29 January 2025 (v2.128)

ReachFive v2.128 introduces several improvements and needed bug fixes.

You are now able to use MFA for phone numbers without SMS enabled. You can also now create a user password hash with the Management API. Additionally, we have introduced a new hashing algorithm. And finally, we removed PayPal permissions from the provider configuration in the ReachFive Console.

As always, we made some general improvements and fixed a few items for you.


MFA for phone numbers without SMS enabled

We have introduced the ability to use a phone_number as a second factor for Multi-factor Authentication without enabling the SMS feature. This change lets you maintain duplicate phone_number values while configuring MFA.

Key changes

These changes only apply when the SMS feature is disabled. Existing rules remain in effect if the feature is enabled.

  • Phone number verification: When the SMS feature is disabled, phone_number_verified is always false, even if the same number is used as an MFA credential.

  • SMS provider configuration: You can configure an SMS provider, but templates unrelated to Passwordless or MFA remain disabled.

  • Independent MFA credentials:

    • Updating a phone_number does not update the associated MFA credential.

    • Adding a phone_number as a credential does not automatically mark it as verified.

Create a user password hash with the Management API

You can now create a user password hash through the Management API. To do this, you should use the /users endpoint and pass the following as part of the request body:

{
...
    "password_hash": {
        "value": "$2b$12$KIXwPlj7FZ9dTjph4GxGhu3ofk1KFe.KjLw6gNlD72zyGIBlIL7H6", (1)
        "algorithm": "bcrypt" (2)
    }
...
}
1 Pass the hashed password.
2 Specify the hashing algorithm, such as bcrypt. See Allowed algorithms for more details.
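
A pre-flight check for this request body, as an added example (not ReachFive code): it confirms that password_hash.value is a well-formed bcrypt string when the algorithm is bcrypt, and flags a bcrypt-looking value sent under any other algorithm name. The function name, the min_cost threshold and the set of bcrypt-format algorithm names are assumptions.

```python
import re

# bcrypt modular crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Assumption: algorithm names whose value must be in bcrypt format.
# "bcrypt" is named on this page; extend the set from the Allowed algorithms list.
BCRYPT_FORMAT_ALGORITHMS = {"bcrypt"}

# Hash value taken from the request body example on this page.
SAMPLE_HASH = "$2b$12$KIXwPlj7FZ9dTjph4GxGhu3ofk1KFe.KjLw6gNlD72zyGIBlIL7H6"


def check_password_hash(user: dict, min_cost: int = 10) -> list:
    """Return a list of problems with user["password_hash"]; empty means OK.

    min_cost is a local policy threshold (assumption), not a ReachFive rule.
    """
    ph = user.get("password_hash")
    if not isinstance(ph, dict):
        return ["password_hash object is missing"]
    value, algorithm = ph.get("value"), ph.get("algorithm")
    if not isinstance(value, str) or not isinstance(algorithm, str):
        return ["password_hash needs string 'value' and 'algorithm' fields"]

    problems = []
    match = BCRYPT_RE.match(value)
    if algorithm in BCRYPT_FORMAT_ALGORITHMS:
        if match is None:
            problems.append("value is not a well-formed bcrypt string")
        else:
            cost = int(match.group(1))
            if not 4 <= cost <= 31:
                problems.append(f"bcrypt cost {cost} is outside 4..31")
            elif cost < min_cost:
                problems.append(f"bcrypt cost {cost} is below local minimum {min_cost}")
    elif match is not None:
        # The value and the algorithm label disagree; fix the body before sending.
        problems.append(f"value looks like bcrypt but algorithm is '{algorithm}'")
    return problems


if __name__ == "__main__":
    body = {"password_hash": {"value": SAMPLE_HASH, "algorithm": "bcrypt"}}
    print(check_password_hash(body) or "password_hash looks consistent")
```

Run the check on each record before calling the /users endpoint, so a mislabelled or truncated hash is caught before it is sent.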



New hashing algorithm

We have added bcryptSha1 to the list of hashing algorithms supported for importing passwords.

For more details, see Import user passwords.



PayPal permissions

PayPal permissions configured in our ReachFive Console had no effect on retrieved user data. Instead, the scopes set in the PayPal app determine access. To avoid confusion, we removed the PayPal permissions section from the provider configuration on the ReachFive Console.

You should configure PayPal scopes directly in your PayPal developer portal.

For more on PayPal provider configuration, see Paypal Connect.


General improvements



Fixes

Item Fixed

The Compromised profiles page on the ReachFive Console wasn’t correctly displaying the total number of compromised profiles.

When the Google Cloud Platform (GCP) reported issues that affected our Pub/Sub hooks, it caused the ReachFive app to become unavailable. We have resolved this in a way that prevents future disruptions if GCP has any issues affecting Pub/Sub hooks.

In some limited instances, session cookies weren’t being deposited for custom domains in the RBA flow.