and URL encoding to support recent PingID SDK API updates.
The PingID mobile app version 1.9.1 supports the latest Android Q operating system. This continues the enablement of authentication flows for device and identity security for a variety of use cases.
PingID now supports OTP generating OATH hardware tokens for use cases where USB connectivity and other methods are unavailable, adding to a wide range of supported authentication options. Additionally, organizations with users on shared devices can improve the depth at which policies can be enforced. For example, if a "recent authentication policy" is in place, this policy can now be applied on a per-user basis, rather than a per device basis.
Administrators can now apply a full range of PingID policies to the StartAuthentication and AuthenticateOnline workflows, supporting increased security granularity for organizations leveraging the PingID APIs.
Organizations can take advantage of the security and user experience benefits provided by the FIDO standard. PingID now supports additional FIDO compliant authentication methods including Windows Hello, Mac TouchID and Android biometrics. To further support FIDO and WebAuthn authentication flows, a broader range of user details is available which include email address, First Name + Last Name + Organization Name, and User + Organization Name.
PingFederate Bridge is a newly developed light-weight approach to integrate PingID with VPN services and others using the RADIUS protocol, dramatically reducing set-up time and simplifying administration.
In use cases where mobile phones and USB devices cannot be used due to enterprise security policies, OATH tokens are now a supported authentication factor. Administrators are now able to define OATH tokens as an authentication method and upload seed files so that users will be able to pair their device and authenticate with them.
In addition, PingID now supports SSH for Ubuntu 18.04 and openssl-1.1.x increasing the number of use cases where MFA can be applied for administrator logins.
PingID and PingID SDK SMS authentication service now supports a higher One-Time-Passcode message delivery throughput to end-users. This is enabled by increasing the pool of SMS dispatching phone numbers. As a result, some users may receive OTP messages from new telephone numbers.
A new PingFederate PingID SDK Connector v 1.2 has been released which is part of PingFederate PingID SDK Integration Kit v 1.4, and PingID SDK Package v 1.5. The new Connector release helps admins to reduce the risk of human errors by supporting the upload of PingID SDK properties file as part of the configuration. In addition, the release includes improvements to reliability. Additional information can be found in PingID SDK Release Notes and in PingFederate PingID SDK Connector Guide 1.2.
A new PingID SDK Adapter v 1.4 has been released which is part of PingFederate PingID SDK Integration Kit v 1.5, and PingID SDK Package v 1.6. It offers an enhanced proxy configuration which relies on PingFederate’s proxy configuration in order to get the PingID SDK server address dynamically. Additional information can be found in PingID SDK Release Notes and in PingID SDK admin documentation.
PingID policy evaluation compatibility changes for Windows Login
July 1, 2019
As part of improvements to PingID's policy evaluation for Windows Login, starting July 1st 2019, it is no longer recommended to use Windows Login V2.1 when the following policy rules are evaluated:
recent authentication from company network
recent authentication from office
In cases where those rules are evaluated, it's recommended to use Windows Login V.2.2. Windows Login V.2.1 will continue to be operational for all other policy evaluations, and for Windows login implementations where policy is not evaluated.
PingFederate PingID SDK Integration Kit 1.4 includes updates to make the configuration process quick and easy.
PingID SDK now provides the admin with enhanced flexibility to decide how many OTP retries a user can have during an authentication attempt, as well as what should be the lock (cool down) duration after the max OTP limit has been reached. This configuration is per application and per authentication method - for SMS, Email, Voice, and mobile separately.
PingID policy now only permits use of backup authentication where the rule action is authenticate. As a result, the ‘Forgot your device?’ link only appears as an option when the authenticate rule action or a rule action with a fallback (such as fingerprint with OTP fallback) is applied.
PingID now supports FIDO2 and U2F security keys for authentication with Windows login. FIDO2 and U2F compatible security keys enable relying parties to offer a strong cryptographic second factor option for end user security. Admins can also now configure PingID Integration with Windows login to allow users to log in to domains which were not specified during installation.
PingID has enhanced its integration with Azure AD Conditional Access by adding group membership mapping so that administrators can use Azure groups for PingID policies.
Additionally, the Azure AD group synchronization can also be used for PingID.
The latest version of the PingID SDK Package includes a new PingID Mobile SDK v1.3, a new PingID SDK Adapter v1.3, and new PingID SDK sample code. This includes adding additional context to PingID SDK HTML Template and supporting new PingFederate features.
We are pleased to announce that PingID now supports FIDO2 Security Keys as one of its many strong authentication methods. Support of FIDO, a new standards-based, strong authentication method, increases your enterprise security by protecting users from phishing, man-in-the-middle and replay attacks.
We have extended PingID’s pairing APIs, which allow admins to enforce device uniqueness during the pairing process by verifying a single device is not paired more than once within the organization.
PingID and PingID SDK recently added support for public computer (kiosk mode) and QR-based login flow, respectively, to optimize the user experience upon login and move toward a zero-login, passwordless world. PingID also announced the beta of FIDO2 token support to move toward a zero-login. To expand its adaptive MFA use cases, PingID now supports Windows Login.
To improve the user experience, the PingID SDK now supports voice authentication, in addition to mobile SDK, SMS, and email authentication methods. This feature is available as a part of the new PingID SDK Integration Kit 1.1.
The PingID desktop app 1.5.2 includes new features to improve admin configuration of proxies. The addition of the Proxy Auto Configuration (PAC) file makes it easy for admins to manage networks with multiple proxies. And the added support of Kerberos proxy authentication configuration enables the PingID app to authenticate to the organizational proxy using the Kerberos protocol.
PingID now supports user authentication via a backup authentication method, which enables users to authenticate securely without interruption and reduces helpdesk calls when users don’t have their trusted authentication devices and/or methods. To improve our localized user experience, we also added Turkish language support. To increase user privacy, we hardened the masking scheme of user presented phone numbers for PingID voice and SMS one-time passcodes. Plus, PingID admins can map Azure AD user attributes to PingID attributes to increase customization of the PingID and Azure AD integration.
Ping Identity released a new version of the PingID Integration Kit (IK) 2.4, which provides offline MFA for mobile-only users. This feature enables users to manually authenticate and access resources directly from their mobile devices. Download the new Integration Kit.
PingID’s policy configuration flow now supports assigning multiple authentication methods by application and user group, making it easier to assign or restrict various authentication methods to a specific application or user group. The improved policy configuration flow eliminates the need for admins to create and layer multiple, adaptive MFA policies on top of one another. With the addition of this feature, PingID provides admins more flexibility since they can apply policy-allowed methods for user authentications.
The messaging on PingID’s customizable registration page can now be localized, with administrators able to define their own registration content and present it to their users in all of the 13 languages supported by PingOne. The localized text can be updated directly in PingOne Admin Console or by uploading a localization file.
The PingID SDK now supports voice, in addition to SMS and email, as an alternative method for user authentication and transaction approval, which improves the user experience by providing yet another way to authenticate.
PingID and PingID SDK now provide detailed SMS and voice authentication transaction information, such as interim delivery status, transaction price, and more, which increases the admin’s visibility for audit and support purposes.
PingID now supports configurable device timeouts and the option for users authenticating with the PingID mobile app to immediately go to a one-time passcode (OTP) entry, which provides greater admin flexibility to support multiple authentication scenarios and minimizes user frustration in the case of slow network response.
The latest version of the PingID Mobile App, which includes improvements to performance and reliability, is now available on the Apple App Store. Version 1.8.3 only supports iOS platforms. The new version has added support for iPhone X and deprecated support for platforms older than iOS 9 and WatchOS 2.
PingID has extended support of localized one-time passcode (OTP) voice messages, which includes the following additional languages: Dutch, French (Canadian), German, Italian, Japanese, Korean, Portuguese (EU) and Russian.
The latest PingID Desktop App release provides support for future 64-bit application releases. The latest version is available to download (for Mac and Windows) from the PingID Download page.
The latest version of the PingID Integration Kit (IK) includes a new PingID RADIUS password credential validator (PCV), which allows administrators to more easily define groups that they want to exclude from multi-factor authentication.
A new PingFederate PingID SDK connector is now available to enable automatic provisioning, updates and deprovisioning (disabling or deleting) of PingID SDK users.
The new PingID SDK Integration Kit provides an out-of-the-box integration to PingFederate, making it easier for enterprises to implement authentication within customer-facing mobile applications. This integration kit also includes customizable user interface templates to make it simpler for enterprises to provide a seamless, branded customer experience while maintaining a strong security posture.
The PingID SDK now supports SMS subaccounts, giving enterprises the option to have a subaccount with dedicated, country-code specific phone numbers for SMS one-time passcodes (OTPs). A dedicated SMS subaccount enables your enterprise to send end users OTPs from familiar phone numbers, ultimately improving the user authentication experience.
The PingID Integration Kit 2.2 is now available, which includes a new PingID RADIUS PCV, a new PingID Adapter and bug fixes. We recommend customers upgrade to the new release.
The PingID policy has been extended to include a new authentication rule for users that have recently authenticated from within your company network. This new rule provides more customization of MFA policies by using network context and improves the user experience. The rule allows you to specify the authentication action required if a web accessing device is within a specific IP range, and a user has authenticated within a defined time period. You can also require the user authentication device to be located within a company office in order for the user to authenticate.
The PingID out-of-the box UI now uses asynchronous calls to the PingID server when performing authentication. This capability further increases PingID's capacity to support high volumes of simultaneous authentication requests, and strengthens the resiliency of the PingID service.
You can now define policies for enterprise directory user groups in PingFederate and PingID. This includes the ability to create web authentication policies and apply them to one or more applications, one or more user groups, or both.
The newly launched PingFederate Connector for PingID enables user life cycle management within the PingID service, including updating, disabling and deleting users. For additional details, please refer to PingFederate PingID Connector Guide 1.0 and release notes.
The PingID Windows Login for Workforce capability is now generally available. Organizations can now further enhance security by extending MFA to end users logging into Windows desktops and laptops. This includes a new client key limiting end users to authentication actions, and the ability to authenticate even when end user devices are offline using the PingID mobile application. Additionally, the PingID integration for Windows now supports Windows operating systems running in FIPS mode for added security.
The PingID SDK “Users API” has been extended to support updating first and last names when a user is inactive. Additionally, you can now suspend user activity across all applications in the organization and remove users from a suspended state. These extensions improve user management functionality across the organization; and backwards compatibility is supported where older endpoints and parameters are used.
You can now disable collection of user location at the organizational level. If disabled at the organizational level, users of the PingID Mobile app v1.8.1 or higher won’t receive requests for location collection when pairing a new device, and location collection will cease upon the next online authentication. This enhancement provides greater flexibility for administrators and facilitates compliance with various privacy regulations such as GDPR.
The PingID SDK REST API now supports email as an alternative method for authentication and transaction approval, including fully customizable and multilingual email text. These enhancements address security concerns by providing another authentication method and support a seamless, on-brand customer experience.
The PingID Adapter 2.1 now allows for multiple phone numbers to be used to pre-populate or restrict the destination for voice and SMS one time passcodes when enrolling a new device. To ease administration, administrators now can associate multiple groups to a single user. Additionally, error handling capabilities have been improved for the cases when the adapter is misconfigured.
PingID beta users can now extend MFA to end users logging into Windows desktops and laptops. This update includes the ability to authenticate even when end-user devices are offline. Contact email@example.com to join our beta user program.
The PingID Mobile SDK now allows administrators to restrict authentication methods during registration to push notifications or one-time passcodes only. Administrators can also allow active users to add a new device without verifying the change on their primary device. Bug fixes to the mobile SDK and the Moderno sample application are also included in this release.
PingID now provides a properties file with client keys with reduced permissions for SSH users. If you would like to limit user permissions to authentication actions only, use this new properties file to implement these restrictions.
PingID now provides a properties file with client keys that have reduced permissions for users of PingID for Windows Login. If you plan to distribute your properties file widely to Windows Login clients that are not directly within your control, leverage the new Windows Login properties file to limit user permissions to authentication actions only.
Offline multi-factor authentication enables PingID customers to continue to authenticate users, even if they lose internet access or experience other network connectivity issues. With this new feature, customers can ensure services leveraging PingID remain secure and available at all times.
The updated PingID RADIUS PCV 2.0 now supports offline MFA for VPN use cases. Additionally, administrators can now easily run multiple PingID PCVs on the same PingFederate machine pointing to different PingOne tenants.
The updated PingID Adapter 2.0 includes offline MFA support for applications using PingFederate for single sign on, allowing users to authenticate when network connectivity is unavailable.
The PingID Authenticator now supports Content Security Policy (CSP) to prevent unverified scripts from running in the PingID environment. CSP-supported browsers will not be able to execute custom scripts in the PingOne admin portal Enrollment screens, or the Admin message field.
For product updates prior to 2018, please visit documentation.pingidentity.com.
PingID now offers a customizable enrollment page template for seamless end user experiences during MFA rollouts. This customizable template is able to leverage your organization's brand assets including logos, background images, color schemes and more. Administrators can also customize messaging on the page, including the multi-language support.
Your employees can now log in to a Windows computer without having to enter a password, using the PingID mobile app. It includes support for multiple use cases such as: Windows login, remote desktop login, and elevated users' authentication. The current release supports the PingID app with support for Security Keys coming later.
PingID currently supports several offline use cases, when users don’t have access to the internet or cell service. Offline use cases include: Windows Login, Windows Login Passwordless, and Mac Login. With the new release of PingID SSH client, we've added support for offline use cases for the SSH client. In addition, this release introduces security enhancements and support for additional Linux releases.