16 March 2023 (v2.89)

ReachFive v2.89 further strengthens our attack protection policy, introduces two new scopes for our MFA endpoints, and improves the audit logs. We deprecated one feature, and we also fixed a few issues.

Identity fraud protection

We have further improved our attack protection policy by automatically flagging and blocking suspicious signup requests. All user profiles created by suspicious signup requests will now be flagged with the signup_compromised event type.

For more on the Identity Fraud Protection module, see our dedicated IFP page.

MFA scopes

We have added two new scopes related to Multi-factor Authentication.

Scope Endpoints


Allows you to manage (start the flow, update, verify, delete) MFA credentials.


Allows you to read MFA endpoints.

Audit logs

We added a new action (settings:update) for audit logs so that whenever a setting is altered on the user lockouts configuration page, an audit log is produced.

For more on audit logs, see Audit logs.


We have deprecated the use of the fields query parameter on the following endpoints:


Item Fixed

It was impossible to remove the external_id or the custom_identifier of a user from the ReachFive Console.

You were briefly unable to use query parameters in whitelisted redirect URLs.

It was impossible to accept a consent group that contained an archived standalone consent.

In some cases, you would receive an unexpected error when changing the consent grant via the ReachFive Console.

There was a small issue with pagination on the ReachFive Console.