Windows MFA Agent v2.4.3.0 & v2.4.4.0: Enrollment Enforcement, TPM Login & Multi-Language Support

Behavioral Authentication enrollment enforcement

The "Skip Enrollment and Login" option has been removed from the Credential Provider screen during Behavioral Authentication enrollment flows. Users can no longer bypass enrollment to complete OS login without finishing setup, closing a compliance gap in enterprise rollouts.

Changes:

  • Skip option removed: The "Skip Enrollment and Login" option no longer appears on the CP screen during Behavioral Auth enrollment.

  • Community-level configuration: Enrollment enforcement is available as a tenant-level setting, giving admins flexible control without requiring custom builds per deployment.

Note: AdminX configuration for this feature does not require a CP build update.

Bug fix: Offline PIN authentication with case-insensitive username resolution

Offline PIN authentication now works correctly regardless of username casing differences (e.g. JohnDoe vs. johndoe).

Changes:

  • Case-insensitive vault key lookup: Usernames are now normalized to lowercase before hashing during vault key derivation, ensuring casing differences between credential storage and retrieval no longer cause lookup failures.

  • "Other User" tile fix: When authenticating offline via the "Other User" tile with winuserattribute mapping (UPN mapped to platform username), offline PIN now resolves correctly. The username window previously lacked the winuserattribute fallback lookup available on the known-user tile, causing PIN failures when the typed username did not directly match the stored platform username.
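The two fixes above, shown as an added sketch that is not 1Kosmos code: the same username hashed with and without lowercase normalization, and a typed UPN resolved through a mapping before the key is derived. The SHA-256 key derivation, the dictionary vault, the mapping table, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed sample mapping (UPN -> platform username), standing in for a
# winuserattribute-style lookup. Not the product's storage format.
UPN_TO_PLATFORM = {"john.doe@example.com": "JohnDoe"}


def vault_key(username: str, normalize: bool = True) -> str:
    """Derive a vault lookup key from a username (SHA-256 is an assumption)."""
    name = username.strip()
    if normalize:
        # The fix described above: lowercase before hashing.
        name = name.lower()
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def build_vault(stored_username: str, pin_record: str, normalize: bool = True) -> dict:
    """Store one constructed PIN record under the derived key."""
    return {vault_key(stored_username, normalize): pin_record}


def resolve_platform_username(typed: str, mapping: dict) -> str:
    """Fallback lookup: map a typed UPN to the platform username.

    Comparison is case-insensitive; an unmapped name is returned unchanged.
    """
    folded = {upn.lower(): platform for upn, platform in mapping.items()}
    return folded.get(typed.strip().lower(), typed)


def lookup_offline_pin(vault: dict, typed: str, mapping=None, normalize: bool = True):
    """Return the stored record for the typed username, or None on a miss."""
    name = resolve_platform_username(typed, mapping) if mapping else typed
    return vault.get(vault_key(name, normalize))


if __name__ == "__main__":
    old = build_vault("JohnDoe", "pin-record", normalize=False)
    new = build_vault("JohnDoe", "pin-record")
    upn = "John.Doe@Example.com"
    print("pre-fix,  typed 'johndoe':", lookup_offline_pin(old, "johndoe", normalize=False))
    print("post-fix, typed 'johndoe':", lookup_offline_pin(new, "johndoe"))
    print("UPN without fallback:", lookup_offline_pin(new, upn))
    print("UPN with fallback:   ", lookup_offline_pin(new, upn, UPN_TO_PLATFORM))
```
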

TPM-accelerated smart card login

The 1Kosmos Credential Provider now supports Microsoft's TPM Virtual Smart Card as an accelerated login path, reducing repeat login times from approximately 20 seconds to 9 to 11 seconds.

Changes:

  • Admin configuration: Enable via LoginMode = 1 in the registry or via deployment config.

  • First login: The user's certificate is imported onto the hardware TPM chip (approximately 12 seconds).

  • Subsequent logins: The cached certificate is retrieved directly with no re-import needed (9 to 11 seconds).

  • Automatic fallback: If anything fails, the system falls back to the standard 1Kosmos reader login flow.

  • Multi-user support: One TPM reader per machine; each user gets their own key container on the chip.

  • Certificate renewal: System checks certificate expiry on every login; renewal window is configurable (default: 28 days before expiry).

Note: A TPM chip is required for this feature.

Multi-language support: CP UI and Behavioral Authentication

The 1Kosmos Credential Provider UI and Behavioral Authentication phrases are now available in four additional languages: Spanish, Portuguese, French, and German.

Changes:

  • Full localization: All CP UI labels, instructions, prompts, and error messages are localized into all four languages.

  • Natively generated phrases: Behavioral Authentication phrases are generated natively in each language, not translated from English, ensuring linguistic accuracy and biometric suitability.

  • Auto-detection: Language is auto-detected from the Windows OS locale with no manual configuration required for end users.

  • Admin override: IT admins can enforce a specific language via registry key or Group Policy for fleet-wide consistency.

  • English fallback: Any unsupported locale falls back to English.

  • Single build: All four languages are delivered in one CP build, reducing versions in circulation and minimizing pre-rollout validation overhead.

Note: If a user's OS locale differs from their enrollment language, the CP continues serving phrases in the original enrollment language. Switching languages requires re-enrollment via the AdminX self-service portal or admin action. This feature also requires the latest platform changes to be deployed to serve phrases in additional languages.

Release details

Version: 2.4.3.0 and 2.4.4.0

Release date: June 5, 2026


Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
