With every authentik release, we highlight our commitment to delivering new features that focus on providing solutions for all of our users and the identity management challenges that they face.

Our 2025.4 release of authentik contains new features around increased configuration options for authentik Admins, with a new password history policy, the ability to pre-define a bundled set of permissions, setting reputation score limits to further harden access control, and a new "remember me" option.

This release also provides support for PostgreSQL connection pools, the Kubernetes Gateway API, and the ability to do lookups of LDAP group memberships based on user attributes.

Let's take a closer look at a few of these features.

The reason your identity provider (IdP) is so important is the same reason they can be so sticky.

Your IdP touches everything in the business: every user across your entire workforce and all your applications. Setting up access for the right people to the right applications takes time, so it’s natural, when considering moving to a new IdP, to fear an equal time commitment for the migration — not just for configuration, but for coordination and communication across the whole company.

Migrations typically involve a large-scale “Day 0” export of rules and accounts from one provider to another. You flip the switch and hope that everything works after manually setting it all up.

As if switching one IdP isn’t hard enough, it’s not uncommon for companies to have multiple solutions stitched together. Individual teams may have come up with their own solutions, or they could have inherited systems from acquisitions or organizational changes. This leads to scenarios where large organizations might even have three or four different IdPs, directories, or other solutions patched together. Each of these might be on its own contract renewal cycle, making it difficult to coordinate a switchover without incurring a cost.

On the one hand, migrating IdPs is intimidating and risky. On the other, you face the administrative cost of maintaining a host of separate identity solutions, plus the security risk of not having a single place for visibility or administration of access.

Many of the high-profile security breaches of the 2010s involved hackers gaining access to username and password pairs. Before multi-factor authentication (MFA) was commonplace, these breaches effectively gave bad actors the keys to the kingdom, since people tend to reuse passwords across platforms and there was no second line of defense against attacks.

Today we have a lot more options for additional authentication steps, which we’ll explore below, while also taking a look at the choices we have made for authentik.

Our first release of the new year, version 2025.2, includes something for everyone, with the addition of a major new provider (Shared Signals Framework), authentication checks for "impossible travel" using our GeoIP policy, and Remote Access Control now available as an open source feature! Let's take a closer look at the 2025.2 release.

We're making some updates to our open source and enterprise features and support. These changes allow us to scale with the demand we're seeing for authentik—both open source and enterprise—and maintain our commitment to open source as a Public Benefit Company.

TL;DR:

• Remote Access Control is free and open source!
• No minimum user counts are required for paid plans
• Ticket-based support is available for paid plans over $1,000
• Enterprise support is available for contracts over $20,000

Read more details below!

Our authentik 2024.12 release is compact, sweet, and packed with great goodies, just like the holidays ought to be!

We decided not to hold on to these new features and wait to release of them early next year; they are too good to keep to ourselves. And we all know that the holidays are the best times for escaping into some new code and functionality.

Let’s unpack the 2024.12 release and take a look.

Earlier this year, an open core project rejected a community contribution because it competed with the enterprise edition. A concern people often raise about monetizing open source is misaligned incentives: why would open core companies make the underlying open source project great when it could cannibalize their paid offering? Open core companies do need paying customers, but offering a substandard free product is hardly going to have people lining up to pay.

We’ve talked about alignment on this blog a lot, because we actually think it’s one of our biggest strengths:

• We’ve discussed how open core aligns company and community incentives.
• We argued that SaaS doesn’t actually align vendor and customer success, especially when it comes to identity management.

Today I want to talk about philosophical alignment with our customers and community, and how it benefits us all to have an open core and source-available enterprise version together with a culture that prizes transparency. We can collaborate closely with customers and potential customers, and everyone has greater visibility into how we respond to issues. But first, let’s look at when the open core model can fall flat.

Late last Friday, Okta released a security advisory: accounts with a username of 52 or more characters could authenticate with only the username under some conditions.

From their own description:

"The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password."

THIS IS CRAZY!

Bcrypt is a hashing algorithm. The way it is intended to be used is by concatenating a password with a random salt. Concatenating a user ID with a username with a password - this phrase alone should raise the hackles of any security professional - is definitely not a standard usage of Bcrypt.

At best, Bcrypt is a (now not-so-frequently chosen) password hashing algorithm, not a method for generating cache keys by throwing a bunch of user info into one big string. Passwords shouldn't go in cache keys. Public/guessable data like usernames shouldn't go in password hashes. This is more than a weird corner-case vulnerability; this is TERRIBLE security design.

Bcrypt has a maximum input length of 72 bytes. You can probably guess the rest of the issue from here: start with a user ID, then add a username, ...then a password, if there's room left. No room left? Guess we don't need to check if the password matches at all!

We are happy to announce that our 2024.10 release is ready, and it’s full of great new features and functionality. This release showcases a good balance of additional security hardening and improved usability with faster, smoother workflows.

Every Identity provider and SSO product should be constantly increasing the security and robustness of the code base and new features, and we think it is also important to continuously and explicitly look for ways to enhance our users’ experience and efficiency.

Release 2024.10 includes these major security features: Chrome Device Trust support, JSON Web Encryption, and enhanced CAPTCHA processing. Further highlights of the release include the ability to configure auto-selected 2FA devices, a new task-based structure for our Tech Docs, and a new highly customizable Invalidation flow that can be configured to prompt with multiple logout and redirect options.

This release highlights our commitment to delivering flexibility, security, and optimal user experience in every version of authentik. Take a look at the Release Notes for more details, and read on to learn more about the new features.

We recently updated our list of upcoming Enterprise features to more accurately reflect the requests we’ve been hearing from our customers and community. One of the changes you may notice: we are no longer spending precious cycles on brainstorming ways to inject AI into our product and user experience.

We had briefly considered ways that “AI” and specifically LLMs might enhance our platform, including an AI-based risk assessment option, as you see below on the left in our previous Enterprise features list. On reflection, we realized we could probably get most of the way to the same outcome with some custom expression templates and a few if statements, begging the question of whether it was worth the effort to pursue at all. So on our current website, you'll no longer see that mention of AI.

We did not want to push a feature just for the sake of being able to say we are AI-powered.