This release delivers a major performance improvement to LiveID camera initialization and a comprehensive security hardening pass addressing critical vulnerabilities identified during a third-party security assessment. Version 2.4.2.0 is validated across Windows 10, Windows 11 (24H2 & 25H2), Windows Server 2016, and Windows Server 2025.
LiveID authentication: Camera initialization performance
LiveID login now loads significantly faster. Camera configuration is initialized upfront, eliminating the delays users previously experienced at the login screen.
What changed:
Upfront camera initialization: Camera configuration is now handled at startup rather than at runtime, removing negotiation delays during login.
Preloaded pipeline: Camera dependencies are cached for instant readiness when the login screen is presented.
DSHOW fallback mechanism: A reliable fallback ensures consistent camera initialization across all device configurations and environments.
Note: This release covers camera initialization improvements only. Smartcard login latency and API response time optimizations are in progress and will be included in a future release.
Security hardening: Credential encryption, filesystem permissions, and log sanitization
This release addresses multiple critical vulnerabilities identified during a Bishop Fox security assessment. The Credential Provider has been overhauled across credential storage, encryption, and logging.
Credential encryption upgrade (DPAPI):
Replaced static key encryption: ECDSA encryption using a static key has been replaced with Windows OS-level DPAPI.
Runtime-derived keys: Encryption keys are derived from machine credentials by the OS at runtime. No extractable key exists in the binary.
Offline attack protection: Credential data copied off-machine is completely unusable on any other system.
Filesystem permissions:
Stricter ACLs: Access controls are now enforced on credential files and directories.
Per-user isolation: Each user's credential material is isolated with runtime-enforced access controls.
Privilege restriction: Low-privileged users can no longer access other users' sensitive authentication material.
Log sanitization:
Automatic redaction: An automatic log sanitizer redacts JWTs, passwords, tokens, certificates, PINs, and base64 blobs before writing to disk.
Removed raw payload logging: Direct logging of decrypted payloads has been eliminated.
Enabled by default: Log sanitization is active out of the box with no additional configuration required.
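A minimal sketch of the redaction step described under Log sanitization, added here as an illustration and not the product's own sanitizer. The rule names, regular expressions, placeholder format and sample values are constructed assumptions.

```python
import logging
import re

# Constructed, illustrative rules (assumptions, not the product's patterns).
# Order matters: structured formats are handled before the generic blob rule.
RULES = [
    ("PEM", re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)),
    # key=value / "key": "value" pairs; the key name is kept for debugging.
    ("SECRET", re.compile(
        r"(?i)\b(\w*(?:password|passwd|pwd|token|secret)|pin)\b"
        r"(\"?\s*[:=]\s*\"?)([^\s\",;&]+)")),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")),
    # Any run of 40+ base64 characters; this also catches long hex digests,
    # which errs on the side of over-redaction.
    ("BASE64", re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}")),
]


def sanitize(text: str) -> str:
    """Return text with every rule match replaced by a typed placeholder."""
    for name, pattern in RULES:
        repl = r"\1\2[REDACTED:SECRET]" if name == "SECRET" else f"[REDACTED:{name}]"
        text = pattern.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record before any handler can write it to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-style arguments are covered too.
        record.msg = sanitize(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())  # filter on the handler, not the logger
    log = logging.getLogger("demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample values, not real credentials.
    log.info("offline login pin=%s user=%s", "4821", "alice")
    log.info("Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2ln")
    log.info("cached blob %s", "QUJD" * 12)
```

Pattern-based redaction of this kind is a backstop: it complements, rather than replaces, not logging decrypted payloads in the first place.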
Prerequisites and upgrade notes
Online login required after upgrade:
Users must complete one online login after upgrading before offline login will be available.
Release details
Version: 2.4.2.0.69E9D43A
Release date: May 8, 2026
Validated on: Windows 10, Windows 11 (24H2 & 25H2), Windows Server 2016, Windows Server 2025
