Changelog

Product updates

Keep up with our latest product updates and improvements.

Windows MFA Agent v2.4.3.0 & v2.4.4.0: Enrollment Enforcement, TPM Login & Multi-Language Support

Behavioral Authentication enrollment enforcement

The "Skip Enrollment and Login" option has been removed from the Credential Provider screen during Behavioral Authentication enrollment flows. Users can no longer bypass enrollment to complete OS login without finishing setup, closing a compliance gap in enterprise rollouts.

Changes:

  • Skip option removed: The "Skip Enrollment and Login" option no longer appears on the CP screen during Behavioral Auth enrollment.

  • Community-level configuration: Enrollment enforcement is available as a tenant-level setting, giving admins flexible control without requiring custom builds per deployment.

Note: AdminX configuration for this feature does not require a CP build update.

Bug fix: Offline PIN authentication with case-insensitive username resolution

Offline PIN authentication now works correctly regardless of username casing differences (e.g. JohnDoe vs. johndoe).

Changes:

  • Case-insensitive vault key lookup: Usernames are now normalized to lowercase before hashing during vault key derivation, ensuring casing differences between credential storage and retrieval no longer cause lookup failures.

  • "Other User" tile fix: When authenticating offline via the "Other User" tile with winuserattribute mapping (UPN mapped to platform username), offline PIN now resolves correctly. The username window previously lacked the winuserattribute fallback lookup available on the known-user tile, causing PIN failures when the typed username did not directly match the stored platform username.
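The two fixes above, modelled as an added Python example (this is not the Credential Provider's own code): the vault lookup key is a hash of the lowercased username, the PIN is verified against a salted PBKDF2 digest, and the "Other User" path falls back to a winuserattribute mapping when the typed value is a UPN rather than the stored platform username. The key derivation (SHA-256 lookup key, PBKDF2-HMAC-SHA256 with 100,000 iterations), the dict-based vault and the sample user are all assumptions; the page does not describe the agent's real KDF or storage layout. The `normalize=False` switch reproduces the pre-fix behaviour so the failure can be seen side by side with the fix.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example; the agent's real KDF, iteration count and
# vault layout are not described in the release notes.
PBKDF2_ITERATIONS = 100_000


def normalize_username(username: str) -> str:
    """Lowercase (and trim) the username so JohnDoe and johndoe share one vault entry."""
    return username.strip().lower()


def vault_key(username: str, normalize: bool = True) -> str:
    """Lookup key for the offline vault.

    normalize=False reproduces the pre-fix behaviour, where a casing difference between
    enrollment and login produced a different key and therefore a lookup miss.
    """
    name = normalize_username(username) if normalize else username
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash of the PIN; only this digest is stored, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class OfflineVault:
    """Minimal model of the offline credential store plus the winuserattribute mapping."""

    def __init__(self) -> None:
        # vault_key -> record; in the real agent this lives in protected files on disk
        self._records: dict = {}
        # normalized UPN -> platform username (the winuserattribute mapping, assumed shape)
        self._winuserattribute: dict = {}

    def enroll(self, platform_username: str, pin: str, upn: Optional[str] = None) -> None:
        salt = secrets.token_bytes(16)
        self._records[vault_key(platform_username)] = {
            "salt": salt,
            "pin_hash": hash_pin(pin, salt),
            "platform_username": platform_username,
        }
        if upn:
            self._winuserattribute[normalize_username(upn)] = platform_username

    def resolve_platform_username(self, typed: str) -> Optional[str]:
        """Known-user tile path first (direct match on the normalized name), then the
        "Other User" tile fallback through the winuserattribute mapping for a typed UPN."""
        record = self._records.get(vault_key(typed))
        if record is not None:
            return record["platform_username"]
        return self._winuserattribute.get(normalize_username(typed))

    def verify_offline_pin(self, typed: str, pin: str) -> bool:
        platform_username = self.resolve_platform_username(typed)
        if platform_username is None:
            return False
        record = self._records[vault_key(platform_username)]
        # Constant-time comparison so timing does not reveal how many digest bytes matched.
        return hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"])


if __name__ == "__main__":
    vault = OfflineVault()
    vault.enroll("johndoe", "482913", upn="John.Doe@example.com")  # constructed sample user
    print(vault.verify_offline_pin("JohnDoe", "482913"))               # True: casing ignored
    print(vault.verify_offline_pin("john.doe@example.com", "482913"))  # True: UPN fallback
    print(vault_key("JohnDoe", normalize=False) == vault_key("johndoe", normalize=False))  # False: the old bug
```

Normalizing at both enrollment and lookup is what makes the fix symmetric; normalizing on only one side would simply move the mismatch. The UPN fallback is consulted only after the direct match fails, so users whose typed name already equals the stored platform username are unaffected.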

TPM-accelerated smart card login

The 1Kosmos Credential Provider now supports Microsoft's TPM Virtual Smart Card as an accelerated login path, reducing repeat login times from approximately 20 seconds to 9 to 11 seconds.

Changes:

  • Admin configuration: Enable via LoginMode = 1 in the registry or via deployment config.

  • First login: The user's certificate is imported onto the hardware TPM chip (approximately 12 seconds).

  • Subsequent logins: The cached certificate is retrieved directly with no re-import needed (9 to 11 seconds).

  • Automatic fallback: If anything fails, the system falls back to the standard 1Kosmos reader login flow.

  • Multi-user support: One TPM reader per machine; each user gets their own key container on the chip.

  • Certificate renewal: System checks certificate expiry on every login; renewal window is configurable (default: 28 days before expiry).

Note: A TPM chip is required for this feature.

Multi-language support: CP UI and Behavioral Authentication

The 1Kosmos Credential Provider UI and Behavioral Authentication phrases are now available in four additional languages: Spanish, Portuguese, French, and German.

Changes:

  • Full localization: All CP UI labels, instructions, prompts, and error messages are localized into all four languages.

  • Natively generated phrases: Behavioral Authentication phrases are generated natively in each language, not translated from English, ensuring linguistic accuracy and biometric suitability.

  • Auto-detection: Language is auto-detected from the Windows OS locale with no manual configuration required for end users.

  • Admin override: IT admins can enforce a specific language via registry key or Group Policy for fleet-wide consistency.

  • English fallback: Any unsupported locale falls back to English.

  • Single build: All four languages are delivered in one CP build, reducing versions in circulation and minimizing pre-rollout validation overhead.

Note: If a user's OS locale differs from their enrollment language, the CP continues serving phrases in the original enrollment language. Switching languages requires re-enrollment via the AdminX self-service portal or admin action. This feature also requires the latest platform changes to be deployed to serve phrases in additional languages.

Release details

Version: 2.4.3.0 and 2.4.4.0

Release date: June 5, 2026


Windows MFA Agent v2.4.2.0: Performance & Security Hardening

This release delivers a major performance improvement to LiveID camera initialization and a comprehensive security hardening pass addressing critical vulnerabilities identified during a third-party security assessment. Version 2.4.2.0 is validated across Windows 10, Windows 11 (24H2 & 25H2), Windows Server 2016, and Windows Server 2025.

LiveID authentication: Camera initialization performance

LiveID login now loads significantly faster. Camera configuration is initialized upfront, eliminating the delays users previously experienced at the login screen.

Changes:

  • Upfront camera initialization: Camera configuration is now handled at startup rather than at runtime, removing negotiation delays during login.

  • Preloaded pipeline: Camera dependencies are cached for instant readiness when the login screen is presented.

  • DirectShow (DSHOW) fallback mechanism: A reliable fallback ensures consistent camera initialization across all device configurations and environments.

Note: This release covers camera initialization improvements only. Smartcard login latency and API response time optimizations are in progress and will be included in a future release.

Security hardening: Credential encryption, filesystem permissions, and log sanitization

This release addresses multiple critical vulnerabilities identified during a Bishop Fox security assessment. The Credential Provider has been overhauled across credential storage, encryption, and logging.

Credential encryption upgrade (DPAPI):

  • Replaced static key encryption: ECDSA encryption using a static key has been replaced with Windows OS-level DPAPI.

  • Runtime-derived keys: Encryption keys are derived from machine credentials by the OS at runtime. No extractable key exists in the binary.

  • Offline attack protection: Credential data copied off-machine is completely unusable on any other system.

Filesystem permissions:

  • Stricter ACLs: Access controls are now enforced on credential files and directories.

  • Per-user isolation: Each user's credential material is isolated with runtime-enforced access controls.

  • Privilege restriction: Low-privileged users can no longer access other users' sensitive authentication material.

Log sanitization:

  • Automatic redaction: An automatic log sanitizer redacts JWTs, passwords, tokens, certificates, PINs, and base64 blobs before writing to disk.

  • Removed raw payload logging: Direct logging of decrypted payloads has been eliminated.

  • Enabled by default: Log sanitization is active out of the box with no additional configuration required.
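As an added illustration of the redaction categories listed above (example code, not the agent's own sanitizer), the following Python module scrubs JWTs, PINs, passwords, tokens, PEM certificates and long base64 blobs from constructed log lines, and attaches the same logic to a `logging` handler so the unredacted text never reaches the handler's output. The key-name list, the regular expressions, the placeholder strings and every sample line are assumptions; no token, PIN or certificate shown is real.

```python
import logging
import re
import sys

# Key names that mark a value as sensitive when they appear as key=value, key: value or
# "key": "value". The list is an assumption; extend it to match your own log vocabulary.
_SECRET_KEYS = r"password|passwd|pwd|pin|otp|secret|api[_-]?key|access_token|refresh_token|id_token|token"

# Order matters: named key/value pairs first, then Authorization headers, JWTs and PEM blocks,
# and the generic base64 catch-all last so it only sees what the specific rules left behind.
# Placeholders contain no whitespace, so a later rule never splits an earlier rule's output.
_RULES = [
    (re.compile(r"(?i)(?<![A-Za-z0-9])(" + _SECRET_KEYS + r")([\"']?\s*[=:]\s*[\"']?)[^\s,;\"']+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)(Authorization\s*[:=]\s*(?:Bearer|Basic)\s+)[^\s,;\"']+"),
     r"\1[REDACTED]"),
    # JWT: three base64url segments; the header segment always begins with "eyJ" ('{"' encoded)
    (re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"), "[REDACTED:JWT]"),
    # PEM certificates and keys, armour lines included (DOTALL so multi-line blocks match)
    (re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.DOTALL), "[REDACTED:PEM]"),
    # any remaining base64 run of 40+ characters (serialized payloads, raw key material)
    (re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])"), "[REDACTED:BASE64]"),
]


def sanitize(message: str) -> str:
    """Apply every rule in order and return the scrubbed text."""
    for pattern, replacement in _RULES:
        message = pattern.sub(replacement, message)
    return message


class SanitizingFilter(logging.Filter):
    """Handler-level filter: rewrites each record before the handler writes it out."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Fold %-style args into the message first so a secret passed as an argument is
        # scrubbed too, then clear args so the formatter does not re-apply them.
        record.msg = sanitize(record.getMessage())
        record.args = ()
        return True


def sanitizing_logger(name: str, stream) -> logging.Logger:
    """Logger whose only handler scrubs every record; use a FileHandler for real log files."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(SanitizingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    logger.propagate = False
    return logger


# Constructed sample lines in the shape of a pre-sanitization log; nothing here is real.
SAMPLE_LINES = [
    "2026-05-08 10:14:02 INFO  token exchange access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huZG9lIn0.abc123DEF456 user=johndoe",
    "2026-05-08 10:14:03 DEBUG offline pin=482913 for user johndoe",
    "2026-05-08 10:14:04 DEBUG request header Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huZG9lIn0.abc123DEF456",
    "2026-05-08 10:14:05 DEBUG decrypted payload=UkVEQUNURUQgY29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQgZm9yIHRoZSBleGFtcGxlIG9ubHk=",
    '2026-05-08 10:14:06 DEBUG enroll request {"user": "johndoe", "pin": "482913", "otp": "115522"}',
    "2026-05-08 10:14:07 DEBUG cert -----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUconstructedcertificatebody\n-----END CERTIFICATE-----",
    "2026-05-08 10:14:08 INFO  login ok for johndoe in 9.4s",
]


def sanitize_all(lines):
    return [sanitize(line) for line in lines]


if __name__ == "__main__":
    for line in sanitize_all(SAMPLE_LINES):
        print(line)
    log = sanitizing_logger("cp.demo", sys.stdout)
    log.debug("offline pin=%s for user %s", "482913", "johndoe")  # printed with the PIN redacted
```

Two design points worth copying: the filter sits on the handler rather than on individual log calls, so a new call site cannot forget to redact, and the generic base64 rule runs last so that a JWT or certificate still gets a descriptive placeholder instead of a generic one. The trade-off is over-redaction (a harmless 40-character base64 identifier is also masked), which is the right default for authentication logs.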

Prerequisites and upgrade notes

Online login required after upgrade:

  • Users must complete one online login after upgrading before offline login will be available.

Release details

  • Version: 2.4.2.0.69E9D43A

  • Release date: May 8, 2026

  • Validated on: Windows 10, Windows 11 (24H2 & 25H2), Windows Server 2016, Windows Server 2025

Windows MFA Agent v2.4.0.0: Rebranding, Performance & Fixes

1Kosmos rebranding: BlockID retired across the Credential Provider

All user-facing elements of the Windows Credential Provider now reflect the unified 1Kosmos brand identity. BlockID branding has been fully retired from login screens, dialogs, and configuration interfaces.

Changes:

  • Login screens: All user-facing login UI now displays 1Kosmos branding.

  • Dialogs and configuration interfaces: BlockID references have been removed across all CP dialogs and admin-facing configuration screens.

  • Consistent experience: Branding is now uniform across the full product experience.

Smarter .EXE installer with automatic dependency handling

The .exe installer now automatically detects and installs missing .NET Framework 4.8 dependencies, eliminating the most common cause of failed deployments.

Changes:

  • Automatic prerequisite detection: The installer identifies missing .NET Framework 4.8 dependencies and installs them without manual intervention.

  • Reduced deployment friction: IT teams no longer need to pre-stage dependencies before running the installer.

Note: The MSI installer still requires manual prerequisite installation for environments that require full deployment control.

LiveID authentication: Early camera warm-up

LiveID biometric authentication is now faster. The camera is initialized earlier in the authentication process, resulting in noticeably quicker response times when facial recognition is presented.

Changes:

  • Early camera initialization: Camera warm-up now begins before the authentication prompt is fully loaded, reducing wait time at the login screen.

  • Smoother user experience: Users see faster, more consistent biometric response times across devices.

Kerberos service ticket fix: Smart card ejection control

Resolved an issue where Kerberos service ticket retrieval failed following smart card ejection. Configurable registry settings have been added to control ejection behavior and maintain credential context.

Changes:

  • Kerberos ticket retrieval fix: Service ticket retrieval no longer fails after a smart card is ejected.

  • Configurable ejection behavior: New registry settings allow administrators to control smart card ejection handling to match their environment.

  • Maintained credential context: Kerberos operations remain seamless across ejection events.

Bug fix: Offline PIN login with behavioral authentication

Resolved an issue preventing PIN-based login on devices configured with Behavioral Authentication when offline. Offline authentication now works as expected in this configuration.

Release details

  • Version: 2.4.0.0.69CA2927

  • Release date: March 30, 2026

Windows MFA Agent v2.3.0.0: Enterprise Deployment & Configuration

MSI-based installation: Enterprise-scale deployment

The Windows Credential Provider now ships as an MSI package, bringing standardized, enterprise-grade deployment to organizations of any size.

Changes:

  • MSI package: The Credential Provider is now distributed as an MSI, supporting both UI-guided and silent installation.

  • Scalable deployment: The same installation method works for small pilots and full enterprise-wide rollouts.

Centralized registry configuration

All configuration settings are now managed through the Windows Registry, replacing the previous config.json approach.

Changes:

  • Registry-based settings: Configuration is now centralized in the Windows Registry rather than managed through individual config.json files.

  • Group Policy support: Settings can be pushed and updated centrally via Group Policy across your entire deployment.

Flexible deployment options

Administrators can customize deployments to fit their existing workflows and environment requirements.

Changes:

  • MSI Transforms (MSTs): Use MSTs to apply environment-specific configurations without modifying the base installer.

  • Single packaged installer: Bundle configuration into a single installer for streamlined distribution across environments.

Silent installation and uninstallation

The Credential Provider can now be installed, upgraded, and removed silently, with no interruption to end users.

Changes:

  • Silent deployment support: Compatible with SCCM, Intune, and other enterprise deployment tools for fully automated, zero-touch rollouts.

  • Silent uninstallation: Removal is equally silent, giving IT full lifecycle control without user disruption.

Release details

  • Version: 2.3.0.0.69B96FE5

  • Release date: March 18, 2026

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
