Unifyia Platform

Release Version 2.2.0

July 30, 2025

New Features


General Features

  • FIPS 140-2 compliance (all services and servers are FIPS compliant, except the CA service)
  • Row-Level Security (RLS) for PostgreSQL
  • Event Logging Service
  • RabbitMQ for Message Queuing
  • Support for Oracle 19c Enterprise Edition Database

User Management

  • Onboard Users:
    • Onboard Users with PIV ID for derived credential issuance
    • Removed the Assign to Role field. Role assignment is now handled at the group level with a new feature that enables assigning roles to groups.
  • Enrollment:
    • Fingerprints preview during enrollment
    • ANSI support for fingerprints
    • Investigation – Background and Biometrics Investigation
  • Express Enrollment – full and partial bulk enrollment with a preview of the enrollment records and results.
  • Issuance
    • Support to issue PIV-I, Derived Mobile Credentials
  • Granular credential issuance:
    • PIV, CIV, PIV-I, FIDO2, DPIV, DFIDO2
    • Issuance in a single instance works
    • PIV+FIDO2, DPIV+DFIDO2: granular issuance of the FIDO2 application (credentials) is not working
  • Granular Lifecycle Management for operators and users – Identities, Applications, and Credentials.
    • When multiple devices are connected during PIN reset, PIN change, device update, certificate renewal, or PIV card activation, the following validations are supported:
      • Validate the connected devices.
      • If the device selected for the action is not connected, display an alert asking the user/operator to connect the selected device to continue.
      • If the selected device is connected, remove all other connected devices from the connected readers list and show only the reader that holds the selected device.

Authentication

  • Authentication using OTP authenticators - Unifyia ID Wallet, Google, Microsoft, Okta Verify, Others
  • Authentication using PIV-I, CIV IDs, derived mobile identities
  • Certificate-based authentication (CBA) for domain-joined systems with Entra ID.

Configurations

Passkey (FIDO2) Policy

  • Supports creating and managing FIDO2 passkey policies for other relying parties such as Entra ID and Okta.

Groups

  • Provision to add groups and assign roles to the groups.
  • Provision to edit the group name and assigned roles.
  • Support to view the list of groups with the option to view the number of users assigned to a group.

Device Profile

  • Support clearing containers before issuance
  • Support for setting maximum PIN retries
  • Support for setting maximum PUK retries
  • Support to configure application interfaces (Interface Control for USB, NFC) for ZTPass on NXP P71D600, Arculus Authentikey, and YubiKey 5 Series devices.
  • Support to lock the selected interfaces with a code to prevent unauthorized access or use.
  • Support to reset the device to factory settings using the Manufacturer Master and/or Admin keys
  • Support to store device profile keys in HSM (Utimaco Cryptoserver)
  • Support for YubiKey 4 Series for PIV issuance.
  • Support for Arculus Authentikey and Swissbit iShield Key for PIV+FIDO2 issuance
  • Category-based device profiles
  • Support for the following identity-type categories:
    • PIV-I
    • PIV+FIDO2
    • DPIV+DFIDO2
    • Derived Mobile Identities (DMobile ID)

Workflows

  • Support for new identity types that enable the issuance of multiple credentials:
    • PIV-I ID
    • PIV + FIDO2, Mobile ID
    • FIDO2, Mobile ID
    • Derived Mobile Identities (DMobile ID)
    • DPIV + DFIDO2
    • DPIV + DFIDO2, DMobile ID
    • DPIV, DMobile ID
    • DFIDO2, DMobile ID
  • Define certificate validity
  • Define device and certificate update policy
  • Define device certificate reissuance policy
  • Support to add Subject DN
  • Support to issue Card Authentication, Digital Signature and Key Management certificates for ID Wallet
  • When an external CMS is integrated, the workflow offers the option to establish a separate process for the external CMS. If the option is canceled, the system proceeds with creating a workflow for the platform.
  • Issuance of PIV ID for integrated external credential management systems (External CMS)
  • FIDO2 Registration for the platform users and/or relying parties.
    • Separation of options for issuance of Passkeys (FIDO2) for platform users and relying party (RP) users. Organizations can select either one of the options or both.
    • Provision to enable/disable the issuance of FIDO2 passkeys for platform users
    • Provision to enable/disable FIDO2 passkeys provisioning for relying parties. Provision to select multiple relying parties.
    • Currently supported for the Entra ID and Okta applications.
  • Provision to define a format for the common name in the Subject DN of the certificates. Available formats are:
    • CN=firstname lastname, e.g., Jane Smith
    • CN=firstname lastname intended usage short, e.g., Jane Smith Auth
    • CN=firstname lastname intended usage, e.g., Jane Smith Authentication
    • CN=firstname lastname (Affiliate), e.g., Jane Smith (Affiliate)
    • CN=firstname initial. lastname, e.g., Jane A. Smith
    • CN=firstname middlename lastname, e.g., Jane Alex Smith
    • CN=lastname.firstname.middlename, e.g., Smith.Jane.Alex
    • CN=firstname lastname - intended usage - expiry, e.g., Jane Smith - Signature - Expires 01/15/2025
    • CN=firstname lastname - intended usage - agency identifier, e.g., Jane Smith - Signature - 123456
    • CN=firstname lastname - intended usage - SKI identifier, e.g., Jane Smith - Authentication - 123456
  • Support to search for the user by UPN or email to write back the issuance status to the selected Active Directory.
  • Removed the PIV Credential Verification and Derived Credential Lifecycle configuration sections from under the Smart Card/Security Key Credential Issuance section and moved them to a separate panel in the workflow under the Mobile ID configuration panel. This panel is displayed at the end of the workflow page.
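The common-name formats listed above, rendered in code as an added example that is not part of the Unifyia product or its documentation: the format keys, the field names and the plain hyphen separator are assumptions, and the RFC 4514 escaping illustrates why a CN assembled from user-supplied name fields must be escaped before it is placed in a certificate subject.

```python
from dataclasses import dataclass

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    # Escape one RDN value so a comma in a name cannot start a new RDN (e.g. ",OU=...").
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        out.append("\\" + ch if ch in _SPECIAL or leading or trailing else ch)
    return "".join(out)

# Format keys and field names are assumptions; the layouts follow the release notes.
CN_FORMATS = {
    "name": "{first} {last}",
    "name_usage_short": "{first} {last} {usage_short}",
    "name_usage": "{first} {last} {usage}",
    "name_affiliate": "{first} {last} (Affiliate)",
    "name_initial": "{first} {initial}. {last}",
    "name_middle": "{first} {middle} {last}",
    "last_first_middle": "{last}.{first}.{middle}",
    "name_usage_expiry": "{first} {last} - {usage} - Expires {expiry}",
    "name_usage_agency": "{first} {last} - {usage} - {agency_id}",
    "name_usage_ski": "{first} {last} - {usage} - {ski}",
}

@dataclass
class Subject:
    first: str
    last: str
    middle: str = ""
    usage: str = ""          # e.g. "Authentication", "Signature"
    usage_short: str = ""    # e.g. "Auth"
    expiry: str = ""         # MM/DD/YYYY, as in the release notes example
    agency_id: str = ""
    ski: str = ""

    @property
    def initial(self) -> str:
        return self.middle[:1]

def build_cn(fmt: str, subject: Subject) -> str:
    # Render the layout with raw fields, then escape the whole CN value once.
    fields = dict(vars(subject), initial=subject.initial)
    return "CN=" + escape_rdn_value(CN_FORMATS[fmt].format(**fields))
```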

Notifications

Below is the list of new notifications:

  • Registrar Notifications:
    • Users with Expired Biometrics
    • Users with Expiring Biometrics
  • User Notifications:
    • Account Suspended Due to Expired Biometrics
    • Enrollment Verification Status
    • Enrollment Verification Successful
    • Biometrics Update Request
    • Certificate Expired Notice

General Settings

  • Configurable PIV, PIV-I, CIV profile - Subject DN and FASC-N
  • Policies and Settings: The following are the new policies and settings available under the General Settings menu:
    • General
      • Read Name from Certificate Common Name during Onboarding with PIV ID
      • ITAR Country List Check
      • Enable Digital Signing
    • Session Sign Out
      • Support to configure the session sign-out policy with a warning to the user
    • Subscriber Agreement
      • Enable/Disable the Display Subscriber Agreement During Activation option
      • Add organization specific text for the subscriber agreement
    • Enrollment Policy
      • Biometrics Validity Expiration
      • Select Expiration Days
      • Notify operators of biometric expiration set to expire in (days)
      • Email Notification Frequency
      • Biometrics Expiry Check Scheduler
    • Card Expiration Policy
    • Card Expiry Check
  • PIV Verification Policy
    • Allowed OIDs for Verified

Security Audit

  • A new feature to configure security audit events.
  • Support to enable/disable the events that must be logged and/or signed with the digital signature certificate of the logged-in user.

Conditional Access

  • Define a set of IP addresses to be whitelisted for administrator access.

Integrations

Configure Directories

  • A new option to sync all users from a directory.

External Credential Management Systems (External CMS)

  • Add, edit, and delete External CMS
  • List integrated external credential management systems
    • A page to set the connection parameters to connect to an external CMS
    • Card Production Request (CPR) for PIV, PIV-I, CIV
    • Define policies for issuance to be linked to the selected ID (PIV, PIV-I, CIV).
  • Supported external CMS - HID CMS

Hardware Security Modules (HSM)

  • Provision to securely store the device profile keys in an HSM by integrating one with the platform
  • Add, edit, and delete HSM
  • List HSMs
  • Supported HSM – Utimaco CryptoServer
  • Generate a tenant key for encrypting the factory keys (Manufacturer Master and/or Admin keys) before saving them in the database when the Enable Factory Reset option is active.

Passkeys (FIDO2) Provisioning

  • Provision to configure parameters to add RPs for passkey (FIDO2) provisioning, enabling issuance of passkeys to relying party users.
  • Support to add provisioning APIs.
  • Add, edit, and delete Relying Parties (RPs)
  • List Relying Parties
  • Supported RPs – Entra ID and Okta

Reports

The following are the new reports supported in this version:

  • Background Investigation Pending Report
  • Credentials About to Expire Report
  • Users Pending Approval Report
  • Revoked PIV Credentials Report
  • Card Applicant Status Report
  • Event Log Report

Known Issues


Improvements


User Management

  • Issuance
    • When multiple readers with authenticators are connected during issuance, the following validations are supported:
      • Validate the status of the connected authenticators.
      • If all connected authenticators have already been issued (personalized + printed, or personalized), alert the operator to connect a new, unassigned authenticator to continue issuance.
      • Next, display the card reader and the new authenticator's name after verifying the product name of the selected device profile.

Bug Fixes


  • During personalization of PIV + FIDO credentials, the progress bar displays more than 100% progress.
  • Bulk Enrollment:
    • During bulk enrollment, if the template exceeds 20 users, a "Gateway Timeout" error occurs. However, user records are saved, and a success message is displayed upon selecting "Save."
    • After enrollment, the user status is incorrectly set to "Ready for Issuance" instead of "Pending Investigation" when the enrollment approval option is selected in the workflow.
  • Enrollment:
    • Single and dual fingerprint capture are not supported by the HID Crossmatch Guardian 100 fingerprint scanner.
  • Reports:
    • In the Clients and Apps report, sorting is incorrect, and records are not displaying properly. The application version field search is also not functioning.
    • Sorting on the Application Name Column is not working.
    • Reports for Authentication, Client and Apps, and Issued Credentials fail to generate data and cannot be downloaded.
    • The "Revoked PIV Credentials Report" includes users with expired credentials.
    • The "Background Investigation Pending" template displays no data.
    • The Event Log report fails to download in both PDF and CSV formats. Sorting by columns Event Message and Event Details is not functional.
    • PDF downloads for the User Status, User Enrollment Details, User Issuance Details, and Issued Devices reports are poorly aligned due to missing data.
    • In the report generated when the frequency is set to one time, field names (labels) are missing and sorting is not available.
    • UI issues, including date filters and sorting-related problems, are present in every report.
  • Notifications: Identity Credential Expiration Warning notification is not triggered.
  • ZTPass P71D600 Card Issues:
    • Once the user changes the PIN for the ZTPass P71D600 card (PIV+FIDO issuance), they are unable to log in with the changed PIN.
    • Reset PIN with PUK is not working for the ZTPass P71D600 card for PIV+FIDO2.
    • After scanning the QR code on a mobile device during FIDO credential login, the system does not request a PIN and logs the user in automatically; a PIN should be prompted for. On Android devices, PIN support is not available, so login succeeds without a PIN. On iOS devices, the user is prompted for a PIN before login.
    • After the admin resets the user's device PIN following issuance of PIV+FIDO credentials, the PIN is reset for both the PIV and FIDO credentials. However, the FIDO credential PIN should remain unchanged.
      • Granular PIN reset is available for the PIV application.
      • FIDO PIN reset for the Arculus AuthentiKey is available, but only in NFC mode.