What's New in Imprivata Enterprise Access Management 25.3
Imprivata Enterprise Access Management with MFA 25.3 contains the following new features and technology updates.
New Features

Shared workstations on Windows now support multi-factor authentication using a proximity card and face recognition:
- Face recognition remains a secondary factor, and a badge tap is always required for all authentications.
- An Imprivata Admin can enable face recognition with a grace period. This requires proximity card + (face recognition or password), while allowing badge-only during the grace period.
Additional guidance is provided for enterprises that use mixed endpoints. For more information, see Face Authentication and Mixed Environments.

The following improvements have been made:
- Enrollment—Users can now enroll their face as an authenticator using the Imprivata enrollment utility. Previously, users could only enroll their face when accessing their desktop.
- Grace period—On a single-user workstation, when combining face recognition with another authentication method, you can now define a grace period. After the initial login, and during the specified period of time, the grace period lets users use face recognition as a single factor.
- Offline experience—If the workstation is unable to communicate with the Imprivata Cloud Platform, users are notified that face recognition is unavailable and are prompted to use an alternative authentication factor. This enhancement lets users use another authentication factor without delay. Once the connection is restored, the ability for users to use their face as an authenticator is automatically restored.
- Update a username when authenticating—Before authenticating with face recognition, users can now choose which account to authenticate with by changing the username. By default, the Imprivata login screen shows the username of the last known user. This enhancement helps to prevent confusion from a failed login attempt due to an incorrect username.

EAM now supports secure MIFARE DESFire EV1 and EV2 proximity cards, and specifically the French national CPS card. Support for EV3 was released in EAM version 25.2. These enhancements provide secure, contactless authentication.
This release also adds support for MFA workflows using contactless MIFARE DESFire cards, complementing existing desktop access workflows. MIFARE DESFire is now also available in ProveID Web for third-party (Technology Alliance) integrations.
For more information, see Secure Proximity Cards.

Supervised enrollment of authenticators is now available for eIDAS Substantial compliant workflows in France and other countries. Customers can now perform supervised enrollment of users with strong, eIDAS-compliant authenticators, such as FIDO2 security keys, MIFARE DESFire badges, and Imprivata ID, for remote users.
For more information, see Supervised Enrollment for Strong Authentication.
Technology Updates


The Classic Windows login is deprecated and will no longer be supported after Q1 2026.
Imprivata is committed to innovation and is focusing efforts on the Imprivata login. It is recommended that you begin planning a migration to the Imprivata login. For more information about the Imprivata login and next steps, see the FAQ.

While Microsoft has not announced a release date for their planned update to LDAP channel binding and LDAP signing requirements, it is recommended that Imprivata administrators verify that their Imprivata directory (domain) connections are configured for SSL. When the update is applied, any directory connection that is not configured for SSL may fail.
To verify the connection settings, go to the Directories page (Users menu > Directories) and open the required domain. Verify that Use TLS for secure communication is selected.

As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release, Imprivata disables the use of older TLS versions 1.0 and 1.1 for all appliance communications.
For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.
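The two notes above both come down to one pre-upgrade check: does each directory server the appliance talks to answer LDAPS with TLS 1.2 or later? The following added example (not Imprivata code) probes a directory host on the standard LDAPS port 636 with a client context that refuses TLS 1.0 and 1.1, the same versions the appliance disables, and reports what was negotiated. It assumes the host name is given on the command line and that the server certificate chains to a CA in the local trust store or to the optional CA bundle path; the host and file names in the usage comment are placeholders.

```python
"""Probe a directory server's LDAPS endpoint and report the negotiated TLS
version. Added example, not Imprivata code: it assumes the directory host is
given on the command line, that LDAPS listens on the standard port 636, and
that the server certificate chains to a trusted CA (or to the optional cafile).
"""
import socket
import ssl
import sys
from typing import Optional

LDAPS_PORT = 636
# TLS 1.0 and 1.1 are disabled on the appliance, so only these are acceptable.
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def make_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and verifies the server cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_version_name(cafile: Optional[str] = None) -> str:
    """Name of the lowest TLS version the probe context will negotiate."""
    return make_context(cafile).minimum_version.name


def is_acceptable_version(version: Optional[str]) -> bool:
    """True when the negotiated version is one the appliance still allows."""
    return version in ACCEPTED_VERSIONS


def probe_ldaps(host: str, port: int = LDAPS_PORT, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with host:port and describe the session.

    Raises ssl.SSLError if the server only offers TLS 1.0/1.1 or presents an
    untrusted certificate, and OSError if nothing listens on the port; either
    way the directory is not ready for a TLS-only connection.
    """
    ctx = make_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # subject is a tuple of RDNs, each a tuple of (key, value) pairs
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            return {
                "host": host,
                "port": port,
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": subject.get("commonName"),
                "not_after": cert.get("notAfter"),
            }


def summarize(result: dict) -> str:
    """One-line verdict suitable for a pre-upgrade checklist."""
    verdict = "OK" if is_acceptable_version(result["tls_version"]) else "WEAK"
    return (f"{verdict} {result['host']}:{result['port']} {result['tls_version']} "
            f"{result['cipher']} cn={result['subject_cn']} expires={result['not_after']}")


if __name__ == "__main__":
    # Usage: python ldaps_probe.py dc01.example.com [ca-bundle.pem]
    # (host name and CA file are placeholders; substitute your own)
    dc = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        print(summarize(probe_ldaps(dc, cafile=ca)))
    except (ssl.SSLError, OSError) as exc:
        print(f"FAIL {dc}:{LDAPS_PORT} {exc}")
```

Run it once per domain listed on the Directories page before upgrading. A "FAIL" line with a handshake error means the server would not accept the TLS-only connection the appliance makes, which is exactly the case the LDAP channel binding and signing change is expected to break.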

As part of Imprivata's continuing effort to increase our security posture, this release includes two modes of API access through the Confirm ID and ProveID API:
- Full: Full access enables use of the Confirm ID COM interface. Full access is required in the following areas because of their reliance on the COM interfaces:
  - Clinical Workflows
  - EPCS
  - Imprivata Connector for Epic Hyperdrive
  - When Imprivata Confirm ID needs a password.
- Restricted: In restricted mode, access to the Password and UserAppCreds resources is disabled. A ResourceRequest that includes an attribute id of Password or UserAppCreds returns a response with a message stating that access is restricted and status code 403.
By default, Confirm ID access is disabled and ProveID API access is set to restricted. The settings to manage API access are on the API access page in the Imprivata Admin Console.
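Because restricted is the default, an integration that silently relies on the Password or UserAppCreds resources will start receiving 403 responses rather than credentials. The following added example (not Imprivata code) models the documented rule so an administrator can audit an integration's request bodies before deciding whether Full access is actually needed. It assumes a ResourceRequest is a JSON object with an "attributes" list whose entries carry an "id" field; the real request schema is not shown on this page, and the sample requests are constructed.

```python
"""Pre-flight check for the Confirm ID / ProveID API access modes.

Added example, not Imprivata code. It models the documented rule (restricted
mode rejects Password and UserAppCreds with a 403) and assumes a
ResourceRequest is a JSON object with an "attributes" list whose entries carry
an "id" field; the real request schema is not shown on this page.
"""
import json
from typing import Iterable, Union

RESTRICTED_ATTRIBUTE_IDS = frozenset({"Password", "UserAppCreds"})
MODES = ("full", "restricted")


def requested_attribute_ids(resource_request: Union[dict, str]) -> set:
    """Collect the attribute ids a ResourceRequest (dict or JSON text) asks for."""
    if isinstance(resource_request, str):
        resource_request = json.loads(resource_request)
    return {a["id"] for a in resource_request.get("attributes", []) if "id" in a}


def evaluate_request(mode: str, resource_request: Union[dict, str]) -> tuple:
    """Return (status_code, body) as the API would answer under the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown API access mode: {mode!r}")
    requested = requested_attribute_ids(resource_request)
    blocked = sorted(requested & RESTRICTED_ATTRIBUTE_IDS)
    if mode == "restricted" and blocked:
        # Modelled on the documented behaviour: 403 plus a "restricted" message.
        return 403, {"message": f"Access to {', '.join(blocked)} is restricted"}
    return 200, {"attributes": sorted(requested)}


def audit_integration(mode: str, requests: Iterable[dict]) -> list:
    """List (name, status, message) for every request that would fail under mode.

    Run this over the request bodies an integration sends before changing the
    API access setting, so the change cannot silently break a workflow.
    """
    failures = []
    for req in requests:
        status, body = evaluate_request(mode, req)
        if status != 200:
            failures.append((req.get("name", "<unnamed>"), status, body["message"]))
    return failures


# Constructed sample requests; names and non-restricted ids are illustrative.
SAMPLE_REQUESTS = [
    {"name": "lookup-user", "attributes": [{"id": "Username"}, {"id": "DisplayName"}]},
    {"name": "epcs-sign", "attributes": [{"id": "Username"}, {"id": "Password"}]},
    {"name": "app-creds", "attributes": [{"id": "UserAppCreds"}]},
]

if __name__ == "__main__":
    for mode in MODES:
        print(f"mode={mode}: failures={audit_integration(mode, SAMPLE_REQUESTS)}")
```

If the audit comes back empty under restricted mode, leave the default in place; only the workflows listed under Full (which depend on the COM interfaces) justify widening access.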
Considerations
The following sections describe changes in behavior in Imprivata Enterprise Access Management.

Face authentication is a new modality and is supported on Windows.
- If your enterprise uses mixed endpoints (thin clients, medical devices, etc.), test to verify that they continue to work after enabling face recognition.
- If you encounter issues on non-Windows platforms, disable multiple second factors using computer policy overrides and reach out to your vendor and Imprivata representative.
Imprivata has identified limited cases where Imprivata agents running on non-Windows platforms are unable to authenticate depending on user policy configuration. Limiting the second factor options in your environment is recommended to resolve this.

For enhanced protection against sophisticated attacks, pair Face Authentication with a strong second factor like device-bound passkey or proximity card.

Beginning with 25.2, you can no longer directly run the Imprivata agent installer. This includes:
- Double-clicking the MSI.
- Right-clicking the MSI and running as an administrator.
To launch the installer directly, you must execute the MSI from an elevated command prompt. Running the MSI in either of the ways listed above results in an error message stating that you do not have the required permissions. This behavior occurs even if you are logged into the Windows endpoint with administrator credentials.
This requirement does not affect deployments performed through Microsoft Endpoint Configuration Manager (SCCM) or any other third-party software deployment tool.

Imprivata's Secure Walk Away added support for a Nordic Bluetooth Low Energy (BLE) receiver in Imprivata OneSign and Imprivata Confirm ID 7.11. The Bluetooth receiver sensitivity may vary for different mobile devices. If your users report that their workstations lock because Secure Walk Away does not detect their mobile devices, adjust the Secure Walk Away – Imprivata ID Sensitivity slider control in the computer policy assigned to those workstations.
For more information, see Configuring Imprivata Secure Walk Away.
Upgrade Considerations
For more information on upgrading Enterprise Access Management, see the Imprivata Upgrade portal.