A great benefit of Centrify’s Privileged Access Service (PAS) is that, as a native SaaS service, there’s an agile development process behind the scenes. This is a boon for customers, since we’re able to respond more quickly to customer-driven enhancement requests, Centrify-driven innovations, and bugs (yes, we all have them).
In this blog, we’ll highlight a few enhancements and innovations in the recent 19.6 release. We trust you’ll find them more than academically interesting: capabilities that translate into real business value.
AUTO PASSWORD RECONCILIATION
In 19.6, we introduced the first iteration of a capability that will be delivered in multiple phases. Automatic password reconciliation for local accounts ensures that a local account password being managed by Centrify PAS is always the single source of truth. If, for example, a user with admin-level rights on a system changes a managed local account password, Centrify can automatically change it back to a known value.
Another related capability is automatic account unlock. This is useful to ensure that a local account is always available for login via Centrify PAS. For example, should a local account password be changed and subsequently locked by the operating system due to a number of failed login attempts, PAS can be configured to automatically unlock the account and then reconcile the password to a known value.
I mentioned that our SaaS solution benefits from a phased delivery. This initial release in 19.6 supports reconciliation for Windows systems that are domain-joined, using a PAS-configured domain administrative account to log in and perform the change. Over the coming quarters we will support standalone Windows systems, Linux/UNIX systems, and the option of password reconciliation using a host-based Centrify Client (from Centrify Privilege Elevation Service) as a more secure and functional alternative to the shared privileged account described above.
PASSWORDLESS AUTHENTICATION WITH FIDO2 SUPPORT
Another feature in 19.6 is support for FIDO2 as a new multi-factor authentication (MFA) option to customers.
This is an open standard (from the FIDO Alliance) and an extension of FIDO U2F – developed by Yubico and Google – that Centrify has supported since April 2019. FIDO2 offers the same PKI-based crypto for high security as FIDO U2F, but with expanded authentication options that notably include strong single-factor authentication (i.e., passwordless) and support for on-device or external second factors such as Apple’s Face ID and Touch ID, Windows Hello, and Yubico’s YubiKey.
As customers, you can replace weak static password-based credentials with a stronger, hardware-backed alternative. For any of you subscribing to NIST 800-63 and its Authenticator Assurance Levels (AAL), this will give you an AAL3 level of assurance. The private key and other sensitive information never leave the FIDO2 device. Credentials can’t be reused or replayed, and they’re not subject to attacks such as man-in-the-middle.
In addition, when a user signs up with a FIDO-enabled service, the enrollment process results in the FIDO2 device generating a cryptographic key pair unique to that service. As a result, the key pairs can’t be used to track user activity across sites.
MORE GOODIES IN 19.6
Finally, 19.6 includes a number of other capabilities that I’ll simply list here:
- Update to the latest FreeRDP libraries including a security fix for Microsoft’s CredSSP issue
- Ability to rebuild and generate a new cluster configuration file for customers using the on-premises PAS
- Local RDP and SSH client support on macOS for remote session initiation via Centrify PAS
- Added the ability for administrators to perform bulk actions on systems and accounts in the PAS UI
- PAS now extends its support for generic LDAP servers with the ability to customize LDAP attributes and schemas. Validated initially with Radiant Logic’s RadiantONE Federated Identity service, with more validations to come.
That’s all for now. Stay tuned here for more information about future updates!