Changelog

Product updates

Keep up with our latest product updates and improvements.

August 15, 2025

Authentication & Identity Enhancements

Workday Integration for Self-Service Password Reset

Add Workday as an employee data source option for your SSPR workflows. Community administrators can now configure Workday as the trusted source of employee data for identity verification during password reset workflows.

Key benefits:

  • Trusted Source: Use Workday as the authoritative employee directory for more current employee details

  • API Integration: Configure Workday endpoints with multiple authentication options

  • Enhanced Auditing: Detailed event logging tracks password reset success and failure reasons

How it works:

  • Configure Workday API endpoint and authentication in AdminX under Authentication > Reset Password

  • Set up transformation scripts to map Workday employee data (first name, last name, date of birth) to 1Kosmos attributes

  • Test attribute mapping before deployment to ensure accurate data retrieval

  • Users follow the same password reset flow as with identity document verification, now powered by Workday employee records

AI-Based Behavioral Biometric Authentication for Windows Workstations

We’re introducing an additional authentication method for Windows workstations: AI-powered behavioral biometrics that analyze unique patterns in how users type. This innovative approach provides enterprise-grade security without requiring additional hardware; users simply authenticate by typing displayed phrases into their Windows workstation.

New capabilities:

  • Typing Pattern Enrollment: Users register their unique typing rhythm by typing 4-word phrases multiple times during initial setup

  • PIN Authentication: Optional PIN setup for high-assurance authentication scenarios

  • Flexible Configuration: Administrators control enrollment preferences through Windows MFA settings

  • Adaptive Authentication: System evaluates context (user role, device, IP, location) and applies risk-based policies to determine authentication requirements

User experience:

  • Windows workstation login screen presents “Behavior Auth” option alongside traditional methods

  • Users type displayed phrases (system analyzes keystroke dynamics in real time)

  • Enter enrolled PIN if configured for high-assurance scenarios

  • Administrative reset available if typing patterns drift significantly over time

One-Time IAL2 Identity Verification (Kantara Certified)

We’ve introduced Identity Assurance Level 2 (IAL2) verification, certified by Kantara, to meet compliance and assurance requirements for high-security environments. This feature performs a one-time, robust identity proofing process and securely retains the verification result for future compliance checks.

How It Works

  • Two-Document Verification: Users submit two government-issued identity documents (e.g., passport + driver’s license) for cross-matching.

  • Biometric Capture: Users complete a live selfie check to confirm document ownership and prevent impersonation.

  • SSN Validation: Social Security Number is collected and cross-checked against authoritative sources (name, date of birth, address).

  • API-Driven Sessions: Administrators initiate verification requests via API, embedding them into existing workflows (e.g., onboarding flows).

  • Cross-Device Support: Users can start verification on desktop and complete steps on mobile using a QR code handoff.

Interface & Experience Improvements

Login Options Enhancement

The “Devices” tab under My Profile has been renamed to “Login Options” for clearer navigation and to better reflect the expanded authentication methods available.

Behavioral Authentication Management

  • View enrolled typing patterns and PINs in centralized Login Options interface

  • Community administrators can delete/modify user PINs

  • Users can self-manage typing pattern enrollment

  • Comprehensive audit trail for all authentication method changes

Enhanced Error Handling

Improved error messages and user guidance for:

  • LiveID authentication failures with retry options

  • Typing pattern enrollment issues

  • PIN setup and validation problems

  • Workday integration troubleshooting

Security & Platform Enhancements

Enhanced Event Logging

Expanded audit capabilities with new event types:

  • Track method used at each password reset event

  • Behavioral authentication enrollment and removal events

  • PIN management activities

  • Enhanced failure reason tracking for troubleshooting

Authentication Improvements

  • Improved OTP handling for rapid authentication requests (such as FortiGate VPN clients)

  • Enhanced session management with new response status parameters

  • New admin permissions for login options management

Need help implementing these new features? Contact our support team or check out our updated documentation for detailed configuration guides and best practices.

July 11, 2025

New Authentication & Password Management

Self-Service Password Reset with Identity Documents

Users can now reset their passwords by submitting a valid identity document for verification. This feature uses advanced matching technology to compare the name on your submitted document with your account information.

How it works:

  • Submit a valid identity document during password reset

  • System performs intelligent name matching with fuzzy logic

  • Supports common name variations and aliases for accurate verification

LDAP Directory Password Reset Support

Added support for password reset operations for users in LDAP v3 compliant directories, expanding self-service capabilities across different authentication systems.

Document Verification Enhancements

Manual Document Capture

When automatic document capture fails, you now have additional options to complete your verification:

  • Manual Capture button: Switch to manual capture mode if auto-detection doesn’t work

  • Retry Auto button: Return to automatic capture to try again

  • Flexible capture options: Choose to capture document back side or skip based on your document type

Camera optimization: Desktop devices use front-facing cameras while mobile devices use back-facing cameras for optimal document capture.

Better Session Tracking

New status indicators for document verification sessions:

  • Expired: Session was never started

  • Abandoned: Session was started but not completed within the time limit

Users receive clear notifications when sessions expire and guidance to start a new verification journey.

Security & Platform Improvements

Enhanced Password Visibility

Users can now toggle password visibility during onboarding and authentication using the eye icon.

Platform Updates

  • Android support: Now compatible with Android 14 and Android 15

  • Enhanced development support: Updated Flutter and React Native plugin support to version 1.20.30

Security Enhancements

  • Removed encrypted error codes from unauthorized access messages for clearer user communication

  • Updated cross-origin request handling for AdminAPI

  • Added signature tokens to prevent response tampering

Bug Fixes

  • Fixed user profile access issues when usernames contain underscores

  • Resolved navigation problems when editing user profiles

  • Improved report generation accuracy in Analytics

  • Fixed document capture camera detection issues

  • Resolved selfie capture button responsiveness

  • Enhanced Azure AD user synchronization for complete directory listings

Mobile App Improvements

Smarter Login Experience

The mobile app now dynamically shows only your enrolled authentication methods on the login screen. If you have both PIN and TouchID/FaceID enrolled, both appear. If only one method is available, only that option is displayed.

Enhanced Home Screen

  • Multi-account visibility: Both primary and secondary accounts are now shown on the home screen

  • Improved layout: Account actions like Reset Password and Remove Account are organized in an accessible card format

  • Easy account switching: Tap any secondary account to set it as your primary account

  • Better organization: Workstation OTP now appears in a dedicated card below your account OTP

  • Enhanced QR scanning: Improved Scan QR code button for better user experience

Smarter Authentication Memory

The app remembers your preferred authentication method (PIN or Touch/Face ID) for 1 minute. If an authentication request occurs within this window and matches the initial method, you won’t be prompted for re-authentication.

iOS Biometric Intelligence

Automatic re-enrollment detection: The app now automatically detects when your device’s TouchID or FaceID settings have changed and prompts you to re-enroll your biometrics to maintain security.

Improved Error Handling

Added clear, actionable error messages when scanning QR codes for accounts that aren’t set up: “No accounts found. Contact your administrator to onboard your account.”

Self-Service Support

New Issue Resolution Screen helps you resolve issues faster before reaching out for support.

May 8, 2025

New Authentication Options

Hardware OTP Token Support

We’ve introduced support for HOTP-based authentication using hardware tokens. This event-driven authentication method generates unique one-time passwords only when triggered by user action, making it ideal for environments where time synchronization may be challenging.

Key benefits:

  • Reliable authentication without time dependency

  • Enhanced security for offline environments

  • Simple, scalable solution for secure access

Enhanced SAML Security

SAML applications now support assertion encryption in addition to signing. Administrators can configure encryption settings under Advanced Options when setting up or modifying SAML applications.

Supported encryption:

  • RSA and AES 256 CBC encryption algorithms

  • RSA OAEP key transport algorithm

Accessibility Improvements

WCAG Compliance for ID Verification

Our ID Proofing Templates now meet Web Content Accessibility Guidelines (WCAG) standards, making identity verification more accessible to users with disabilities.

What’s improved:

  • Enhanced screen reader support with voiceover functionality

  • Better keyboard navigation throughout the verification process

  • Clearer visual indicators and improved button designs

  • Updated language selection display for better localization

Notable changes:

  • Selfie capture now uses a “Take Selfie” button instead of an overlapping icon to improve screen reader access

  • Consent notices are displayed as standalone links for better accessibility

  • Enhanced instruction messages for passport scanning

Security Enhancements

reCAPTCHA Integration

To prevent automated attacks, we’ve added reCAPTCHA verification to key areas:

  • Self-service passwordless onboarding for enterprise users

  • Verification journey creation when sending text to users

API Security Updates

Platform Improvements

Improved User Experience

  • Updated color schemes and visual design for improved accessibility

  • Enhanced language support with proper localization

  • Streamlined verification workflows

Developer & Integration Updates

  • New API endpoints for enhanced reCAPTCHA configuration

  • Improved logging structure for better troubleshooting

  • Enhanced OTP template language support for international users

Orion Desktop Authenticator

Security fixes

  • Fixed an issue where sensitive user data and internal system information were being displayed in the logs of the Orion Authenticator.

  • Fixed an issue where sensitive device information was displayed when accessing the /systeminfo API, potentially leading to unauthorized access.

Mobile App Improvements

Streamlined Authentication Experience

The mobile app login screen now intelligently displays only your enrolled authentication methods. If you have both PIN and TouchID/FaceID enrolled, both options appear. If only one method is enrolled, only that option is shown.

Enhanced Home Screen Design

  • Multi-account support: Both primary and secondary accounts are now visible on the home screen

  • Improved layout: Account actions like Reset Password and Remove Account are displayed in an easy-to-access card format

  • Account switching: Tap any secondary account to set it as your primary account

  • Better organization: Workstation OTP is now displayed in a card layout below your account OTP

Smarter User Experience

  • Authentication memory: The app remembers your preferred authentication method (PIN or Touch/Face ID) for 1 minute

  • Better error messaging: Clear guidance when scanning QR codes for accounts that aren’t onboarded

  • Self-service support: New Issue Resolution Screen helps you troubleshoot common problems before contacting support

iOS-Specific Enhancements

Automatic Biometric Re-enrollment: The app now detects when your device’s TouchID or FaceID settings have changed and prompts you to re-enroll your biometrics to maintain security.

Document Verification Updates

New session status tracking for document uploads:

  • Expired: Session was never started by the user

  • Abandoned: Session was started but not completed within the time limit

Users will be notified if their verification session expires and guided to start a new one.

Platform Support

  • Android compatibility: Now supports Android 14 and Android 15

  • Enhanced security: Password visibility toggle during onboarding and authentication to reduce input errors

  • Developer improvements: Updated Flutter and React Native plugin support

February 28, 2025

Use E-mail, SMS & Voice Code Authentication for Windows Logins

Log in to Windows machines using one-time codes sent via email, SMS, or voice call. This feature introduces robust two-factor authentication (2FA) capabilities for any organization that currently uses only a single factor to authenticate to its workstations.

Why One-Time Codes for Windows Login?

Passwords alone are no longer sufficient to protect sensitive data and systems. They can be guessed, stolen, or phished, leaving accounts vulnerable to unauthorized access. By integrating one-time codes into the login process, we add an extra layer of security that ensures only authorized users gain access.

Here’s how it works:

  • Step 1: Administrator sets up a policy to allow a select set of users, or users matching certain conditions, to authenticate with one-time codes.

  • Step 2: During a Windows login, a user enters their username and password.

  • Step 3: User chooses how to receive their passcode.

  • Step 4: A unique one-time code is sent to their registered email, phone (via SMS), or through a voice call depending on the chosen factor.

  • Step 5: The user retrieves the code and enters it to complete the login process.

  • Step 6: User is logged into their Windows workstation.

Benefits

  1. Enhanced Security: Even if attackers gain access to a user’s password, they cannot log in without the second factor—making it significantly harder for cybercriminals to breach endpoints.

  2. User-Friendly Implementation: One-time codes are easy to deploy and use, ensuring minimal disruption for employees who are not carrying their phone or onboarding for the first time. It is also beneficial in scenarios where users need to log in to a remote workstation and require 2FA for enhanced security.

  3. Well-suited for Asia-Pacific (APAC) region: OTP-based authentication has become deeply integrated into the digital economy in India, making adoption easier.

  4. Consumer Education: Authentication with OTPs is a familiar pattern, making it a preferred choice for first-time users.

The downside of E-mail / SMS Passcodes

It’s important to note that while email and SMS passcodes are widely supported, many security experts recommend using more secure methods like authenticator apps or hardware tokens when possible, as SMS can be vulnerable to interception. Check out our other passwordless authentication methods for Windows workstations for a more robust implementation.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
