IAM 1.5 Features Reference
On September 18, 2023, a new version of IAM was released on eu-west-2. This page summarizes all the new features and updates.
Two new multi-factor authentication (MFA) methods have been added to Cockpit v2:
A security key, or device biometrics, using WebAuthn. For more information, see Setting Up MFA for Your Account Using WebAuthn or an OTP > WebAuthn.
A one-time password (OTP) using an authentication application. For more information, see Setting Up MFA for Your Account Using WebAuthn or an OTP > One-Time Password.
For more information, see About Authentication.
The existing Trusted Env feature has been updated. This can impact your authentication on Cockpit v2.
If the RequireTrustedEnv parameter of the UpdateApiAccessPolicy method is activated, all EIM users of the root account are now required to log in to Cockpit v2 using multi-factor authentication (MFA). More specifically, they are required to set up the WebAuthn authentication method. They can then authenticate using either the WebAuthn method or the OTP method. For more information, see Setting Up MFA for Your Account Using WebAuthn or an OTP.
As a reminder, activating Trusted Env allows you to activate a trusted session. Trusted sessions provide an additional layer of security to a root account and all its users. For more information on trusted sessions, see About Your API Access Policy > Trusted Session.
To activate a trusted session, a root account needs to meet the following requirements:
All their access keys must have expiration dates.
All their API access rules must specify a CA.
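A pre-flight check for the two requirements above, as an added example that is not part of the original page or the provider's own tooling. It runs over a constructed inventory; the field names (AccessKeyId, ExpirationDate, ApiAccessRuleId, CaIds, IpRanges) are assumptions about how the account's access keys and API access rules are exported.

```python
import json

# Constructed inventory for one root account. Field names are assumptions
# about the export format, not content taken from this page.
ACCESS_KEYS = json.loads("""[
  {"AccessKeyId": "AK-EXAMPLE-1", "State": "ACTIVE",
   "ExpirationDate": "2024-03-01T00:00:00.000Z"},
  {"AccessKeyId": "AK-EXAMPLE-2", "State": "ACTIVE"},
  {"AccessKeyId": "AK-EXAMPLE-3", "State": "INACTIVE", "ExpirationDate": ""}
]""")
API_ACCESS_RULES = json.loads("""[
  {"ApiAccessRuleId": "aar-example-1", "CaIds": ["ca-example-1"], "IpRanges": []},
  {"ApiAccessRuleId": "aar-example-2", "CaIds": [], "IpRanges": ["0.0.0.0/0"]},
  {"ApiAccessRuleId": "aar-example-3", "IpRanges": ["203.0.113.0/24"]}
]""")


def keys_without_expiration(access_keys):
    """IDs of access keys whose expiration date is missing, null or empty.

    Inactive keys are included: the requirement covers all access keys.
    """
    return [k["AccessKeyId"] for k in access_keys if not k.get("ExpirationDate")]


def rules_without_ca(rules):
    """IDs of API access rules that reference no CA (IP-only rules, for example)."""
    return [r["ApiAccessRuleId"] for r in rules if not r.get("CaIds")]


def trusted_env_preflight(access_keys, rules):
    """Evaluate both requirements and list every item that blocks activation."""
    blockers = {
        "access_keys_without_expiration": keys_without_expiration(access_keys),
        "api_access_rules_without_ca": rules_without_ca(rules),
    }
    return {"ready": not any(blockers.values()), "blockers": blockers}


if __name__ == "__main__":
    print(json.dumps(trusted_env_preflight(ACCESS_KEYS, API_ACCESS_RULES), indent=2))
```
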
As a result of the new MFA feature, the MFA method based on x509 certificates will be deprecated at the end of October 2023. On that date, all the x509 certificates in your API access rules will be obsolete and deleted.
As a result of the new version of IAM, you can no longer reset your password in Cockpit v1 and via the ResetAccountPassword API methods.
You can now only reset your password via the reset password button on Cockpit v2. For more information, see Modifying Your Personal Information and Password.
It is now possible for Elastic Identity Management (EIM) users to create their own password that they can then use to log in to Cockpit v2. For more information, see Creating a Password as an EIM User.
EIM users do not have their own email addresses, so if an EIM user needs to reset their password, the reset password email will be sent to the email address of the root account.
Corresponding API Method