Changelog

Product updates

Keep up with our latest product updates and improvements.

Windows MFA Agent v2.4.2.0: Performance & Security Hardening

This release delivers a major performance improvement to LiveID camera initialization and a comprehensive security hardening pass addressing critical vulnerabilities identified during a third-party security assessment. Version 2.4.2.0 is validated across Windows 10, Windows 11 (24H2 & 25H2), Windows Server 2016, and Windows Server 2025.

LiveID authentication: Camera initialization performance

LiveID login now loads significantly faster. Camera configuration is initialized upfront, eliminating the delays users previously experienced at the login screen.

What changed:

  • Upfront camera initialization: Camera configuration is now handled at startup rather than at runtime, removing negotiation delays during login.

  • Preloaded pipeline: Camera dependencies are cached for instant readiness when the login screen is presented.

  • DSHOW fallback mechanism: A reliable fallback ensures consistent camera initialization across all device configurations and environments.

Note: This release covers camera initialization improvements only. Smartcard login latency and API response time optimizations are in progress and will be included in a future release.

Security hardening: Credential encryption, filesystem permissions, and log sanitization

This release addresses multiple critical vulnerabilities identified during a Bishop Fox security assessment. The Credential Provider has been overhauled across credential storage, encryption, and logging.

Credential encryption upgrade (DPAPI):

  • Replaced static key encryption: ECDSA encryption using a static key has been replaced with Windows OS-level DPAPI.

  • Runtime-derived keys: Encryption keys are derived from machine credentials by the OS at runtime. No extractable key exists in the binary.

  • Offline attack protection: Credential data copied off-machine is completely unusable on any other system.

Filesystem permissions:

  • Stricter ACLs: Access controls are now enforced on credential files and directories.

  • Per-user isolation: Each user's credential material is isolated with runtime-enforced access controls.

  • Privilege restriction: Low-privileged users can no longer access other users' sensitive authentication material.

Log sanitization:

  • Automatic redaction: An automatic log sanitizer redacts JWTs, passwords, tokens, certificates, PINs, and base64 blobs before writing to disk.

  • Removed raw payload logging: Direct logging of decrypted payloads has been eliminated.

  • Enabled by default: Log sanitization is active out of the box with no additional configuration required.
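
The redaction described above, shown as an added example (not 1Kosmos code): a Python logging filter that masks the listed categories before any handler writes the record to disk. The patterns, key names, marker format, and sample lines are assumptions constructed for illustration.

```python
import logging
import re

# (label, pattern, keep_group_1). Order matters: keyed secrets and bearer
# tokens are masked before the generic JWT and base64 rules run.
# Patterns and key names are assumptions, not the product's rule set.
_RULES = [
    ("CERT", re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S), False),
    ("SECRET", re.compile(
        r'(?i)("?\b(?:\w+_)?(?:password|passwd|pwd|pin|token|secret)\b"?\s*[:=]\s*)'
        r'(?:"[^"]*"|[^\s,;&]+)'), True),
    ("TOKEN", re.compile(r"(?i)(\bbearer\s+)[A-Za-z0-9._~+/=-]+"), True),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"), False),
    # Fails closed: any 40+ character base64-alphabet run is masked, so long
    # slash-separated paths can be redacted too.
    ("BASE64", re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}"), False),
]


def sanitize(text: str) -> str:
    """Return text with every match of each rule replaced by a labelled marker."""
    for label, rx, keep_prefix in _RULES:
        def repl(m, label=label, keep=keep_prefix):
            return (m.group(1) if keep else "") + f"[REDACTED:{label}]"
        text = rx.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Sanitize the fully formatted message so secrets passed as args are caught."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize(record.getMessage())
        record.args = None  # message is already formatted
        return True


# Constructed sample lines (no real credentials).
SAMPLES = [
    "offline login user=alice pin=4821, attempts=1",
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
    'response {"access_token":"abc123","expires":3600}',
    "payload " + "QUJD" * 12 + "==",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(sanitize(line))
```

Attach the filter to the handler rather than the logger so that records propagated from child loggers are also sanitized before they are written.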

Prerequisites and upgrade notes

Online login required after upgrade:

  • Users must complete one online login after upgrading before offline login will be available.

Release details

  • Version: 2.4.2.0.69E9D43A

  • Release date: May 8, 2026

  • Validated on: Windows 10, Windows 11 (24H2 & 25H2), Windows Server 2016, Windows Server 2025

Windows MFA Agent v2.4.0.0: Rebranding, Performance & Fixes

1Kosmos rebranding: BlockID retired across the Credential Provider

All user-facing elements of the Windows Credential Provider now reflect the unified 1Kosmos brand identity. BlockID branding has been fully retired from login screens, dialogs, and configuration interfaces.

Changes:

  • Login screens: All user-facing login UI now displays 1Kosmos branding.

  • Dialogs and configuration interfaces: BlockID references have been removed across all CP dialogs and admin-facing configuration screens.

  • Consistent experience: Branding is now uniform across the full product experience.

Smarter .EXE installer with automatic dependency handling

The .exe installer now automatically detects and installs missing .NET Framework 4.8 dependencies, eliminating the most common cause of failed deployments.

Changes:

  • Automatic prerequisite detection: The installer identifies missing .NET Framework 4.8 dependencies and installs them without manual intervention.

  • Reduced deployment friction: IT teams no longer need to pre-stage dependencies before running the installer.

Note: The MSI installer still requires manual prerequisite installation for environments that require full deployment control.

LiveID authentication: Early camera warm-up

LiveID biometric authentication is now faster. The camera is initialized earlier in the authentication process, resulting in noticeably quicker response times when facial recognition is presented.

Changes:

  • Early camera initialization: Camera warm-up now begins before the authentication prompt is fully loaded, reducing wait time at the login screen.

  • Smoother user experience: Users see faster, more consistent biometric response times across devices.

Kerberos service ticket fix: Smart card ejection control

Resolved an issue where Kerberos service ticket retrieval failed following smart card ejection. Configurable registry settings have been added to control ejection behavior and maintain credential context.

Changes:

  • Kerberos ticket retrieval fix: Service ticket retrieval no longer fails after a smart card is ejected.

  • Configurable ejection behavior: New registry settings allow administrators to control smart card ejection handling to match their environment.

  • Maintained credential context: Kerberos operations remain seamless across ejection events.

Bug fix: Offline PIN login with behavioral authentication

Resolved an issue preventing PIN-based login on devices configured with Behavioral Authentication when offline. Offline authentication now works as expected in this configuration.

Release details

  • Version: 2.4.0.0.69CA2927

  • Release date: March 30, 2026

Windows MFA Agent v2.3.0.0: Enterprise Deployment & Configuration

MSI-based installation: Enterprise-scale deployment

The Windows Credential Provider now ships as an MSI package, bringing standardized, enterprise-grade deployment to organizations of any size.

Changes:

  • MSI package: The Credential Provider is now distributed as an MSI, supporting both UI-guided and silent installation.

  • Scalable deployment: The same installation method works for small pilots and full enterprise-wide rollouts.

Centralized registry configuration

All configuration settings are now managed through the Windows Registry, replacing the previous config.json approach.

Changes:

  • Registry-based settings: Configuration is now centralized in the Windows Registry rather than managed through individual config.json files.

  • Group Policy support: Settings can be pushed and updated centrally via Group Policy across your entire deployment.

Flexible deployment options

Administrators can customize deployments to fit their existing workflows and environment requirements.

Changes:

  • MSI Transforms (MSTs): Use MSTs to apply environment-specific configurations without modifying the base installer.

  • Single packaged installer: Bundle configuration into a single installer for streamlined distribution across environments.

Silent installation and uninstallation

The Credential Provider can now be installed, upgraded, and removed silently, with no interruption to end users.

Changes:

  • Silent deployment support: Compatible with SCCM, Intune, and other enterprise deployment tools for fully automated, zero-touch rollouts.

  • Silent uninstallation: Removal is equally silent, giving IT full lifecycle control without user disruption.

Release details

  • Version: 2.3.0.0.69B96FE5

  • Release date: March 18, 2026

Windows MFA Agent v2.2.0.0: Helpdesk Passcode Fallback & Offline PIN Authentication

Helpdesk passcode fallback: Zero lockouts

Users who exceed authentication attempts can now recover access instantly through a secure helpdesk-issued passcode, without requiring an IT escalation or workstation reimaging.

Changes:

  • Passcode-based recovery: When authentication attempts are exceeded, users can recover access via a helpdesk-issued passcode rather than waiting for manual IT intervention.

  • In-session factor reset: The fallback journey also allows users to reset enrolled authentication factors on the spot, reducing follow-up support tickets.

Offline PIN authentication: Secure access without connectivity

Users can now authenticate with a locally cached PIN when network connectivity or mobile devices are unavailable, expanding secure access to restricted and disconnected environments.

Changes:

  • Locally cached PIN: Authentication is handled on-device using a cached PIN, with no network or mobile app required.

  • Intelligent attempt limits: Enterprise-grade attempt limits are enforced locally to maintain security in offline scenarios.

  • Expanded deployment scenarios: Supports manufacturing floors, secure facilities, and any environment where mobile devices are restricted or unavailable.

Release details

  • Version: 2.2.0.0.69B2DFE7

  • Release date: March 13, 2026

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
