
Known issues

SecureAuth Identity Platform release 20.06 has the following known issues. Where possible, use the described workaround until we can apply the fix in a later release.

20.06 known issues





On the Self-Service page, the user cannot update their account information because it requires KBA (even though it is not set as required).

Set the Number of answers field value to "0" (zero).


Knowledge-based question and answer entries are missing from the Web.config file. This occurs when you set the Profile Connection Settings to No Data Store, save it, and then go back in and select a data store.

Go to the Web Configuration Editor and add the fields back in.


Device Recognition works with Internet Explorer 10+, but will not function properly in Compatibility View.

If the Compatibility View setting is required, then change the realm configuration to not use Device Recognition.


This issue exists in realms that have the following conditions:

  • Application integration created in the New Experience

  • Policy assigned to the application integration has KBQ / KBA and/or PIN enabled as multi-factor authentication (MFA) methods

  • 2016 Light theme selected on the Overview tab (legacy realm)

If you have realms with the above conditions, the PIN and KBQ methods do not display on the One-Time Registration Code delivery method page to end users.

Option 1: Change the application realm to use the 2019 Theme.

Option 2: If you must keep the 2016 Light theme, do the following:

  1. In the affected application realm, go to the Multi-Factor Methods tab (Classic Experience), and scroll down to the Multi-Factor Method Order section.

  2. Reorder the multi-factor method by moving one up or down.

  3. Save your changes.


On the Multi-Factor App Enrollment realm, when OATH Seed (Single) is selected for mobile app enrollment, the Time-based Passcode does not display on the pick list for the end user to enroll in the Authenticate app.

Option 1 (recommended): In the App Enrollment realm, use the OATH Token option instead of OATH Seed.

Option 2: To use the OATH Seed option, both the OATH Seed and OATH Token must be mapped in the Directory Property mapping in a legacy realm so that the Identity Platform can convert the Authenticate App (OATH Seed) to a token. See the KB article: How to convert an OATH Seed to OATH Token.

Then use a workflow that includes a second factor (for example, Username | Second Factor | Password) for the default workflow login and enable Time-based Passcode in the Multi-Factor Methods configuration. Once the end user has successfully authenticated with Passcode in the legacy realm, the Passcode option can be used in any realm.


On the Portal Page Builder page, when you change the Portal Page Authorization from one form of authorization to "Not Available", all of the realm check boxes are not enabled for selection.

As a workaround, select any option other than "Not Available", then select the "Not Available" option, and click Save.


Unable to receive certification on the Revoke Certification page.

As a workaround, update the web.config file from the Tools menu.


Cloud data store latency issue with service account update.



TRX logging enabled on data realms creates redundant traffic.

For a workaround, contact Support.


The realm (for example, Create User) is not able to send a confirmation email (which is set in the Overview tab > Content and Localization link). This issue occurs in cloud deployments.

For a workaround, be sure the correct default email addresses are set in the emailfrom fields (for example, createuser_emailfrom:) to something other than a address. For example, change it to "".






On the Account Management (Help Desk) page, using Reset All Registrations does not reset YubiKey. This issue occurs with Active Directory cloud, Azure AD cloud, LDAP, NetIQ eDirectory, and Oracle DB data stores.

To reset the YubiKey registration, do it manually.


You cannot register both roaming and bound FIDO2 authenticators on the same Android mobile device.

Register either a roaming or bound FIDO2 authenticator on an Android mobile device.


Upgrading from an earlier version of Identity Platform to 20.06 overwrites the globalsettings.json file.

Back up the globalsettings.json file before doing the upgrade.


On the Dashboard in the MFA Methods view, when authregmethod contains an empty value or an invalid MFA method value, the label for the MFA method name is blank (or contains the name of the invalid value).

If you're adding the parameter to the API call, be sure to use the right MFA method name so it shows up correctly on the dashboard.

For Identity Platform hybrid deployments, FIDO2 as a login authenticator is not supported on the following:

  • Android using Microsoft Edge browser

  • Android using built-in Face Recognition

  • Apple Safari on desktop/laptop using Touch ID/Password

  • Microsoft Windows with any browser using YubiKey NFC