Log into Microsoft/Linux/Shared Workstations using 1Kosmos passwordless authentication.
Integration type
OS
Overview
1Kosmos is available on the Microsoft Azure Marketplace, allowing Azure customers to deploy passwordless authentication for Windows, Linux, macOS, and shared workstations directly through the Azure portal.
What we solve
Workforces using Windows, Linux, macOS, or shared workstations are increasingly exposed to phishing and credential theft, yet rolling out passwordless authentication at scale can be slowed by deployment friction and procurement hurdles. This Azure Marketplace listing simplifies adoption so Azure customers can deploy 1Kosmos passwordless authentication directly through their existing Azure processes to reduce password risk and improve user access experience.
The 1Kosmos Workforce Credential Provider replaces the default Windows login screen with biometric-backed options including QR code login, push notification approval, TOTP, FIDO2, and offline OTP for disconnected environments. The platform verifies government-issued credentials and matches them against a real-time biometric selfie with liveness detection, meeting NIST 800-63-3 IAL2/AAL2 standards and iBeta ISO/IEC 30107-3 certification.
Prerequisites
Active Azure subscription: The subscribing account must have permissions to procure third-party SaaS applications from the Azure Marketplace.
Microsoft Entra ID (Azure AD) tenant: Required for user directory integration.
Active Directory domain-joined workstations: Windows workstation login requires machines to be joined to an Active Directory domain. Local accounts are not supported.
1Kosmos admin portal access: Provisioned by 1Kosmos after subscription. Contact 1kosmos.com/contact to coordinate setup.
Device compatibility: Windows 8.1 and higher is supported. For Linux, a separate PAM module is provided from the admin portal.
Integration steps
Step 1: Find the listing In the Azure portal, navigate to Marketplace and search for "1Kosmos" or "BlockID Workforce". Alternatively, go directly to marketplace.microsoft.com.
Step 2: Subscribe Select the BlockID Workforce listing, click "Get It Now", and review the plan details. Accept the terms to initiate the subscription.
Step 3: Configure the SaaS account After subscribing, you will be redirected to 1Kosmos to complete account setup. Provide your tenant domain and primary admin contact. A 1Kosmos representative will confirm provisioning and send your admin portal URL.
Step 4: Deploy the Credential Provider Download the BlockID Credential Provider installer (blockIdSetup..exe) from the 1Kosmos admin portal. Install on each domain-joined Windows workstation, or automate deployment via SCCM or GPO using the BlockIDInstaller.bat script with the -configure directive. Full installation and registry configuration details are at docs.1kosmos.com under Workstation Login → Windows.
Step 5: Configure authentication methods In the 1Kosmos admin portal, enable the login methods appropriate for your environment: QR login, push notification, OTP, FIDO2, or offline OTP. To enforce passwordless-only login, enable the "Disable Windows Password Provider" option in the Credential Provider Advanced Tab.
Step 6: Enroll users Users install the 1Kosmos mobile app and enroll their biometric. Enrollment can be self-service via QR code or smart link, or admin-initiated through the 1Kosmos portal.
Step 7: Test Enroll a single test user and verify all configured login methods on a workstation before enabling for the broader user base. Retain one admin account with direct access as a fallback during rollout.
Integration notes
Shared workstation scenarios (kiosk mode, shop floor, or lab environments) require additional configuration via the CyberArk PAM Proxy integration to manage shared account credential retrieval. See the Shared Account documentation at docs.1kosmos.com. For Linux workstation login, deploy the PAM module separately; it is not included in the Windows Credential Provider installer.
