
Auth0 Changelog

Sep 27, 2024

What’s Changing:

We are improving the user experience when adding or updating identifiers (email, phone number, or username) in profiles.

Key Updates:

  1. New Identifier: When a new identifier type (email, phone, or username) is added to a user profile where one does not already exist, the user’s session will not be terminated. This allows for a smoother progressive profiling experience, where users can add new identifiers without disruption.
  2. Changing Existing Identifier: When an existing identifier is modified, the user’s session will terminate, and the user will have to re-authenticate. This ensures security best practices are followed when updating key account information.

Why This Matters: Previously, any update to an identifier (whether adding or changing it) would terminate the user’s session. This could lead to a poor experience, especially during progressive profiling, where users are expected to update or add information without being logged out. With this update, customers can offer a seamless experience for users adding new identifiers while maintaining strict security for changes to existing identifiers.

Rollout Timing: This change will be rolled out progressively over the next 1-4 weeks. Customers can expect to see the updated session handling behavior in their environments during this period.

Action Required: No immediate action is required from customers, but it is recommended to review any user flows that involve the addition or modification of identifiers to ensure they align with this change.

We have introduced Email OTP Verification as a new method for email verification, available in Early Access. Expect to see the feature in your environments within the next 1-4 weeks.

With Email OTP Verification, users are required to enter a One-Time Password (OTP) sent to their email during the signup or password reset process. This ensures email verification happens before account creation or password reset is completed, offering enhanced security and reducing the chances of mistyped or fake email accounts.

Key Highlights:

  • Synchronous Email Verification: Prevents account creation or password reset until users verify their email via OTP.
  • Improved Security: Helps prevent fake accounts, ensures accurate email addresses, and discourages phishing through email links.
  • Applicability: Available for both email verification during signup and password reset challenges.

Prerequisites:

  • Must be using Universal Login.
  • Connection must have Flexible Identifiers enabled.
  • Email OTP is only compatible when using the Identifier First Authentication Profile.

To enable this feature, navigate to the Attributes tab on any connection and change the Verification Method under the Email attribute settings from Verification Link to OTP.

Okta CIC is excited to announce that Universal Login now either satisfies the guidelines of the EN 301 549 standard out of the box or provides the configurability to satisfy them. We have updated our VPAT to include this information, and it is available on Okta.com. By ensuring that Universal Login is accessible to all users, we enable our customers to confidently secure their applications with accessible authentication.

See our online documentation for more details.

Sep 25, 2024

We are happy to announce that we just added two new endpoints to our Session Management APIs:

POST /api/v2/users/{id}/revoke-access – This endpoint allows you to revoke sessions for a user and decide if you want to revoke the associated Refresh Tokens.

POST /api/v2/sessions/{id}/revoke – This endpoint will revoke the session and all its related Refresh Tokens.

Please refer to the Auth0 Management API for more information.
