09 April 2026 (v2.155)

Access Control (ABAC) updates

Our Attribute-Based Access Control (ABAC) feature is a dynamic and context-aware access control model that grants or denies user access to journeys based on attributes associated with users and their context.

We have made several updates to Access Control in this release, including:

Comprehensive endpoint protection

To ensure consistent security across all authentication methods, ABAC rules are now strictly enforced across all Identity API endpoints that handle registrations and logins. This guarantees that your access configurations cannot be bypassed by alternative authentication routes.

ABAC is now fully applied to the following endpoints:

Migrate to Access Control

If you were previously using the legacy Block unverified login attempts feature, you’ll see an option in the Attribute-Based Access Control (ABAC) section of the ReachFive Console to automatically migrate your existing block on unverified logins configuration to an equivalent ABAC rule.

Migration process:

  1. Click Switch to Access Control in the ABAC section of the ReachFive Console if prompted.

    Screenshot of the migration prompt in the console.

  2. A dialog appears letting you know that your existing block on unverified logins configuration will be converted into an ABAC rule. It also informs you of API error format changes that are required if you were previously relying on the old error response for unverified logins.

    The error changes from error.unverifiedLogin to error.accessControl.login.forbidden.

    Click Proceed to migrate to Access Control.

    Screenshot of the migration dialog in the console.

  3. And voila! Your existing configuration is now an ABAC rule, and you can further customize it as needed.

    Screenshot of the migrated ABAC rule in the console.
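
Client code that branches on the old error key needs to recognize both keys while the migration rolls out. The following is an added example, not ReachFive code: it assumes the key arrives in a JSON field named error_message_key, and the handler names and sample bodies are constructed for illustration.

```javascript
// Added example. Assumptions: the error body carries the key in a field named
// `error_message_key`; the sample bodies at the bottom are constructed.
const LEGACY_KEY = "error.unverifiedLogin";              // before migration
const ABAC_KEY = "error.accessControl.login.forbidden";  // after migration

// Pull the error key out of a body that may be a JSON string or a parsed object.
function extractErrorKey(body) {
  let parsed = body;
  if (typeof body === "string") {
    try { parsed = JSON.parse(body); } catch { return null; } // not JSON
  }
  if (parsed === null || typeof parsed !== "object") return null;
  const key = parsed.error_message_key;
  return typeof key === "string" ? key : null;
}

// Build a handler that maps both keys to a policy denial and counts what it
// sees, so the legacy branch can be removed once its counter stays at zero.
function createLoginErrorHandler() {
  const seen = { legacy: 0, abac: 0, other: 0 };
  return {
    handle(body) {
      const key = extractErrorKey(body);
      if (key === ABAC_KEY) {
        seen.abac += 1;
        // The migrated rule can be customized further, so the user-facing
        // text for this key stays generic rather than "verify your email".
        return { denied: true, reason: "access_control", key };
      }
      if (key === LEGACY_KEY) {
        seen.legacy += 1;
        return { denied: true, reason: "unverified_login", key };
      }
      seen.other += 1; // unknown or unparsable: fall through to generic handling
      return { denied: false, reason: "unhandled", key };
    },
    stats: () => ({ ...seen }),
  };
}

// Constructed sample responses, not captured from a real tenant.
const handler = createLoginErrorHandler();
const samples = [
  '{"error_message_key":"error.unverifiedLogin"}',
  { error_message_key: "error.accessControl.login.forbidden" },
  "<html>502 Bad Gateway</html>",
];
for (const s of samples) console.log(handler.handle(s).reason);
```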

Access tier downgrade behavior (full to basic)

We have introduced new safeguards and UI behaviors for accounts that transition their ABAC access level from full to basic. To prevent unintended enforcement of legacy rules while on a basic tier, the following logic now applies automatically:

  • Rules automatically disabled: All existing ABAC rules are immediately set to Disabled upon transitioning to Basic access.

  • Visibility to read-only: Your previously created rules will remain safely stored and visible in the ReachFive Console.

  • Actions restricted: While in Basic access mode, you can no longer edit existing rules, and the "Copy" functionality is disabled.

  • Manual Deletion: Brand and account owners retain full rights to manually delete any disabled rules to manage their workspace.

For more details, see Attribute-Based Access Control (ABAC).



Improved account suspension logic

We have adapted our account suspension algorithm to better handle use cases where a user has a second factor enabled. This enhancement prevents unnecessary account lockouts when a login attempt is successfully blocked by secondary authentication requirements like Multi-Factor Authentication (MFA) or Risk-Based Authentication (RBA).

For more details on this topic, see Risk-based Authentication.



email_verified event

The email_verified event is now emitted after any email verification, regardless of the verification method used. This ensures that the event is consistently triggered, providing better tracking and integration capabilities for applications relying on email verification status.

Some examples of when the email_verified event is emitted include:

  • After a user resets a password

  • After a user registers MFA credentials

  • After a user receives a double opt-in consent

  • After a user completes a passwordless flow

  • After an admin updates the email_verified field of a user or bulk updates users

  • After a pre-event webhook updates the email_verified field

For more details, see User Events.



General improvements

  • We made some accessibility improvements in the Hosted Pages area of the ReachFive Console with better tooltips and screen reader labels.



Fixes

Item Fixed

The user attributes in the response of a pre-event webhook weren’t being properly validated. Now, these attributes are properly validated and an appropriate error is provided in the API response.

ReachFive Console

There was a small issue when enabling the Notify email update option in the Email update template.
