Axiad Conductor Release Notes
  • 02 Jul 2025

June 30, 2025

Confirm

Introducing Axiad Confirm

Identity Assurance for Credential Issuance

We’re excited to announce the launch of Axiad Confirm, a powerful new identity verification solution built into the Axiad Conductor platform. Axiad Confirm protects the “front door” to your enterprise credentials by ensuring that every credential—whether a smart card, certificate, or passkey—is issued only after the user’s identity has been verified with confidence.

Why it matters

Most identity attacks don’t start at login; they start when credentials are issued or reset. Axiad Confirm stops these threats at the source by verifying user identity before any credential is created or reissued. It uses biometric liveness detection, government-issued ID validation, and identity attribute matching to ensure the right person is behind every request.

Seamless experience on any device

Axiad Confirm delivers a browser-based, mobile-friendly workflow that works across both professional and personal devices—no app installation required. It integrates directly with your existing infrastructure, including Microsoft Entra ID for Temporary Access Pass (TAP) issuance.

Built for trust

Whether onboarding new employees, resetting credentials, or verifying help desk callers, Axiad Confirm ensures you can confidently answer: “Who is this person, and can we trust them?”

Features

  • Operators can confirm an employee’s identity before granting secure access to Axiad Conductor for phishing-resistant authenticator enrollment

  • Help Desk operators can verify an employee’s identity with confidence before assisting with credentialing or access issues

  • A new user status now tracks identity confirmation state, showing whether a user is unconfirmed, confirmed, or failed verification

  • Browser-based identity verification workflows enable users to confirm their identity using a government-issued ID or a selfie matched against a previously captured facial hash and obtain an Entra ID Temporary Access Pass (TAP)

  • During identity verification, the system extracts key attributes—such as name, date of birth, and postal code—from the scanned government-issued ID and compares them against the corresponding identity attributes configured in the system (e.g., Entra ID) to ensure consistency and to validate the claimed identity

Known Limitations

  • Entra ID Only: Axiad Confirm currently supports only Microsoft Entra ID. Support for additional identity providers (IdPs) will be introduced in future versions.

  • Active Directory Not Supported: Deployments relying solely on Active Directory are not supported. Our Customer Success team can assist you in migrating to SCIM to take advantage of Axiad Confirm’s capabilities.

  • Cloud Edition Required: Axiad Confirm is designed for Axiad Conductor Cloud. It can technically be used with Axiad Conductor for Airgap, but this requires enabling external access to the Conductor instance, as identity verification relies on a cloud-hosted service.

  • TAP Support Only: Axiad Confirm currently supports the issuance of Microsoft Entra ID Temporary Access Pass (TAP) following a successful identity verification. Additional outcomes will be supported in upcoming releases.

  • Confirm Again: The Confirm Again action is available but will not succeed until the current confirmation transaction expires. By default, transactions expire after 5 days for Onboard and 15 minutes for Verify, though these durations can be configured.

  • Mobile OS Requirements:

    • iOS 17 or later is required for the identity verification process on iPhones.

    • Android 15 or later is required for identity verification on Android devices.

  • TAP Display Timeout: If a user leaves the Temporary Access Pass (TAP) screen open for more than 10 minutes, an error message may appear.

  • Address Matching: When address matching is enabled between the government-issued ID and Axiad Confirm, only the postal code is used for validation.

  • Post-Verification Message: If the identity verification process has already been completed, clicking the “Confirm Identity” link again will display the message: “Success. Thank you. You may now close your browser.”

Learn more about Axiad Confirm

Get Axiad Confirm Today!

Axiad Confirm is an optional add-on to Axiad Conductor and requires a separate license to activate. For more details, please contact your Axiad reseller or your Axiad representative.

If you have any further questions, feel free to reach out to us at productmanagement@axiad.com.


June 17, 2025

Conductor Human Identities (HI)

Features

Support for Provisioning FIDO2 Security Keys (passkeys) for Microsoft Entra ID

With this enhancement, Entra ID customers can now manage a broad range of authentication credentials—including passkeys and PKI-based X.509 certificates—through a single unified platform. By consolidating credential management and streamlining onboarding and self-service workflows, Axiad Conductor empowers organizations to deploy phishing-resistant authentication across their entire Microsoft Entra ID environment.

Important

To enable this functionality, version 1.8.0+ of both the Axiad Conductor Browser Extension and Axiad Conductor OS Bridge binaries is required

For more information, please refer to the following links:

Included as part of the feature:

  • New option for end users to register a Passkey in Microsoft Entra ID via the Axiad Conductor Unified Portal

  • Users can view all Passkeys registered to their Microsoft Entra ID account in the Axiad Conductor Unified Portal

  • Operators can view all the Passkeys associated with their organization's Microsoft Entra ID user accounts via the Axiad Conductor Unified Portal

Coming Soon

A new version of Axiad Conductor OS Bridge (previously WebPCSC) will allow Passkey registration capabilities on Apple macOS. Currently Passkey registration is only available on Microsoft Windows.

Known limitations

  • PM-8754 A future release will introduce support for FIDO2 Enterprise Attestation

  • PM-8754 A future release will include support for displaying the serial number of the device associated with the registered Passkey, provided the device supports FIDO2 Enterprise Attestation

  • PM-8856 A future release will enable automatic removal of FIDO2 credentials when a device is repurposed for another user

  • PM-7663 A future release will introduce user-initiated passkey revocation capabilities

  • PM-13905 When an operator unassigns a user's passkey, it is removed from Entra ID and marked as revoked in the Axiad Conductor portal; however, the associated passkey device remains listed in the user's account within the portal

  • PM-13903 When a Passkey is deleted in Entra ID, its automatic revocation in Axiad Conductor may not occur reliably

  • PM-13902 The Revoked Devices report does not display Passkeys that have been revoked

  • Maximum number of active devices does not apply to Passkeys

  • PM-14572 A future release will introduce support for Platform-bound FIDO2 Passkeys on macOS

Browser Extension 1.8.0

Availability

Axiad Conductor Browser Extension 1.8.0 has been published to both the Google Chrome and Microsoft Edge Add-ons Web Stores and will update automatically or can be updated manually, depending on your browser settings.

Enhancements

Added support for provisioning FIDO2 security keys (passkeys) for Microsoft Entra ID in conjunction with Axiad Conductor platform and Axiad Conductor OS Bridge.

OS Bridge 1.8.0

Prerequisites

Install the latest version of the Microsoft Visual C++ Redistributable.

Enhancements

  • Added support for provisioning FIDO2 security keys (passkeys) for Microsoft Entra ID in conjunction with Axiad Conductor platform and Axiad Conductor Browser Extension

  • Official support of Windows 11

Bug Fixes

PM-12998 NPE on GlobalPlatformCard.loadGlobalPlatformKeySet


May 1, 2025

Conductor HI

Enhancements

PM-13596 Axiad Conductor now supports YubiKey 5 Series devices with firmware versions up to 5.7.4.

ADFS Adapter 1.3

Bug Fixes

PM-13782 Following the upgrade of the Axiad Conductor Authentication service, an error occurred in PINless Mobile Authentication with the message: Failed to login. Please try again.

Known Limitations

PM-13866 If a user has both an HOTP token and an Axiad ID assigned, then ignoring a push notification on Axiad ID increments the failed attempt counter of the HOTP token


April 15, 2025

Conductor HI

Enhancements

PM-13546 / TUTI-12954 When fetching users, SCIM APIs can now optionally return membership information, i.e., which SCIM group(s) the user belongs to. The following settings are available:

  • None (default): The SCIM API User/get Users does not return any membership information (this is the historical behavior)

  • Direct: The SCIM API User/get Users returns direct membership information

  • All: The SCIM API User/get Users returns all direct and indirect (nested) membership information

    • Axiad recommends evaluating the performance when enabling this setting to ensure it satisfies your requirements

Configuration

Please reach out to the Technical Support team or your Customer Success representative to enable this option.
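
An added example (not Axiad's code or API output) of why the choice between Direct and All matters for an access review: a user who reaches a group only through nesting is not reported under Direct. It assumes memberships are returned in the standard SCIM User `groups` attribute (RFC 7643) with `type` set to `direct` or `indirect`, which this page does not state; all users and groups are constructed.

```python
import json

# Constructed sample: a SCIM ListResponse as a client might receive it with the
# membership setting at "All". Assumption: memberships arrive in the RFC 7643
# User "groups" attribute, whose "type" sub-attribute is "direct" or "indirect".
SAMPLE_LIST_RESPONSE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"userName": "alice@example.test",
     "groups": [{"value": "g-1", "display": "Card Operators", "type": "direct"}]},
    {"userName": "bob@example.test",
     "groups": [{"value": "g-2", "display": "Help Desk", "type": "direct"},
                {"value": "g-1", "display": "Card Operators", "type": "indirect"}]},
    {"userName": "carol@example.test"}
  ]
}
""")


def memberships(user):
    """Split one SCIM User's groups into (direct, indirect) sets of display names."""
    direct, indirect = set(), set()
    for g in user.get("groups", []):  # attribute is absent when nothing is returned
        name = g.get("display") or g.get("value")
        # An entry without "type" is counted as direct (a choice made for this example).
        (indirect if g.get("type") == "indirect" else direct).add(name)
    return direct, indirect


def review_group(list_response, group_name):
    """Return who holds group_name directly and who holds it only through nesting."""
    report = {"direct": [], "nested_only": []}
    for user in list_response.get("Resources", []):
        direct, indirect = memberships(user)
        if group_name in direct:
            report["direct"].append(user["userName"])
        elif group_name in indirect:
            report["nested_only"].append(user["userName"])
    return report


def as_direct_only(list_response):
    """Simulate the "Direct" setting by dropping indirect entries, for comparison."""
    out = {"Resources": []}
    for user in list_response.get("Resources", []):
        kept = [g for g in user.get("groups", []) if g.get("type") != "indirect"]
        out["Resources"].append({**user, "groups": kept})
    return out


if __name__ == "__main__":
    print("All:   ", review_group(SAMPLE_LIST_RESPONSE, "Card Operators"))
    print("Direct:", review_group(as_direct_only(SAMPLE_LIST_RESPONSE), "Card Operators"))
```
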

PM-13636 The /saml/sso endpoint for accessing the Axiad Conductor portal is now deprecated. End-users should now use one of the following supported endpoints to log in: / or /user

If any users or systems are experiencing issues, please verify they are using one of the supported endpoints: / or /user


March 21, 2025

Conductor HI

Features

PM-1380 Axiad Operators can configure an HTML template to use for all outgoing email notifications. Learn more about how to update your notification templates here.

PM-10467 Added support for SafeNet eToken Fusion 5300

PM-10193 Added support for Gemalto IDPrime MD930 cards with custom manufacturer key

Enhancements

PM-2788 When an Operator attempts to revoke a user’s device or credential, they are prompted to confirm the action before it is revoked.

PM-9360 Expanded and clarified the language presented to users when creating a PIN

PM-10171 Customers can include custom links in end-of-lifecycle operation messages

Note

To update your operation messages, reach out to Axiad Customer Success

PM-7653 New option allows a user to replace a device without reissuing certificates that are both escrowed and still valid

PM-11431 Each user project now has a Group attribute included when querying users through the SCIM endpoint

Security Fixes

PM-11246 Addressed vulnerabilities: CVE-2024-38819, CVE-2024-38820

PM-9936 Addressed vulnerabilities: CVE-2024-38809, CVE-2024-38808

PM-9347 Addressed vulnerabilities: CVE-2024-38816

PM-13182 Addressed vulnerabilities: CVE-2024-38828

PM-10194 Addressed vulnerabilities: CVE-2024-38821

PM-13236 / PM-13246 Addressed vulnerabilities: CVE-2025-24813

Known Limitations

PM-13076 Revoke confirmation message (PM-2788) does not display for imported service type credentials. Planned to resolve in future release.

PM-13368 Logging into UP does not work with /saml/sso as Axiad has deprecated this endpoint with this new version. Log in using / instead


January 28, 2025

Conductor HI

Security Fixes

PM-11175 Addressed the following security issues: CVE-2024-50379 / CWE-367, CVE-2024-56337 / CWE-367, CVE-2024-52316 / CWE-248

Bug Fixes

PM-11424 LDAPS now works with UCMS in FIPS mode


December 10, 2024

Conductor NHI 2.6

Enhancements

  • Support for pagination on search SOAP API

  • Support for Microsoft SID extension

  • Enhanced SCEP server capabilities to support the "POST" method, the SHA-256 hash algorithm, and AES encryption

  • Support for linking multiple workflows to a single profile

Upgrade Note

After this upgrade, you may need to clear the browser cache to access the Axiad Conductor NHI portal.


December 2, 2024

AirLock 2.4.0

Features

PM-8591 Operators can now define which authentication methods can bypass AirLock. By default, AirLock lets users in if they authenticated using Axiad ID (Push/OTP), a certificate, Windows Hello for Business, or the Microsoft Authenticator.

Enhancements

PM-8592 Users are automatically redirected to AirLock if any of the certificates on any of their authentication devices are within the renewal period and must be updated. Devices that contain multiple certificates can now be recognized and prompted for update via AirLock.

This applies to ANY inserted device, even if the user is not employing it for authentication. If the certificate is within the renewal window or expired, then the user will be redirected to AirLock to update it.

PM-8940 Operators can now allow specific users (in addition to groups) to bypass AirLock enforcement

PM-9942 All deployed executables are digitally signed

Bug Fixes

PM-7300 The correct AirLock version displays in Windows Program list

PM-6779 AirLock checks the Windows edition to ensure that it has the required features to work and will cancel installation if unsupported to avoid user errors after a failed installation

AirLock requires the Enterprise edition, and Axiad supports all versions of Windows currently supported by Microsoft

PM-4090 An empty "Immune Security IDs" list is allowed and will enforce AirLock for all users, as expected

PM-7949 AirLock successfully detects smartcard login over RDP

Known Limitations

PM-10109 WHFB login may fail if an empty VSC is present on the system. You can remove the empty VSC as a workaround.


November 19, 2024

Conductor HI

Enhancements

PM-10337 Update logging to show ERROR message instead of WARN when the connection to Luna 7 HSM Client becomes stale

Security Fixes

PM-10375 Addressed vulnerabilities: CVE-2023-44487, CWE-79, CVE-2024-4067, CVE-2024-52316

Bug Fixes

PM-10346 Local logout setting respected when portal.timeout.idle is hit

PM-10154 User is able to reauthenticate with UP after session times out

PM-9858 Users are no longer presented with a spinning wheel when accessing UP without using the login URL first

PM-8081 "Unassign" option appears only once for devices on UP


October 8, 2024

Conductor HI

Features

PM-8580 Users can log out of the Axiad Unified Portal without losing their IdP session

Enhancements

PM-7033 Add session identifier in logger extension for easier log traceability

PM-7697 On the Helpdesk > Users page, when opening the user Details, the field Username (UPN) is changed to Username

PM-8115 Login and logout events added to the audit log

Bug Fixes

PM-7576 CA connects successfully when configured with FIPS LunaHSM with updated Java version

PM-8125 Error message updated when issuance fails due to unsupported device or invalid PIN to be more helpful

PM-7813 Updated notification verbiage if one of the credentials on an enrolled device has expired

Before: "Your device has expired, please renew now."

After: "One of the credentials mapped to device is expired, please renew now."

PM-8544 Enrolling a virtual smart card when there are no existing devices enrolled no longer leads to a loading loop


August 30, 2024

Axiad ID Mobile Application 2.1.2

Enhancements

Android Library Updates for Google Play API

Axiad completed various backend library updates to meet the necessary target API level requirements. This ensures the security and efficiency of the app usage.

No User Impact

This change is fully transparent to the user experience and does not include any functional changes in the mobile application.

Security and Performance Updates

This version includes maintenance updates to continually improve the security and performance of the Android and iOS Axiad ID mobile application.

Browser Extension 1.5.5

Enhancements

Support for Manifest v3.0

To support Google's deprecation of browser extensions using the Manifest v2.0 format, we've updated the Axiad Portal Extension to support this new Manifest v3.0 format.

WebPCSC Backward Compatibility

This version of the browser extension does not require a new version of Axiad WebPCSC. You can use this extension version with any version of the WebPCSC component, including the latest 1.5.5 version.


August 18, 2024

OS Bridge 1.5.5

Release Prerequisites

Install the latest version of the Microsoft Visual C++ Redistributable.

Enhancements

Support for Manifest v3.0

To support Google's deprecation of browser extensions using the Manifest v2.0 format, we've updated WebPCSC to support the Axiad Portal Extension in this new Manifest v3.0 format. This will be the baseline version for all Windows and macOS endpoints going forward.


July 17, 2024

Conductor HI

Features

Support for YubiKey Firmware 5.7

The YubiKey firmware version 5.7 brings a number of significant changes and improvements that are now supported by the personalization process that Axiad Conductor / UCMS uses to enable secure lifecycle management of the devices.

Axiad continues to support older YubiKey versions alongside the newer versions and this does not bring any breaking changes to your YubiKey experience.

Supported Versions

Currently, Axiad supports YubiKey firmware up to 5.7.1. Axiad will support newer versions of YubiKey in subsequent releases.

Enhancements

Device Expiration Notifications Options

Operators can now choose whether Axiad sends notifications for expired devices.

Configuration Change

To disable Device Expiration Notifications, you must request the change. Please contact your Customer Service Representative or email customer.success@axiad.com.

Bug Fixes

PM-7334 Errors returned by an IdenTrust CA during issuance or revocation will now produce a more explicit message

PM-7495 You can now edit a workflow even if no active credential profile is associated with it

PM-7497 / PM-7582 Migrating a user and renewing one of their devices will no longer result in duplicated device records

PM-7586 After upgrading from UCMS 4.13 to 4.17, searching for a user in the helpdesk or scanner will no longer result in UCMS.devices.internalError error

PM-7704 The UPN can now be included as a SAN extension in encryption certificates issued by MSCA

PM-7617 / PM-7321 / PM-7513 Update PIN settings to meet MD930 requirements

PM-7672 UCMS Operator email address can now include “-” and “_” following “@”

PM-7898 Reset PIN supported for Gemalto cards

PM-6594 SMTP support enhancements

PM-7335 / PM-7787 / PM-7788 Axiad displays a meaningful error message if backend services are unreachable

PM-7905 When configuration leads to a mismatch, Axiad fails the issuance and displays necessary information for the user

PM-8125 Error message updated when issuance fails due to unsupported device or invalid PIN to be more helpful


April 2, 2024

Conductor HI

Features

Support for Multiple AD Identities Mapped to a Single Authenticator

Axiad Conductor now supports the issuance of certificate-based authenticators mapped to multiple AD identities. This change allows Active Directory customers to issue multiple identities (for instance a regular and a privileged account) to a single device, while remaining compliant with the security requirements introduced by Microsoft in their KB5014754 patch.

Please contact your customer success representative or customer.success@axiad.com if you’d like to use this feature, and read more about the experience here.

Bug Fixes

PM-6010 API endpoint GET /api/v3/users/{uid}/notifications updated to support group transition. Return message displays “renewTransition” upon completion.

PM-6857 NULL pointer exception no longer displays during PIN reset and card details retrieval

PM-6803 User can successfully update existing Windows Hello for Business certificates via Axiad

PM-6801 User can revoke Windows Hello for Business credential from Unified Portal

PM-7152 Username data consistently updated in Axiad via SCIM

PM-5643 User stays on logout page or is redirected to configured logout page when they click “logout” from the UP

