Introduction
The LogonBox team is pleased to announce the immediate availability of LogonBox SSPR 2.3.14. This release includes several bug fixes and an upgraded Credential Provider for Windows with a new security layer. There are also improvements to the LogonBox Authenticator, including a new set of APIs for integrating with external applications and support for registering multiple authenticators against a user’s account.
Credential Provider Security
In this release, we have introduced a new security mechanism for Desktop computers using the Credential Provider to protect the APIs it uses when determining account status.
After reviewing the Credential Provider framework, we discovered that it could be possible for an attacker with sufficient knowledge to gain information about user accounts, such as whether 2FA is required or not.
This new security layer locks down calls to the server APIs to ensure only trusted computers can use them. The mechanism uses strong asymmetric keys to establish trust and locks these keys in the Registry under an administrator-only registry key.
The security layer is optional; however, all new credential provider installs and upgrades to our 4.5 providers, available with this release, will use the new mechanism. Our next major release, 2.4, will enforce this security layer for all connections. If you want to turn this on now, you can enable the option under Authentication Flows->Authentication Options->Credential Provider.
LogonBox Authenticator Improvements
Users can now register multiple LogonBox Authenticator devices with their account, with the ability to select the device to use during authentication. The app also now uses a new dedicated page that utilises your brand for a fresh new look when authenticating with the app.
We have also added support for using LogonBox Authenticator in external applications. Via our suite of APIs, you can create custom integrations to reuse the app’s credentials from a host of programming languages. Support for Java, PHP, Python and NodeJS is already available on GitHub at https://github.com/nervepoint. We also have a WordPress plugin due for imminent release.
Get in touch if you have a requirement, and our team will be glad to help.
Upgrade Instructions
To get the benefits of the VMCentre backup fixes and ensure you are running our latest support tunnel firmware, we recommend performing an apt update with this release. Open VMCentre and open a terminal to execute the following commands:
apt update
apt upgrade
Our support team will be upgrading Cloud customers over the coming week.
Changes
Here is a summary of the changes in this release.
Features
- Added support for Active Directory State/Province attribute.
- License Details widget added in public cloud tenants to show your current license count. This widget is visible on the Server Status tab of the admin dashboard.
- Authentication Flows->Authentication Options will now only show options for features available on your license.
- Added integration with userstack.com for optional improved user agent detection. Requires a separate license key available from https://userstack.com/
- Added a ‘Banned Domains’ setting to Authentication Flows->Authentication Options->Email. This feature allows you to prevent users from registering email addresses in the specified domains (for example, you don’t want OTPs to be sent to a corporate email, as this would be the account a user is trying to reset).
- When unlocking an account, the system will automatically attempt to unlock any linked secondary accounts.
- Added an improved security layer for the credential provider.
- Added support to the Credential Provider for 2FA over RDP.
- Users can now have multiple LogonBox Authenticator devices registered to their accounts.
- Added a new branded LogonBox Authenticator sign-in experience and support for Authentication by external applications via our suite of open-source APIs.
- The administrator can now generate a user profile for a user that has not logged in.
Bugs
- VMCentre backup scheduling UI issues resolved:
  - You can now click daily without it switching back to hourly.
  - Custom schedule now also works as expected.
  - When changing the backup schedule, the backup remains enabled.