Categories: Identity Orchestration, Customer Identity Management, Identity Verification, Passwordless Authentication, Fraud Operations

Block Known Fraudsters, Gain Flexibility and Improve Journeys with New Steps

DATE:
AUTHOR: The Transmit Security team

Providing a seamless and efficient journey building experience

This edition of our Mosaic Release Notes introduces key enhancements in fraud prevention and journey customization. Multi-Session Detection strengthens identity verification by identifying synthetic identities and known fraudsters across verification sessions, while new orchestration steps simplify actions such as sending emails and managing authentication flows, improving the journey-building experience for developers. Additionally, token binding for mTLS client authentication cryptographically ties issued tokens to the client certificate, so a token that leaks cannot be replayed by a party that does not hold that certificate's private key.

Highlights

Unmask Fraudsters with Multi-Session Detection

We're excited to announce that our Identity Verification solution now includes Multi-Session Detection to combat advanced fraud tactics. This feature is the first step in a broader cross-matching capability, initially focusing on biometric similarity to detect synthetic and stolen identities. It identifies repeated selfies and discrepancies across documents by analyzing connections between sessions. When an anomaly is detected, a security insight is raised for review, giving admins the option to block the suspicious sessions or mark the insight as a false positive.

Key capabilities include Generative AI models for uncovering fraud patterns, link analysis for detecting document similarities or discrepancies, and advanced face matching to flag deepfakes and synthetic identities. This enhancement complements real-time verification by providing actionable insights for more comprehensive fraud prevention.

(Illustration: synthetic IDs using the same face with different personal information.)

New Form Builder Replaces JSON Schema

Our new Form Builder provides a streamlined and user-friendly way to create forms, replacing the previous JSON schema approach. This intuitive interface simplifies form configuration, making it easier to design and manage forms within your journeys.

Orchestration

Enhanced Messaging Capabilities for SMS and Email

New customization options for SMS and Email bring greater flexibility to authentication and notification flows. The Send Email journey step allows businesses to automate email notifications within orchestration flows, such as alerting users of suspicious login attempts. Additionally, custom messaging for SMS and Email OTP enables businesses to tailor authentication messages, ensuring a more personalized and consistent user experience.

Support for Custom Action Types in Risk Recommendation

The Risk Recommendation journey step now supports custom action types, allowing businesses to tailor their fraud response strategies when assessing risk. Organizations can define custom actions such as requiring step-up authentication, blocking transactions, or triggering fraud investigations based on the assessed risk level. These actions can be configured in the Admin Portal, enabling more adaptive and precise fraud prevention measures.

Enhanced UX for Documenting Journey Steps

Step titles and descriptions in Journey Tiles are now fully editable, allowing for better customization and clarity when designing journeys.

GenAI Expression Builder Now Uses Journey Context

The Gen AI Expression Builder now leverages journey variables, enhancing its ability to generate more accurate results and recommendations. For example, if a journey includes a variable for a user’s risk score, the builder can now suggest expressions that dynamically adjust authentication requirements based on that score. This improvement ensures better alignment with the specific context of each journey, making expressions more relevant and effective.

Identity Orchestration Is Now Supported in Canada

Identity Orchestration can now be deployed in the Canada (CA) region, giving organizations the option to host their services locally. This update supports businesses that require regional deployment for data-residency, compliance or performance needs.

Customer Identity Management

Strengthening Client Access Control & Role Management

We are introducing granular access control for client tokens. Until now, a client token granted unrestricted access to the management API, so a leaked client credential exposed far more than the integration that owned it needed. This update lets customers define client roles by grouping specific API permissions and assigning those roles to app clients, so each client holds only the permissions its integration requires.

Tailored Network Security with IP Allowlisting in Mosaic

We've introduced IP Allowlisting for the Mosaic Admin Portal, a new feature that lets customers restrict access to their tenant to trusted source networks. Admins can configure individual IP addresses or CIDR ranges directly in the Settings tab, so that only connections from authorized networks can reach the Admin Portal.

To support transparency and troubleshooting, every IP validation attempt is logged with the tenant name, admin email, the user's IP address and whether the attempt was allowed or denied. This log helps admins monitor access and investigate issues quickly.
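To make the allowlist semantics concrete, here is an added example (not Mosaic code) of how a portal might evaluate a configured allowlist and write the audit record described above. The field names in the log entry, the tenant name `acme`, the address `ops@acme.example` and all IP ranges are constructed for the example; the ranges are the RFC 5737 / RFC 3849 documentation prefixes, and the code uses only the Python standard library.

```python
"""Admin Portal IP allowlist evaluation with an audit log entry per attempt.
Added example; not Mosaic code. Standard library only."""
import ipaddress
from datetime import datetime, timezone
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: List[str]) -> List[Network]:
    """Accept bare addresses (treated as /32 or /128) and CIDR ranges.
    strict=True rejects entries with host bits set, e.g. 203.0.113.5/24, so a
    typo fails at configuration time instead of silently widening the range."""
    networks: List[Network] = []
    for entry in entries:
        networks.append(ipaddress.ip_network(entry.strip(), strict=True))
    return networks


def is_allowed(client_ip: str, allowlist: List[Network]) -> bool:
    """True if the address falls inside any configured network of the same IP version."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist if net.version == addr.version)


def check_admin_access(tenant: str, admin_email: str, client_ip: str,
                       allowlist: List[Network], audit_log: list) -> bool:
    """Decide, then record the attempt with the fields the portal logs.
    client_ip must be the peer address seen by the TLS terminator (or a proxy
    header set only by a trusted load balancer); a spoofable X-Forwarded-For
    value would defeat the allowlist entirely."""
    try:
        allowed = is_allowed(client_ip, allowlist)
        result = "success" if allowed else "denied"
    except ValueError:  # unparsable address: deny and record it as such
        allowed, result = False, "denied_invalid_ip"
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tenant": tenant,
        "admin_email": admin_email,
        "ip": client_ip,
        "result": result,
    })
    return allowed


# Constructed configuration and attempts (RFC 5737 / RFC 3849 documentation ranges).
ALLOWLIST = parse_allowlist(["203.0.113.0/24", "198.51.100.17", "2001:db8:1::/48"])
ATTEMPTS = [
    ("acme", "ops@acme.example", "203.0.113.42"),   # inside the office /24
    ("acme", "ops@acme.example", "198.51.100.17"),  # the single allowed host
    ("acme", "ops@acme.example", "198.51.100.18"),  # neighbour of that host: denied
    ("acme", "ops@acme.example", "2001:db8:1::5"),  # inside the allowed IPv6 prefix
    ("acme", "ops@acme.example", "2001:db8:2::5"),  # different prefix: denied
    ("acme", "ops@acme.example", "not-an-ip"),      # garbage from a bad proxy header
]


def run_demo() -> List[dict]:
    """Evaluate every constructed attempt and return the resulting audit log."""
    log: List[dict] = []
    for tenant, email, ip in ATTEMPTS:
        check_admin_access(tenant, email, ip, ALLOWLIST, log)
    return log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Two design points worth carrying into any real deployment: a single address in the list is a /32 (or /128), not a prefix match on its first octets, and an unparsable or missing client address is denied and logged rather than skipped, so an allowlist bypass attempt through a malformed proxy header shows up in the same log the admins already review.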

Support for Multiple Domains per B2B Organizations

Organizations can now associate multiple domains with a single app, simplifying domain management for businesses with complex structures, such as those resulting from mergers or acquisitions. This enhancement (also available via API) allows greater flexibility by supporting multiple corporate domains within the same organization while maintaining domain uniqueness across different apps. Existing functionality for domain validation remains unchanged, ensuring seamless integration with current configurations.

New API for Retrieving User Organizations and Roles

A new API is now available to help customers view and manage user roles across their organization and its hierarchical child organizations. Designed for enhanced organization management, this API allows applications to fetch all associated organizations for a given user, along with their assigned roles. Admins can use this to enable tailored role-based management and visibility across organizational structures.

More Control with SMS Custom Gateway Configuration

A new UI is now available in the Mosaic Admin Portal, enabling admins to configure SMS delivery for user authentication and phone verification. While Mosaic's service remains the default option, this update allows seamless integration with third-party SMS providers like Twilio or Salesforce Marketing Cloud, offering greater flexibility for managing SMS delivery.

Token Binding Support for mTLS in OIDC

Token Binding for mTLS client authentication is now available as an optional feature in OIDC, offering enhanced security for token usage. The feature cryptographically binds issued tokens to the client certificate (the mechanism standardized in RFC 8705), so a token that is stolen cannot be used by anyone who does not also hold the private key of the bound certificate. It is particularly relevant for highly regulated sectors such as Open Banking.

When mTLS is selected in the client authentication settings, admins can enable Token Binding via a new toggle in the Mosaic Admin Portal. When enabled, issued tokens carry a cnf (confirmation) claim containing the thumbprint of the client certificate, so the token cannot be accepted without the original certificate. Resource servers must enforce this binding on every request: compute the thumbprint of the certificate presented on the mTLS connection, compare it to the value in the token's cnf claim, and reject the request on a mismatch or when a token lacks the claim. Updated documentation is available to guide customers through implementing these validations.
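The resource-server side of that check, as an added example that is not Mosaic's code or documentation: it follows the RFC 8705 convention, in which the cnf claim carries the member `x5t#S256`, the base64url-encoded SHA-256 of the DER-encoded certificate. Whether Mosaic uses exactly that member name is an assumption here and should be confirmed against its documentation. The HS256 signing with a shared secret, the issuer URL, the expiry times and the two byte strings standing in for DER certificates are all constructed so the example runs offline; a real resource server verifies an asymmetric signature against the issuer's JWKS and takes the certificate from its own TLS handshake.

```python
"""Resource-server check of a certificate-bound (mTLS) access token, RFC 8705 style.
Added example; not Mosaic code. Uses only the Python standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour; the thumbprint is always computed over the DER bytes."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def cert_thumbprint_s256(der: bytes) -> str:
    """x5t#S256 value: base64url(SHA-256(DER certificate)) without padding."""
    return b64url_encode(hashlib.sha256(der).digest())


def issue_token(claims: dict, secret: bytes, client_cert_der: Optional[bytes]) -> str:
    """Stand-in authorization server. HS256 with a shared secret keeps the example
    self-contained; a real issuer signs with an asymmetric key published via JWKS.
    When client_cert_der is given, the token is bound by adding cnf.x5t#S256."""
    def dump(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "HS256", "typ": "at+jwt"}
    payload = dict(claims)
    if client_cert_der is not None:
        payload["cnf"] = {"x5t#S256": cert_thumbprint_s256(client_cert_der)}
    signing_input = f"{dump(header)}.{dump(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_bound_token(token: str, presented_cert_der: bytes, secret: bytes,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Accept only if signature, expiry and certificate binding all check out.
    presented_cert_der must come from the TLS layer of *this* connection, never
    from anything the caller sends inside the request."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        return False, "bad signature"
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    payload = json.loads(b64url_decode(p))
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        return False, "expired"
    cnf = payload.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str):
        # Fail closed: on an mTLS-protected resource an unbound token is a downgrade.
        return False, "token is not certificate-bound"
    presented = cert_thumbprint_s256(presented_cert_der)
    if not hmac.compare_digest(bound.encode(), presented.encode()):
        return False, "certificate thumbprint mismatch"
    return True, "ok"


# Constructed inputs: placeholder byte strings standing in for two clients' DER
# certificates (real DER comes from the TLS handshake or pem_to_der()), a demo
# signing secret, a fixed clock and a constructed issuer URL.
CLIENT_A_DER = b"constructed-placeholder-der-certificate-client-A"
CLIENT_B_DER = b"constructed-placeholder-der-certificate-client-B"
SECRET = b"demo-shared-secret-not-for-production"
NOW = 1_700_000_000
CLAIMS = {"iss": "https://issuer.example", "sub": "client-a", "aud": "api", "exp": NOW + 600}

BOUND_TOKEN = issue_token(CLAIMS, SECRET, CLIENT_A_DER)
UNBOUND_TOKEN = issue_token(CLAIMS, SECRET, None)

if __name__ == "__main__":
    print(verify_bound_token(BOUND_TOKEN, CLIENT_A_DER, SECRET, NOW))    # legitimate client
    print(verify_bound_token(BOUND_TOKEN, CLIENT_B_DER, SECRET, NOW))    # stolen token, wrong cert
    print(verify_bound_token(UNBOUND_TOKEN, CLIENT_A_DER, SECRET, NOW))  # binding downgrade
```

The order of the checks matters: the signature is verified before any claim is trusted, and the binding check runs on every request rather than once at session start, because the certificate that authenticated the token request is not necessarily the one on the connection now. Rejecting tokens that lack the cnf claim is what stops an attacker from presenting an older, unbound token to the same endpoint.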

Support for SAML HTTP POST Binding in ACS URL

SAML HTTP POST binding is now supported for Assertion Consumer Service (ACS) endpoints, enhancing our SAML integration capabilities. Customers can now receive SAML assertions from Mosaic as a browser-posted form (the HTTP POST binding defined in the SAML 2.0 Bindings specification) instead of only via redirect. The metadata XML has been updated to advertise the POST binding on the ACS endpoint, so service providers implementing it can configure it directly from the published metadata.
