- AUTHOR: The Transmit Security team
New Directions in Identity: B2B Orchestration, Geolocation Insights and More
This edition marks a major leap in how Mosaic supports real-world identity at scale. With the introduction of B2B Identity Orchestration, customers can now design complete journeys for business users, bringing enterprise-ready flexibility to the core of our platform. Paired with powerful geolocation features like mobile signals and a global risk map, this release deepens both visibility and control across fraud detection and identity flows. Together, these and other updates expand what’s possible with Mosaic and give you the tools to build more intelligent, context-aware and secure experiences across all user types.
Highlights
Orchestrate End-to-End B2B Identity Journeys
Mosaic now supports B2B Identity Orchestration, giving customers with B2B CIAM use cases the ability to design and manage full identity journeys for business users. This includes flows for inviting, authenticating and managing members across partner organizations, subsidiaries and enterprise customer accounts.
With Orchestration, teams can build tailored B2B journeys that meet specific business requirements, including:
- Custom onboarding flows for invited members
- Flexible login experiences for enterprise users
- Org-level access policy enforcement
- Scalable management of identities across companies
Journeys are built through the same drag-and-drop interface used for consumer flows, ensuring a consistent orchestration experience across all identity types.
* Available in sandbox
Auto Capture Now Available in Web and iOS SDKs
The Web SDK and iOS Mobile SDK for identity verification now support an auto-capture experience. This feature automatically detects and captures document and selfie images when framing, lighting and clarity meet optimal conditions. By reducing the need for manual taps, it improves image quality, increases verification accuracy and creates a smoother user experience, increasing conversion—even in challenging environments.
* Available in sandbox
Identity Verification
Detect Reused or Synthetic Profiles With Multi-Session Matching
A new Repeated Profile security insight helps detect synthetic or stolen identities during identity verification by analyzing patterns across multiple sessions. The system checks for similarities in key profile attributes such as full name and date of birth and identifies discrepancies in extracted data that may indicate manipulation or reuse.
* Available in sandbox
Fraud Prevention
Visualize Geolocation Risks With the New Fraud Prevention World Map
A new map visualization on the Fraud Prevention overview page highlights geolocation risks to help fraud teams spot where malicious or suspicious activity is most prevalent. Users can drill into specific regions for deeper analysis and trend exploration. The map is powered by IP-based geolocation, offering approximate regional context without exposing exact physical locations.
* General availability
Enhance Detection With Mobile Geolocation Signals
Our Fraud Prevention services now support mobile geolocation signals for more precise fraud detection. By collecting data from GPS, Wi-Fi and cellular sources, the system builds accurate geolocation profiles and identifies deviations that may signal risk. Detection scenarios include new location, impossible travel, trusted location, mismatches and spoofing.
The collection endpoint is configurable based on use case, desired accuracy and data freshness. This feature helps reduce friction by assessing location context automatically, offering high accuracy with minimal user effort. Availability for iOS is coming soon.
* Early availability (Android)
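To make the detection scenarios above concrete, here is an added example (not Mosaic's SDK or service code) that scores a new geolocation fix against the previous fix and a set of trusted locations. The `Fix`, `TrustedLocation` and `Finding` types, the 1000 km/h plausibility threshold and the coordinates are all constructed for this illustration; it covers the "trusted location", "new location" and "impossible travel" scenarios named in the text.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Fix is one geolocation sample attached to a session. Constructed for this
// example; a real collector would fill it from GPS, Wi-Fi or cellular data.
type Fix struct {
	Lat, Lon float64
	At       time.Time
	Source   string // hypothetical label: "gps", "wifi" or "cell"
}

// TrustedLocation is a centre point and radius (km) where the user has
// previously been seen, e.g. home or office.
type TrustedLocation struct {
	Name     string
	Lat, Lon float64
	RadiusKm float64
}

// Finding is one risk signal produced by Evaluate.
type Finding struct {
	Scenario string // "trusted_location", "new_location" or "impossible_travel"
	Detail   string
}

// maxPlausibleKmh is a constructed threshold: commercial air travel stays
// below it, so faster apparent movement between fixes is treated as impossible.
const maxPlausibleKmh = 1000.0

// haversineKm returns the great-circle distance in km between two points.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// Evaluate scores the current fix against the trusted set and, when a
// previous fix exists, against the speed implied by the move between them.
func Evaluate(prev *Fix, cur Fix, trusted []TrustedLocation) []Finding {
	var out []Finding
	inTrusted := false
	for _, t := range trusted {
		if haversineKm(cur.Lat, cur.Lon, t.Lat, t.Lon) <= t.RadiusKm {
			inTrusted = true
			out = append(out, Finding{"trusted_location", "within " + t.Name})
			break
		}
	}
	if !inTrusted {
		out = append(out, Finding{"new_location", fmt.Sprintf("%.2f,%.2f is not a trusted location", cur.Lat, cur.Lon)})
	}
	if prev != nil {
		dist := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
		hours := cur.At.Sub(prev.At).Hours()
		// A fix that is not later than the previous one cannot be scored for speed.
		if hours > 0 && dist/hours > maxPlausibleKmh {
			out = append(out, Finding{"impossible_travel", fmt.Sprintf("%.0f km in %.1f h", dist, hours)})
		}
	}
	return out
}

// HasScenario reports whether the findings contain the named scenario.
func HasScenario(findings []Finding, scenario string) bool {
	for _, f := range findings {
		if f.Scenario == scenario {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a fix at the office, then one across the Atlantic an hour later.
	trusted := []TrustedLocation{{Name: "office", Lat: 32.08, Lon: 34.78, RadiusKm: 25}}
	t0 := time.Date(2025, 1, 1, 8, 0, 0, 0, time.UTC)
	first := Fix{Lat: 32.08, Lon: 34.78, At: t0, Source: "gps"}
	second := Fix{Lat: 40.71, Lon: -74.01, At: t0.Add(time.Hour), Source: "wifi"}
	fmt.Println(Evaluate(nil, first, trusted))
	fmt.Println(Evaluate(&first, second, trusted))
}
```

The trusted-location check runs first so that a fix inside a known radius is never also reported as a new location; the speed check is independent of it, because a return to a trusted location can still be impossibly fast.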
Customer Identity Management
Authenticate With PIN Code for Device-Based Login
A new PIN code authentication method is available, providing a simple and secure way for users to log in from trusted devices. This option improves flexibility while maintaining strong security, especially in mobile-first experiences where ease of use is key.
PIN Code authentication can be fully customized and integrated into your orchestration flows.
* General availability
WCAG 2.1 Accessibility Support for Hosted Experience and B2B Org Admin Portal
Both the Hosted Experience and the B2B Org Admin Portal now support WCAG 2.1 accessibility standards, improving usability for people with disabilities and aligning with modern accessibility best practices. With this update, we ensure that Mosaic experiences are more inclusive, compliant and user-friendly across the board.
* General availability
Stronger Security for PKI-Based mTLS Authentication
Two important enhancements have been added to improve control and trust in PKI certificate-based mutual TLS, strengthening authentication and policy enforcement for mTLS flows:
- Certificate Chain Validation confirms that the client certificate is part of a trusted chain.
- Subject DN Validation allows inspection of specific fields in the certificate’s Subject DN, such as Common Name (CN) or Organization (O).
* General availability
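The two checks above compose: a certificate must both chain to a trusted root and carry the expected Subject DN fields, since either check alone can be satisfied by a certificate that should still be rejected. The following added example (not Mosaic's implementation) shows both checks with Go's standard `crypto/x509` verifier against a constructed in-memory PKI; the `SubjectPolicy` type, the `issue` helper and all names in the certificates are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SubjectPolicy holds the Subject DN values a client certificate must carry.
// An empty field is not checked. Hypothetical shape, not Mosaic's configuration.
type SubjectPolicy struct {
	CommonName   string
	Organization string
}

// ValidateClientCert applies both checks: the certificate must chain to a
// trusted root for client authentication, and the selected Subject DN fields
// must match policy. A valid chain with the wrong DN is still rejected.
func ValidateClientCert(cert *x509.Certificate, roots *x509.CertPool, policy SubjectPolicy) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if policy.CommonName != "" && cert.Subject.CommonName != policy.CommonName {
		return fmt.Errorf("subject CN %q does not match policy CN %q", cert.Subject.CommonName, policy.CommonName)
	}
	if policy.Organization != "" && !hasValue(cert.Subject.Organization, policy.Organization) {
		return fmt.Errorf("subject O %v does not contain %q", cert.Subject.Organization, policy.Organization)
	}
	return nil
}

func hasValue(values []string, want string) bool {
	for _, v := range values {
		if v == want {
			return true
		}
	}
	return false
}

// issue creates a short-lived P-256 certificate for subj. With parent == nil
// it is a self-signed CA; otherwise a leaf signed by parent/parentKey.
// It panics on error because it only builds constructed test material.
func issue(subj pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subj,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario builds a constructed PKI and returns the verdict for three clients:
// a trusted one, one with the right DN but an unknown issuer, and one issued by
// the trusted CA but with a CN the policy does not allow.
func Scenario() (trustedErr, unknownIssuerErr, wrongCNErr error) {
	ca, caKey := issue(pkix.Name{CommonName: "Example Partner Root CA", Organization: []string{"Example Partner"}}, nil, nil)
	rogue, rogueKey := issue(pkix.Name{CommonName: "Unknown CA"}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policy := SubjectPolicy{CommonName: "partner-gateway", Organization: "Example Partner"}
	okSubj := pkix.Name{CommonName: "partner-gateway", Organization: []string{"Example Partner"}}

	good, _ := issue(okSubj, ca, caKey)
	forged, _ := issue(okSubj, rogue, rogueKey) // correct DN, untrusted chain
	other, _ := issue(pkix.Name{CommonName: "other-service", Organization: []string{"Example Partner"}}, ca, caKey)
	return ValidateClientCert(good, roots, policy), ValidateClientCert(forged, roots, policy), ValidateClientCert(other, roots, policy)
}

func main() {
	a, b, c := Scenario()
	fmt.Println("trusted client:", a)
	fmt.Println("unknown issuer:", b)
	fmt.Println("wrong CN:", c)
}
```

Note the order: chain validation runs before DN inspection, so DN values are only ever read from a certificate whose issuer is already trusted; inspecting the DN first would let an attacker-chosen DN influence processing before trust is established.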
New SameSite Cookie Setting for OIDC and SAML Clients
A new SameSite configuration is available under Advanced Settings for both OIDC and SAML clients. By default, the setting is LAX, with None available as an additional option.
When set to None, cookies are marked as Secure and all redirect URIs must use HTTPS. Validation is in place to prevent insecure configurations. This update is essential for supporting cross-site login flows and embedded use cases—such as authentication within iframes or across domains—while preserving strong security standards.
* General availability
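The rule described above (None implies Secure, and a None client may only redirect to HTTPS) is easy to get wrong when the cookie attributes and the client's redirect URIs are configured in different places. As an added example, not Mosaic's code, the function below builds a session cookie from a hypothetical `ClientCookieConfig` and refuses an insecure combination instead of silently downgrading it; the config type and field names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ClientCookieConfig is a hypothetical shape for the two settings discussed
// above: the SameSite choice and the client's registered redirect URIs.
type ClientCookieConfig struct {
	ClientID     string
	SameSite     string // "Lax" (default when empty) or "None"
	RedirectURIs []string
}

// SessionCookie builds the session cookie template for a client. For
// SameSite=None it marks the cookie Secure and requires every redirect URI to
// use HTTPS; any other outcome is an error, so an insecure configuration is
// rejected rather than downgraded.
func SessionCookie(cfg ClientCookieConfig, name, value string) (*http.Cookie, error) {
	c := &http.Cookie{Name: name, Value: value, Path: "/", HttpOnly: true}
	switch cfg.SameSite {
	case "", "Lax":
		c.SameSite = http.SameSiteLaxMode
	case "None":
		for _, raw := range cfg.RedirectURIs {
			u, err := url.Parse(raw)
			if err != nil || u.Scheme != "https" {
				return nil, fmt.Errorf("client %s: SameSite=None requires HTTPS redirect URIs, got %q", cfg.ClientID, raw)
			}
		}
		c.SameSite = http.SameSiteNoneMode
		c.Secure = true // browsers discard SameSite=None cookies that are not Secure
	default:
		return nil, errors.New("unsupported SameSite value " + cfg.SameSite)
	}
	return c, nil
}

func main() {
	// Constructed configurations: the embedded client is valid, the last one is not.
	lax := ClientCookieConfig{ClientID: "web-app", RedirectURIs: []string{"https://app.example.test/cb"}}
	embedded := ClientCookieConfig{ClientID: "iframe-app", SameSite: "None", RedirectURIs: []string{"https://widget.example.test/cb"}}
	bad := ClientCookieConfig{ClientID: "legacy-app", SameSite: "None", RedirectURIs: []string{"http://legacy.example.test/cb"}}
	for _, cfg := range []ClientCookieConfig{lax, embedded, bad} {
		c, err := SessionCookie(cfg, "sid", "constructed-session-value")
		if err != nil {
			fmt.Println(cfg.ClientID, "rejected:", err)
			continue
		}
		fmt.Println(cfg.ClientID, "->", c.String())
	}
}
```

`http.Cookie.String()` renders the `Set-Cookie` value, so the embedded client produces a header ending in `SameSite=None; Secure`, which is what a browser needs to accept the cookie inside an iframe or across domains.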
Stop Brute-Force Attempts with Lockout Controls for Passkey Authentication
Passkey authentication now includes configurable lockout settings to protect accounts from brute-force attempts or repeated misuse, strengthening account security while maintaining a seamless user experience.
* General availability
Access WebAuthn Public Keys via the User Authenticators API
WebAuthn public keys and related metadata are now available through the User Authenticators API, giving customers direct access to essential credential data. This improves authentication resiliency by enabling fallback handling in the event of a SaaS outage.
* General availability
Control Which Client Is Used for B2B Invitation Flows
A new setting lets you explicitly select the OIDC client used for B2B member invitations. This prevents failures caused by clients that require PKCE, which is not compatible with magic link flows. The setting appears just below the “Application URI for inviting members” field and ensures that only non-PKCE clients can be selected.
* General availability
Enhanced B2B Logging for Admin Actions
B2B logging has been improved to offer greater visibility into administrative activity across the Org Admin and Tenant Admin portals:
- Tenant Admin actions on members are logged as Admin Activity, capturing both the acting admin and the affected member.
- Org Admin actions on members or organizations are logged as User Activity, clearly identifying the actor and the target entity.
These updates strengthen auditing, support security investigations and improve transparency across B2B operations.
* General availability
Orchestration
Customize the User Experience After SSO Access Rejection
SSO journeys now support a configurable Access Rejected setting, giving you control over what users see when access is denied. You can display a custom rejection message with personalized title, message and button text, or redirect users to a specified destination with an error string passed in the URL.
* General availability
Pass Contextual Metadata From Web to Mobile Journeys
An “Additional Data” section has been added to relevant journey steps, making it easier to carry context across channels and improve decisioning on mobile. This allows you to pass metadata such as IP address or browser type from web to mobile journeys through a dedicated data object.
* General availability