
Release Notes for AdminX

Patches Applied

1.10.01

March 1, 2024

New Features

  • 1Kosmos now allows you to configure a third-party Identity Provider such as Ping, Okta, Azure or ADFS for a certain group of users based on a routing policy. To configure an external Identity Provider:
    • Set up 1Kosmos as a SAML Service Provider with the Identity Provider.
    • Create a new Identity Provider configuration within the 1Kosmos control plane.
    • Upload the federation metadata file from the IDP (Ping, Okta etc.) to 1Kosmos.
    • Set up users by either creating new users within the IDP user store or connecting to an existing directory.
    • Set up a routing policy that defines which users must authenticate with the IDP.

The following new features have been added:

  • Manage a new IDP: Create or edit the configuration of a new external IDP.
  • Delete an External IDP: Deleting an IDP deletes its configuration as well as any users that have been created in the external IDP User Store.
  • Create new users in the IDP user store: The control plane offers a dedicated user store to create users who can be authorized to log in with the IDP.
  • Manage routing policy: Set up a policy based on username matches or groups, or route all users created in the IDP User Store to log in with the external IDP.
  • Login experience: When the user provides their username, the adaptive auth engine evaluates the user against the configured conditions. If matched, the user is redirected to the IDP SSO URL for authentication.

Enhancements

  • Users with userAccountControl 1049088 (Enabled and Not Delegated) & userAccountControl 520 (HOMEDIR_REQUIRED and NORMAL_ACCOUNT) status are now recognized as active users and are allowed to authenticate with our platform.
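As an added example (not 1Kosmos code), decoding the two userAccountControl values above against the documented Active Directory flag bits shows why both count as enabled: neither has the ACCOUNTDISABLE bit (0x2) set.

```python
# Flag bits of the Active Directory userAccountControl attribute (documented
# Microsoft values; only the bits relevant to this note are listed).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x100000: "NOT_DELEGATED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_enabled(value: int) -> bool:
    """An account is enabled when the ACCOUNTDISABLE bit is clear. The other
    bits (HOMEDIR_REQUIRED, NOT_DELEGATED, ...) do not affect that decision."""
    return not (value & ACCOUNTDISABLE)


if __name__ == "__main__":
    # 1049088 and 520 are the values from the release note; 514 is a constructed
    # disabled account (NORMAL_ACCOUNT + ACCOUNTDISABLE) for contrast.
    for uac in (1049088, 520, 514):
        print(uac, decode_uac(uac), "enabled" if is_enabled(uac) else "disabled")
```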

Bug fixes

  • Session storage handling: We have addressed a bug that caused the website to not render when local storage is restricted.

1.10.00

February 10, 2024

New Features

  • For tenants that subscribe to our web Identity wallet, we now support enrollment of ID cards from any country and document. Expired ID cards cannot be enrolled into the web wallet. When enrolled, users can view the details of the document enrolled.
  • In Email Templates, as part of the Self invitation for Passwordless onboarding, we now support {{Lastname}} as a variable allowing for personalization. Previously supported variables included FirstName, Tenant Name and Community Name.
  • We are switching to the font Work Sans from our previously used Adobe Font. Adobe fonts are typically hosted on the cloud and require some of our customers to whitelist the Adobe font. To avoid cumbersome processes, we chose to shift to a font that is hosted within our CDN.

1.09.16

January 27, 2024

New Features

  • Adaptive Auth Journeys allow administrators to build authentication journeys around the conditions listed below. When a user matches a policy, the authentication methods specified by the administrator are presented as options to the user.

Condition    | Operator                | Values
IP Address   | is in the range of      | Accepts an array of CIDR values
IP Address   | is outside the range of | Accepts an array of CIDR values & ranges
Groups       | is one of               | Specify the full DN of the group. Allows for multiple values
Applications | is one of               | Select applications (SAML/OIDC/Admin Control Plane) to apply policies to
Username     | is one of               | Accepts an array of usernames

Adaptive Auth accepts the following decisions as outcomes:

Decision                      | Outcome
Deny Access                   | Denies access when a user matches the policy
Just Password                 | Requires the user to only provide a password to log in
Push Notification             | Approve sign-ins via push notification sent to the BlockID App
FIDO                          | Use Windows Hello, Mac TouchID or your security key to log in
BlockID app Codes             | Enter the 6-digit code generated by the BlockID app
Hardware Token OTP            | Provide username and enter a 6-digit code generated from a hardware token
Password & any OTP            | Provide password and use passcodes generated through any channel
Password & Web OTP            | Provide password and use passcodes generated through Email, SMS, Voice, BlockID App, APIs and hardware token
Password & SMS OTP            | Users are required to provide their password and enter a code delivered to their registered phone number via text
Password & Email OTP          | Users are required to provide their password and enter a code delivered to their registered email address
Password & Voice OTP          | Users are required to provide their password and enter a code delivered to their registered phone number via voice call
Password & Push Notification  | Users are required to provide their password and approve sign-ins via push notification sent to the BlockID App
Password & FIDO               | Users are required to provide their password and their enrolled FIDO device (Windows Hello, Mac TouchID or a security key) to log in
Password & BlockID App Codes  | Users are required to provide their password and enter the 6-digit code generated by the BlockID app
Password & Hardware OTP Codes | Users are required to provide their password and the code from their hardware token
  • If a user cannot be matched against any authentication policy, the default policy's authentication methods are presented to the user.
  • If a user matches multiple authentication journeys, the authentication methods of all matched journeys are presented to the user.
  • If a user matches a journey that contains Deny Access along with other authentication methods, the user is automatically denied access.
  • A new .wellknown endpoint has been introduced to collect machine information, when it is available through the health agent, every time the user lands on the AdminX login page.
  • The E_LOGIN_SUCCEEDED event now contains a list of all facts evaluated at the time of authentication.
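The three matching rules above (no match falls back to the default policy, several matches pool their methods, and any matched journey containing Deny Access denies outright) as an added worked example in Python; this is not 1Kosmos code, and the Journey/LoginContext data model, the operator keys and the assumption that a journey's conditions are AND-ed are all this example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Decision names as listed in the release note; only Deny Access is special-cased.
DENY = "Deny Access"


@dataclass
class Journey:
    """One Adaptive Auth Journey (data model is an assumption of this example)."""
    name: str
    conditions: dict     # operator key -> configured values, see journey_matches()
    decisions: list      # outcomes offered when the journey matches


@dataclass
class LoginContext:
    """Facts known about the user at login time (constructed for this example)."""
    username: str
    ip: str
    groups: set = field(default_factory=set)   # full group DNs
    application: str = ""


def ip_in_ranges(ip: str, cidrs) -> bool:
    """True when ip falls inside any of the configured CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def journey_matches(journey: Journey, ctx: LoginContext) -> bool:
    """Assumption: every condition configured on a journey must hold (AND)."""
    for operator, values in journey.conditions.items():
        if operator == "ip_in_range":            # IP Address is in the range of
            ok = ip_in_ranges(ctx.ip, values)
        elif operator == "ip_outside_range":     # IP Address is outside the range of
            ok = not ip_in_ranges(ctx.ip, values)
        elif operator == "group_is_one_of":      # Groups is one of (any overlap)
            ok = bool(ctx.groups & set(values))
        elif operator == "app_is_one_of":        # Applications is one of
            ok = ctx.application in values
        elif operator == "username_is_one_of":   # Username is one of
            ok = ctx.username in values
        else:
            raise ValueError(f"unknown condition operator: {operator}")
        if not ok:
            return False
    return True


def evaluate(journeys, default_methods, ctx: LoginContext):
    """Return ("deny", []) or ("allow", [methods...]) by the release-note rules:
    no match -> default policy; several matches -> union of their methods;
    any matched journey containing Deny Access -> denied outright."""
    matched = [j for j in journeys if journey_matches(j, ctx)]
    if not matched:
        return ("allow", list(default_methods))
    offered = []
    for j in matched:
        if DENY in j.decisions:
            return ("deny", [])
        for d in j.decisions:
            if d not in offered:
                offered.append(d)
    return ("allow", offered)


# Constructed sample configuration (not a real tenant).
DEFAULT_METHODS = ["Password & Email OTP"]
SAMPLE_JOURNEYS = [
    Journey("corp-network", {"ip_in_range": ["10.0.0.0/8"]},
            ["Push Notification", "FIDO"]),
    Journey("admin-console", {"group_is_one_of": ["CN=Admins,OU=Groups,DC=example,DC=com"],
                              "app_is_one_of": ["Admin Control Plane"]},
            ["Password & FIDO"]),
    Journey("contractors-offsite", {"ip_outside_range": ["10.0.0.0/8"],
                                    "username_is_one_of": ["contractor1"]},
            [DENY, "Just Password"]),
]

if __name__ == "__main__":
    for ctx in (LoginContext("alice", "10.1.2.3", set(), "SAML"),
                LoginContext("contractor1", "203.0.113.5")):
        print(ctx.username, evaluate(SAMPLE_JOURNEYS, DEFAULT_METHODS, ctx))
```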

Enhancements

  • Resolved an issue on IE which did not allow the Help Button to render on the login page.

1.09.15

January 13, 2024

New Features

  • A new event E_ROLE_CHANGED has been introduced to capture an audit log anytime a user’s role has been elevated or downgraded.

Enhancements

  • Minor updates to the license.json file produced by the Directory broker to include the tenant DNS.

1.09.14

December 9, 2023

Enhancements & Bug Fixes

  • The analytics dashboard can provide a report that allows downloading the unique users logging into 1Kosmos. Hover over the Unique users count on the analytics dashboard to download the report.
  • We now allow customization of messaging templates used at the time of sending emails/text for different purposes. Email and SMS templates include User onboarding, Email verification, delivering passcodes and more.

1.09.14.01

December 7, 2023

Enhancements & Bug Fixes

  • As a preventative measure to enhance security, the control plane now blocks the injection of malicious scripts into email templates, reducing the risk of XSS attacks.
  • The POST /users/find API has been restricted to return a maximum of 2 users in order to prevent overexposure of data.
  • The escapeXSS function has been upgraded with stricter measures to prevent any malicious attempts of XSS injection when accessing messaging templates for onboarding or delivering passcodes to users.

1.09.13

October 19, 2023

New Features

User Lockout

  • Community Administrators and Help Desk Administrators now have the ability to lock a user indefinitely or for a defined period. Locked users cannot authenticate into AdminX or web applications using passwords or passwordless means.

  • Community Administrators and Help Desk Administrators can also unlock a locked user. The affected user will be unlocked immediately.

RADIUS Server Configuration

  • Administrators can now manage their RADIUS server configuration within AdminX to define which of the following authentication methods are allowed:

    • Login with Push
    • Login with Password & OTP
    • Login with OTP & Password
    • Login with OTP
  • The RADIUS Server is available for Windows, Linux, and Darwin as a command-line tool. The RADIUS Server comes preconfigured with the appropriate license keys and community ID for your tenant.

Enhancements & Bug Fixes

UX Enhancements

  • Updated UX during the onboarding of authenticators from the user profile

Request User Invites to a Secondary Email

  • Ability to request user invites to a secondary email

User Authorizations from User Token

  • Get user authorizations from the user token instead of making additional API calls after receiving the token

1.09.12

Sept 21, 2023

New Features

New SMS Gateway

  • Introduced support for a new provider, Coalesce, to send text messages when delivering OTPs or invites for passwordless onboarding.

Login with Codes from OneSpan Hardware Tokens

Introduced support to configure OneSpan Server within the AdminX control plane.

  • Administrators can choose whether or not to allow OneSpan authentication tokens as a login method for their tenant, as well as test their OneSpan server configuration.

Manage Session Time for AdminX

  • Introduced support to manage the AdminX session time from within the control plane.

Enhancements & Bug Fixes

IdP Signing Certificate Key Size and Algorithm

  • When an IDP certificate is uploaded, the key size and algorithm from the signing certificate will be used to sign the SAML response.

Invalid OTP Error on Correct OTP Entry

  • Fixed an error for Internet Explorer 11 where the login page was caching GET requests, resulting in AdminX being unable to decode the request and rejecting the authentication.

Number of Devices Linked to an Account

  • Bug fix to address the recorded number of devices linked to an account.

Additional SMS Provider Attributes for Gupshup

  • Added support for two additional attributes when configuring Gupshup as an SMS Provider.

Documentation Updates

1.09.11.01

Sept 7, 2023

New Features

Enable or Disable FIDO Logins

Community Administrators can now enable or disable FIDO logins for all users within their community.

  • Admins can choose whether or not to allow end users to enroll security keys or platform authenticators such as Mac TouchID or Windows Hello.

Allowed Security Keys

Community Administrators can bring in their desired brand of security keys for FIDO logins.

  • Administrators can upload the metadata file of the security key through AdminX.

  • When the metadata is successfully uploaded and enabled, end users can enroll keys from the added brand and use them at the time of authentication.

Reset Password on Next Login

Enforce password resets through the web for Active Directory users mandated to change their password on the next login.

  • Users are required to provide their current password and new password to reset the password.

  • To complete login, users will be prompted to enter an OTP, which can be sent via phone or email.

Enhancements & Bug Fixes

Support for Generating SHA1 & SHA256 Certificates

Introduced the ability to generate SHA1 & SHA256 self-signed certificates.

  • A bug fix was made that addresses an issue of determining the value of the signing algorithm from the uploaded certificate.

Salesforce One Click Onboarding using SAML

  • Updated our parameters to be XML-parser friendly

  • Updated to the latest version of the Salesforce SOAP API.

Error Codes on Login Page

  • Resolved an issue that caused error codes A00006 & A00008 to appear on the login page. These error codes are shown when API failure occurs at the time of rendering the login page.

Documentation Updates

1.09.10.01

August 31, 2023

Enhancements & Bug Fixes

Device Onboarding Access Code

Bug fix to improve the security around the access code that is sent to the user for onboarding their device for passwordless logins.

Documentation Updates

1.09.10

August 17, 2023

New Features

Added Support for Gupshup Gateway

Added support for Gupshup gateway to send text messages to users.

Enhancements & Bug Fixes

Login Page Refresh Button

The QR code on the login page displays a Refresh button after 5 minutes of inactivity.

  • We fixed a bug so that the QR code renders correctly in a Cisco AnyConnect embedded browser.

Last Login Report New Metrics

The Last Login Report now displays a new metric that shows the number of active users per directory.

  • Users marked as active have had at least one authentication using 1Kosmos in the last 30 days.

Logging Improvements

Fixed logging to ensure the journey ID and request ID are consistently available for internal troubleshooting.

Increased Caching

Widespread use of caching to improve API throughput

1.09.09

July 27, 2023

New Features

New Passwordless Login Options

Passwordless Login options have been updated in AdminX to allow Administrators to set their own policies regarding device onboarding.

  • Administrators can define how many devices a single user can onboard for passwordless authentication. When a user attempts to enroll a device after the maximum allowed has been reached, Administrators can set whether to:
    • allow the new device while also deleting the oldest linked device
    • reject the new device

Disable Passwordless Login Options

If your enterprise is not ready for passwordless logins, Administrators can disable passwordless login options.

  • When passwordless login is disabled, users are no longer presented with passwordless login options.

QR Code Refresh When Idle on Login Page

Previously, QR codes on the login page were automatically refreshed every 60 seconds. We have updated our logic to stop refreshing QR codes after users have been idle for five minutes or longer.

  • After five minutes have passed, users will see a Refresh button that must be clicked to manually refresh the QR code. When manually refreshed, a new QR code appears, and the user can scan it to log in.

API Failure on Login Page

When required APIs failed to load on the AdminX login page, end users previously saw a loading message even though the page had stopped loading. We have updated our interface to display a refresh button that can be clicked to refresh the page.

  • Error codes are now displayed on the page to help troubleshoot the reason for failure.

Enhancements

Updated Helpdesk Administrator Permissions

Helpdesk Administrators now have additional permissions that allow them to download reports.

Updated Infobip SMS Gateway Integration

SMS Gateway Settings have been updated for Infobip to support an additional parameter, smstemplateid, to define which template should be used on Infobip.

Last Login Report Login Time

The Last Login Report now displays the time a user last logged in, using the local time zone of the browser.

Improved Page Designs

We have improved the design of the following pages:

  • Updated the design for the Active Directory - Advanced Configuration tab to clearly delineate between the different configuration options that can be managed.
  • Updated the design for Multi-factor Authentication to include all options for enabling or disabling login using one-time-passcodes.
  • A new Passwordless Login page has been introduced to manage the configuration options for using Passwordless Login with the BlockID Mobile App.
    • Configuration options include device onboarding methods, fallback authentication options, and device linking preferences.

Documentation Updates

1.09.08

June 29, 2023

New Features

Twilio Support for Voice Gateways

Administrators can leverage Twilio to configure their SMS and Voice gateways.

  • The configured Voice gateway will deliver spoken one-time passcodes to users through a voice phone call.

Last Login report

Administrators can now view a report that combines information about all users in a directory, including their last login date.

  • This report allows administrators to deduce which users have been inactive over 30, 60 or 90 days.

Windows Broker X.509 Certificates

The new Windows broker for Active Directory makes deployment of BlockID Workstation Login faster than ever by eliminating the need for additional NDES infrastructure within the enterprise.

  • The Windows Broker can issue X.509 certificates for the user at the time of enrollment. These certificates are stored on the user's device and are presented by the user (from the BlockID mobile app) when using passwordless login to a Windows workstation.
  • The Windows broker can easily be set up and managed through the AdminX control plane.

Enhancements & Bug Fixes

Login Page Adjustments for Embedded Browsers

We adjusted the login page to display the QR code without having to scroll to view the entire QR code block. This feature was tested on Zscaler to ensure optimal viewing of the displayed QR code.

Internal DB Prevented from Allowing Changes to Password Policy

Fixed a bug that prevented our internal DB from allowing changes to password policy.

Certain Devices Prevented from Completing Phone Verification

Fixed a bug that prevented users from certain devices (Pixel 6) from completing phone verification.

Documentation Updates

1.09.07

June 22, 2023

New Features

Support for Login Passcode through Voice

Administrators now have the ability to enable users to receive one-time passcodes through a phone call.

  • When enabled, users will see a prompt to receive a phone call through which the one-time passcode is read out loud to the user.

1.09.06

June 8, 2023

New Features

Introducing the Windows Broker

Administrators can now deploy the Windows broker for Active Directory on-premise. This edge component allows the 1Kosmos platform to connect with a customer's Active Directory instance so that users can be fetched.

  • The component is designed to be a long-running Windows service and can be managed from the control plane.

Enhancements

Edit OIDC applications

Administrators can now modify OIDC applications that were previously created.

  • The application can be modified with a new logo, added or removed scopes, redirect URLs, and more.

1.09.05

June 1, 2023

New Features

Broker Log File Settings

The Windows and Linux brokers deployed on-premise allow for the 1Kosmos platform to fetch and authenticate users in Active Directory. The brokers produce log files that capture detailed information on all activities that occur.

  • The control plane now provides settings that allow for fine grained control of the following values:
    • Broker Log File Size: Maximum size a log file can grow to before it rotates to a new file. Default value is set to 10MB.
    • Broker Log File Rotation Count: Maximum number of log files that should be retained in the logs directory. When the count is reached and a new log file needs to be created, the oldest log file in the directory will be deleted. Default value is set to 10.

Track Off-Boarded Devices

AdminX now produces events when a user removes their device as an authenticator.

  • The E_DEVICE_DELINKED event is created when a user removes their device from their Profile page or from the mobile app.

Documentation Updates

1.09.04

May 18, 2023

New Features

Unenroll Documents from Identity Wallet

Users can now remove/unenroll identity documents (driver's license, passport and social security number) from their identity wallet.

  • Once removed, data from the document is no longer available and cannot be retrieved.

  • The user's Identity Assurance Level (IAL) will be recalculated when the user removes a document. The IAL will most likely reduce to IAL1 if the user has removed the documents that were used to achieve IAL2.

Self-Service Passwordless Onboarding from User Profile

Administrators can now enable or disable the ability for end users to pair their devices as authenticators from the My Profile page.

  • When enabled, end users will authenticate into the 1Kosmos portal and be allowed to onboard a new device.

Enhancements & Bug Fixes

Our login page branding settings now allow administrators to customize the footer color on their login page.

Documentation Updates

1.09.03

May 11, 2023

New Features

Help Button Added to Login Page

Administrators can now add a help button on the login page to present phone numbers, FAQs or troubleshooting tips at the time of login.

  • Help content is authorable using HTML templates available as part of branding settings.

Account lockout for Incorrect OTP Attempts

Administrators can configure the number of incorrect one-time passcodes that can be entered before an account is locked.

  • When locked, users are unable to log in using any login method for a configurable amount of time in minutes.
  • After the lockout time has expired, the user account is automatically unlocked.

Enhancements & Bug Fixes

Report Downloads Bug Fixes

Removed links to expired reports on the Report Downloads page.

Safari Support for Phone Number Verification

Enhancements were made to ensure users can verify their phone number on the Safari browser when creating an account.

Analytics Dashboard Improvements

Improved the Analytics Dashboard devices view to show more detail.

  • Clicking on the New Devices graph now shows a summary of all new devices enrolled.

Added New Items to Events Dashboard

Added new events to capture a summary of reports requested (E_REPORT_REQUESTED) and reports generated (E_REPORT_GENERATED) by administrators.

Documentation Updates

1.09.02

April 13, 2023

New Features

Passwordless Onboarding Configurability

Community administrators can now allow or disallow users to self-onboard using the Request an Invite self-service page.

  • When enabled, it allows end users to receive an email to self-onboard their mobile device for passwordless authentication.
  • When disabled, it prevents end users from being able to self-onboard a mobile device for passwordless authentication.
  • Administrators can manage user device enrollment in scenarios needing controlled onboarding.

Trigger Identity Verification Flow using OIDC

OIDC clients can trigger an identity verification flow by including the /assurance/ial/2 custom scope.

  • When this scope is included in the OIDC request, the platform is configured to check if the user is verified to Identity Assurance Level 2 (IAL2).
  • If the user is not verified to IAL2, including the scope will trigger an identity verification flow.
  • At the end of the identity verification flow, the OIDC client receives the user's Identity Assurance Level (IAL) to take action on.

Enhancements & Bug Fixes

Identity Wallet Improvements

End users can use the identity wallet on their profile page to enroll new documents.

  • We have improved page load times to allow for uploading documents on an as-needed basis.

Form Submission Errors

We resolved errors during form submissions when blank spaces were included in form entries.

Documentation Updates

1.09.01

March 23, 2023

New Features

Analytics Dashboard

Community administrators can now see a summarized report of their usage across the community to view the following data:

  • Counts:
    • Successful Logins: Number of successful logins across all users for any authentication method
    • Unique Logins: Number of active users with at least one login to an application
    • Devices Enrolled: Number of new devices enrolled by users
    • Failed Logins: Number of failed login attempts by all users
  • Visualization:
    • Successful Authentications: Hour/Day breakdown of successful authentications, organized by authentication methods
    • Devices Enrolled: Hour/Day breakdown of devices enrolled for passwordless login
    • Applications Usage: percentage breakdown of logins to applications
    • Failed Logins: percentage breakdown of reasons login attempts failed

Reports download

We now support downloading reports as CSV files for all Login Activity Reports and Event Logs.

  • All downloaded reports can be viewed within the Report Downloads section of the admin panel.
  • Downloaded reports will remain in a pending state until all the records have been compiled. Once ready, the administrator who initiated the request receives an email containing the link to download the report.
  • All report download links are available for a period of 7 days.

Enhancements & Bug Fixes

Email Notifications for Broker Disconnects

Administrators can now receive email notifications when AD or LDAP brokers have disconnected from the tenant.

  • BlockID relies on an active connection with Active Directory brokers to fetch and authenticate users. When one or more brokers are experiencing interruptions, administrators can receive email alerts to review the health of the on-premises broker.

Documentation Updates

1.09.00

February 27, 2023

New Features

Step-up with Trusted One Time Passcodes (TOTP)

Authentication policies now support a decision to Step-up with Trusted One Time Passcodes (TOTP) using the BlockID Mobile App.

  • Administrators can enable this feature by user geolocation or IP address
  • Review which users performed Step Up with TOTP authentication using the Login Activity Report page in AdminX

Enhancements & Bug Fixes

Password Reset Events

Administrators can initiate password resets from the AdminX login page, or through the BlockID Mobile Application.

  • Password Reset events will be captured and are available to audit using the User Events Dashboard in AdminX.
    • E_PWDRESET_SUCCEEDED: This event is captured any time a user successfully resets their password.
    • E_PWDRESET_FAILED: This event is captured any time a user fails to reset their password. Possible reasons for failure are also captured on the event.

Worldwide Support for Geolocation Authentication Rules

Geolocation Authentication Rules have been updated to support all countries worldwide.

1.08.00

February 02, 2023

Early Access Features

Geolocation Authentication Rules

Administrators can define authentication policies for their users based on geolocation. User geolocation data from the AdminX landing page will determine the type of authentication policy to be applied for the user.

  • Depending on the location of the user, access can be denied, allowed with all available MFA options, or can be restricted to only allow login with our most secure method: LiveID
  • Administrators can set multiple geolocation rules at the same time
  • We currently support geolocation-based authentication policies for users in USA and India. In an upcoming release, we will expand our service to support this feature for users from other countries.

New Features

Access Denied Reports

Access-denied reports are now available in the Reports section in AdminX.

  • The Access Denied report will show IP addresses and location data for denied users, as determined by the current authentication policies set for your tenant.

Enhancements & Bug Fixes

Administrator and User Event Log Reporting Service

We have improved how we log administrator and user events.

  • Updated reporting service to ensure no service interruption will occur in the event an error is encountered while generating events
  • Improved logging to report any errors encountered while generating events

Documentation Updates

1.07.06.01

January 05, 2023

New Features

Configurable Login Option for OTP Authentication

Administrators can enable or disable One-Time Passcode (OTP) authentication based on their authentication policies.

  • When disabled, users can no longer request an OTP to their email or phone, or log in using an OTP
  • When enabled, tenant administrators can define which channels (email, SMS, or both) an OTP can be sent through

Trigger IAL2 Verification using OAuth2/OIDC

Relying parties can trigger an IAL2 verification flow using custom claims with OAuth2/OIDC.

  • Passing ial2 as an acr value on an OIDC claim will trigger a special authentication journey for users to upload and verify their identity documents online, resulting in IAL2 verification

Administrator Activity Event Logs

Activities performed by tenant and community administrators within BlockID are logged and are available for audit in the Reports section in AdminX. The following new events have been added:

  • E_DIRECTORY_ADDED
  • E_DIRECTORY_MODIFIED
  • E_DIRECTORY_REMOVED
  • E_DIRECTORY_BROKER_ENABLED
  • E_DIRECTORY_BROKER_DISABLED
  • E_DIRECTORY_BROKER_DELETED
  • E_DIRECTORY_BROKER_MODIFIED
  • E_DIRECTORY_ATTRIBUTE_MODIFIED
  • E_DIRECTORY_ATTRIBUTE_DELETED
  • E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED
  • E_IDP_CONFIGURATION_MODIFIED

Enhancements & Bug Fixes

SMS Gateway Configuration Update

The SMS gateway configuration page has been updated in AdminX.

  • The Sender Name field has been updated to support alphanumeric values, allowing administrators to define their enterprise as the sender name so that users do not assume the message is spam
  • During new account creation, we verify whether an account already exists with the provided email before allowing users to begin the email verification process. If an existing account is found using the email, users are encouraged to sign in

Documentation Updates

1.07.04, 1.07.05

December 16, 2022

Early Access Features

IP Address Rules

Administrators can define and manage policies that allow user access based on their IP Address.

Password Reset

Administrators can allow their users to reset their account password from the BlockID Mobile App by enabling configuration settings in AdminX. Enabling the configuration settings in AdminX allows users from both the Internal user store and Active Directory to reset their password using the BlockID Mobile App.

  • On the BlockID Mobile Application, click on Reset Password from the menu. Provide a new password and confirm with TouchID/FaceID to complete the request.
  • An upgrade to the latest version of the AD broker and the BlockID Mobile App is required for this feature to function seamlessly.

Login Activity Report

A new Login Activity Report is available in the Reports section in AdminX, which displays a list of all applications that users within your community logged into, and the 2FA method used. 2FA methods include:

  • Password-based methods, such as Username + Password + OTP (email or SMS)
  • Passwordless methods, such as FIDO, QR Login using BlockID Mobile App, and Push Notification login using BlockID Mobile App
  • Kerberos login
  • Step-up authentication using LiveID

Enhancements & Bug Fixes

Security Upgrades

We implemented the following upgrades to address some security exposure to our platforms:

  • We fixed an issue that would have allowed a user of our system to identify the underlying technology stack we are using. This could have been used to create an attack vector against our platform.
  • We obfuscated all references to a user's email or phone number in any authenticated API query on the platform.
  • We have locked down a possible attack vector in which a malicious user could have submitted a script to expose some user information.

Documentation Updates

1.07.03, 1.07.04

November 17, 2022

Early Access Features

Primary Authentication Factors for BlockID Mobile App

Administrators can choose which authentication factor must be supported at the time of authentication. Choose between biometrics and PIN-based options to strengthen the approval of authentication:

  • Touch ID / Face ID: Prompts users to provide their TouchID/FaceID when approving an authentication request from the BlockID mobile app.

  • PIN: Prompts users to provide their PIN when approving an authentication request.

  • LiveID: Prompts users to provide LiveID (live gestures) to approve an authentication request.

Fallback Authentication Factors for BlockID Mobile App

In scenarios where users are attempting to approve authentications from devices that do not support LiveID or TouchID/FaceID, a fallback authentication mechanism can be enabled to allow alternate means of authentication.

Web SDK for Step-Up Authentication

Third-party websites can leverage the 1Kosmos Web SDK to trigger OIDC-based step-up authentication. The login handler is separated into two parts. The website takes care of first-factor authentication using a username and password combination. A redirect to 1Kosmos Authorization renders an iframe to provide options to trigger second-factor using Email OTP, SMS OTP, or LiveID. The iframe presents login options depending on the incoming request using acr claims.

New Features

Assign Roles to Users

Every user within the community can be assigned a role within BlockID. Their roles determine their permissions within the system. We currently support three roles:

  • Basic User: By default, all users within BlockID have Basic User privileges. This allows them to view their profile information, manage their devices, enroll identity documents, and view their invites.

  • Community Administrator: A community administrator has the highest privileges available and can manage all community operations.

  • Help Desk Admin (new): Help Desk Admin is a new global role that we have introduced within AdminX. Help Desk Admin roles are ideal for users who need to have insight into the activity of a community. The Help Desk Admin role is also useful when troubleshooting user-onboarding errors.

Community Administrator access for BlockID Using Corporate Credentials

As a community administrator on BlockID, you will no longer be required to have a separate account to manage your preferences. Users from AD, LDAP & Azure AD can be promoted to community administrators.

Enhancements & Bug Fixes

AAMVA Failure Error Handling

In scenarios where a response from AAMVA times out during identity verification, we silently handle the error response and allow the end user to proceed to the next step.

Driver's License Enrollment after AAMVA Verification Failure

Bug fixes allow a user's Driver's License to be enrolled in their Identity wallet even if AAMVA verification fails.

Documentation Updates

1.07.02, 1.07.03.02

October 20, 2022

Early Access Features

Verify your identity with passport

The 1Kosmos Identity wallet now allows enrollment of a US Passport. Users can receive a text message on their verified mobile number to scan their passport. A selfie must be provided to verify the user's face; it also acts as proof of possession at the time of enrollment. When complete, the user's passport is enrolled within their wallet. For IAL2 credentialing, the user needs to be taken through an additional step of verifying their SSN.

Passport Attributes

The 1Kosmos platform allows the Credential Service Provider to request attributes from the User's passport through SAML or OIDC based workflows. Users are required to consent to information sharing so the attributes can be shared with a relying party.

New Features

Forgot Password

End users can now reset their password if they have forgotten it. Citizens start by receiving a magic link at their verified email address. On clicking the magic link, users automatically receive a one-time code at their verified phone number. They then enter the one-time code and a new password. Passwords need to meet the password policy defined by the administrator.

Any time a user's information is shared with a Service Provider, the 1Kosmos platform records consent of the user to remember the application and attributes shared with the application. The platform leverages the consent record at the time of sign-in to prove that the user has previously provided consent. If a user has previously consented to share information, they will no longer be prompted for consent when signing in.

Enhancements

Authentication Methods

Our sessions now capture the authentication methods used by the user to log in to the session. The JWT supports the following methods: password, otp, uwl, fido, phone_verified, email verified.

AAL Capture

Authentication methods from the session token help the platform determine the Authenticator Assurance Level (AAL). Service Providers can request the user's AAL through SAML/OIDC.
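As an added example (not 1Kosmos code), the following verifies a session JWT and derives an AAL from the authentication methods it records. The claim name "amr", the HS256 secret, and the method-to-factor table are assumptions for illustration: the release note lists the method names (email verified is written email_verified here) but not how the platform maps them to an assurance level.

```python
# Added example, not 1Kosmos code: verify a session JWT and derive an AAL from the
# authentication methods it records. The claim name "amr" and the method-to-factor
# table below are assumptions for illustration; the release note lists the method
# names but not how the platform maps them to an assurance level.
import base64
import hashlib
import hmac
import json

# Assumed: each method name from the note mapped to an authentication factor class.
# phone_verified / email_verified are contact-verification events, not authenticators.
FACTOR_CLASS = {
    "password": "knowledge",
    "otp": "possession",      # one-time code sent to a verified phone or email
    "uwl": "possession",      # assumed: approval from the user's enrolled device
    "fido": "possession",     # FIDO authenticator
    "phone_verified": None,
    "email_verified": None,
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_session_jwt(methods, secret: bytes) -> str:
    """Constructed HS256 session token carrying the methods used for this session."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": "user@example.test", "amr": list(methods)}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def aal_from_jwt(token: str, secret: bytes) -> int:
    """Check alg and signature, then count distinct factor classes: 1 -> AAL1, 2+ -> AAL2.
    AAL3 needs a hardware-backed, verifier-impersonation-resistant authenticator, which
    method names alone cannot establish, so this never returns 3. No factor -> 0."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    classes = set()
    for method in json.loads(_b64url_decode(payload)).get("amr", []):
        if method not in FACTOR_CLASS:
            raise ValueError(f"unknown authentication method: {method}")
        if FACTOR_CLASS[method]:
            classes.add(FACTOR_CLASS[method])
    return min(len(classes), 2)
```

Two possession-class methods (for example fido plus otp) still count as a single factor class, so a relying party asking for AAL2 would not be satisfied by them under this table.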

1.07.01, 1.07.00

September 12, 2022

Early Access Features

IP address based authentication

Allows administrators to restrict authentication requests within their enterprise:

  • Allowed IPs list: Enter individual or a range of IPs from which authentication is allowed. All IPs outside of this will be denied access.
  • Restricted IPs list: Enter individual or a range of IPs from which authentication must be denied. All other IPs will be allowed access.
  • To avoid any conflicts due to IP address ranges, the administrator portal only allows for one of the two rules to be active at run time.

Access denied reports

Reports now show a list of all IPs that have been denied access within Reports > IPs denied access. Event details provide more information on the origination of the access request like user agent, IP Address and time of access.
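The Allowed IPs / Restricted IPs rule above and the denied-access event record, as an added example that is not 1Kosmos code: a small policy evaluator that accepts single hosts or CIDR ranges, refuses a configuration with both lists active, fails closed on an unparseable address, and returns the IP, user agent and time a denied-access report would show. All sample addresses and the event field names are constructed.

```python
# Added example, not 1Kosmos code: evaluate an authentication request's source IP
# against an Allowed IPs list or a Restricted IPs list, enforcing the rule that only
# one of the two lists may be active, and recording the event details (IP, user
# agent, time) that an "IPs denied access" report would show. Field names are assumed.
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class IpPolicy:
    """Entries may be single hosts ("203.0.113.7") or CIDR ranges ("203.0.113.0/24")."""
    allowed: List[str] = field(default_factory=list)
    restricted: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.allowed and self.restricted:
            raise ValueError("only one of Allowed IPs or Restricted IPs may be active")
        self._allowed = [ipaddress.ip_network(e, strict=False) for e in self.allowed]
        self._restricted = [ipaddress.ip_network(e, strict=False) for e in self.restricted]

    def decide(self, client_ip: str) -> str:
        """Return "allow" or "deny"; an unparseable address fails closed."""
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return "deny"
        # Membership tests across IPv4/IPv6 simply return False, so a v6 client is
        # outside every v4 entry (denied by an allow-list, allowed by a deny-list).
        if self._allowed:
            return "allow" if any(ip in n for n in self._allowed) else "deny"
        if self._restricted:
            return "deny" if any(ip in n for n in self._restricted) else "allow"
        return "allow"  # no list configured: no IP restriction applies


def evaluate_request(policy: IpPolicy, client_ip: str, user_agent: str, when: str) -> dict:
    """Apply the policy and return the event record a denied-access report needs."""
    decision = policy.decide(client_ip)
    return {"decision": decision, "ip": client_ip, "user_agent": user_agent, "time": when}


if __name__ == "__main__":
    # Constructed sample: an allow-list covering one corporate range plus one host.
    policy = IpPolicy(allowed=["203.0.113.0/24", "198.51.100.7"])
    for ip in ("203.0.113.42", "198.51.100.8", "2001:db8::1"):
        print(evaluate_request(policy, ip, "Mozilla/5.0 (constructed)", "2022-09-12T10:00:00Z"))
```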

Enhancements

AD & LDAP integrations now support LDAP Query Filtering

Admins can enter a regex expression to filter users within the directory. Only users who meet the criteria will be displayed within the Users tab on the Admin portal and can authenticate into enterprise applications.

New LDAP filters added to Reports

The following list of filters can now be used to delimit specific LDAP queries:

  • E_PUSH_REQUESTED
  • E_OTP_GENERATED
  • E_OTP_VERIFIED
  • E_OTP_REQUESTED
  • E_USER_CONSENT

Deprecated Features

Enrollment of ID documents by attributes request

Enrollment of GovID documents (Driver's License and SSN) will no longer be triggered based on the attributes requested. Instead, enrollment will be supported based on the Authn Context of the incoming request.

1.07.00, 1.06.05

August 18, 2022

New Features

Session revalidation logic added for enhanced security

Session revalidation logic was added to ensure that the current application session remains valid for active users that close and re-open their browser window. If a user closes their browser window and reopens again, we check if the user is still active (not locked or disabled) and that each session is still valid.

User URN Identifier

We have introduced user URNs to uniquely identify users across multiple tenants, communities, and respective directories.

Early Access Features

When Kerberos is enabled on BlockID, the Active Directory broker becomes an intelligent identity gateway that allows users to authenticate to all web apps when they are on a domain-joined machine within the corporate network without providing a username or password. After initial domain sign on through Winlogon, Kerberos manages the credentials throughout the Active Directory forest whenever access to resources is attempted.

Multi Community Support for Kerberos Single Sign On

Separate communities within the tenant can have Kerberos enabled to support a different Active Directory instance each. This ensures that users across different AD Domains can log in seamlessly.

Kerberos Settings for BlockID Credential Provider

When the BlockID Credential Provider is deployed to the workstation, it ensures that AD users log in to their workstation using the BlockID mobile app. When paired with Kerberos, it ensures that web apps within the enterprise no longer require a username and password: users are automatically signed in to all their apps from the moment they sign in to their workstation without a password.

Enhancements

Performance improvements for BlockID Login pages

Performance improvements were made to the login page to ensure that the software stops polling when the user switches to the "Login with Username" tab.

Signing certificate format verification

When a Signing Certificate is uploaded to the Service Provider Configuration, we validate that it is in .pem format and that the certificate headers are present.
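The kind of upload check described here, as an added example that is not 1Kosmos code: it verifies the PEM framing (BEGIN/END CERTIFICATE headers), that the body is base64, and that the decoded bytes form a single DER SEQUENCE whose declared length matches the data. The sample input is a constructed minimal DER SEQUENCE, not a real certificate.

```python
# Added example, not 1Kosmos code: structural validation of an uploaded SAML signing
# certificate before it is stored. It checks the PEM headers, that the body is base64,
# and that the decoded bytes are one DER SEQUENCE whose declared length matches.
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _der_length(buf: bytes) -> int:
    """Total length of the DER SEQUENCE at the start of buf, or -1 if malformed."""
    if len(buf) < 2 or buf[0] != 0x30:
        return -1
    first = buf[1]
    if first < 0x80:                      # short form: length is the byte itself
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_pem_certificate(text: str) -> dict:
    """Return {"ok": True, "der_length": n} or {"ok": False, "reason": ...}."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return {"ok": False, "reason": "missing BEGIN CERTIFICATE header"}
    if lines[-1] != END:
        return {"ok": False, "reason": "missing END CERTIFICATE footer"}
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return {"ok": False, "reason": "body is not base64"}
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return {"ok": False, "reason": "body is not base64"}
    if _der_length(der) != len(der):
        return {"ok": False, "reason": "body is not a DER-encoded certificate"}
    return {"ok": True, "der_length": len(der)}


def wrap_pem(der: bytes) -> str:
    """Build PEM text from DER bytes (64-character lines), used to construct samples."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])


if __name__ == "__main__":
    # Constructed sample: a minimal DER SEQUENCE (not a real certificate) passes the
    # structural check, while a variant declaring more bytes than present is rejected.
    print(check_pem_certificate(wrap_pem(b"\x30\x03\x02\x01\x05")))
    print(check_pem_certificate(wrap_pem(b"\x30\x10\x02\x01\x05")))
```

A structural check like this rejects mislabelled or truncated uploads early; full X.509 parsing and expiry checks still belong to a dedicated library.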

Session expiration message removed when forced authentication is enabled

Enabling forced authentication will terminate the user's session silently without displaying the message, "Your session has expired."

Fixes

AD Broker version information added to download page

The Active Directory Broker now displays the version of the broker that the user is downloading. This helps admins determine which version they are currently running and helps ensure all brokers are running the same version.

Deprecated Features

Removed encryption information from Service Providers App Configuration

The App configuration for Service Providers on AdminX no longer requires an Encryption Certificate and Encryption Algorithm.

Documentation Updates

1.06.05, 1.06.05.01, 1.06.04.02

July 23, 2022

New Features

Azure AD user stores

We have added support for connecting to Azure AD as a user store

Phone number verification

User phone numbers are now required to be verified during enrollment.

FIDO authentication during enrollment

Users can now setup FIDO authentication during enrollment.

Early Access Features

OIDC application support

OIDC/OAuth applications are now supported for creating SSO flows in web applications, choosing scopes to be verified, and using information from the Authorization Provider to configure the relying party

Version Changes for Underlying Components

NodeJS framework updated

Upgraded NodeJS from version 12.20.1 to version 16.15.0 LTS

Fixes, Limitations and Known Issues

IdP metadata rendering

Fixed an issue that prevented the rendering of the IdP metadata URL

Documentation Updates

1.06.03.05, 1.06.04.02

June 22, 2022

New Features

Customizable username field on login pages

Tenant and community administrators can now configure the text that appears against the username field on the login page to allow for any desired label, such as a username or corporate ID

Specify primary login method

Tenant and community administrators can now configure which default login screen users land on: QR code for passwordless login, or username and password.

1.06.03.03, 1.06.04.01

June 16, 2022

Enhancements

Load time performance improvements

  • Community information will be cached for 10 minutes
  • Polling behavior for login page modified to ensure polling thread sleeps for 1 second between polls

1.06.03.02

June 15, 2022

Fixes, Limitations and Known Issues

  • The Force Authn flag used during SAML interactions now forces re-authentication when enabled

1.06.04

May 26, 2022

New Features

Session handling logic for session invalidation

Added logic for proper session invalidation and purging of user attributes after the user logs out.

Introduced a new web-based identity proofing journey to verify your users' identities:

  • Allow users to self-enroll and create an account to perform their identity verification on a tenant

  • Allow users to create a new identity wallet after registration

  • Ability to view identity documents connected to user profile

  • Ability to trigger text messages to user to scan a GovID

  • Ability to enroll a driver's license as an identity document

  • Ability to validate driver's license against AAMVA

  • Ability to enroll SSN in Identity wallet

  • Ability to validate SSN against nationalized database

  • Introduced triangulation logic to ensure the Driver's License & Social Security Number belong to the same user

  • Ability to present data sharing & consent screens to show the specific attributes requested from the user

  • Ability to trigger proofing journeys based on incoming requests from a relying party

  • Introduced a new set of attributes in SAML applications for sharing identity documents data

Documentation Updates

1.06.03

April 14, 2022

New Features

Passwordless login for Mac and Windows

Support for passwordless login to Active Directory from Mac & Windows workstations, introduced through Smart Card Certificate enrollment.

New Active Directory configuration settings:

  • Allow Active Directory users to turn on/off passwordless sign-in to your workstation using the BlockID mobile app.
  • Allow Active Directory users to turn on/off SCEP Configuration for the AD Broker

Documentation Updates

1.06.02

March 17, 2022

New Features

Super admin role added to every tenant:

  • Super admins within a tenant can enable Self Registration for Customer/Citizen Product lines

Documentation Updates

1.06.00, 1.06.01

Feb 24, 2022

New Features

Preferred user stores

Administrators can define which directory their users need to be discovered from. We allow up to three directories to be available in AdminX product for use as your preferred user stores

IPFS image store

Every community is provided an IPFS location to store their images. We are able to support scenarios where community admins can upload images into their email templates while onboarding users, as well as when images are required on the login page

IdP metadata download

Enabled support to download SAML metadata of your configured IdP and also provided a dedicated URL to access the metadata

Auto-generate signing and encryption certificates

Ability to auto-generate signing and encryption certificates for your SAML IdP (these are self-signed certificates and are recommended for use in lower environments only)

Signing algorithm support for SAML certificates

Ability to support RSA-SHA1 & RSA-SHA256 signing algorithms for SAML certificates

Documentation Updates

1.05.01.01

Jan 24, 2022

Enhancements

Customize user invite expiration time

When a user requests an invite for passwordless login, the community administrator can set the invitation expiration time

1.05.01

January 6, 2022

New Features

HTTP POST support for SAML integration

Enhanced application integration capability to support SAML using HTTP-POST

Integration of Office 365 using HTTP-POST

End-to-end testing to support the integration of Office 365 using HTTP-POST flow. SSO can be supported successfully on Office 365 Desktop Client for PC & Mac and Native O365 app for Android & iOS.

Email & SMS gateway management

  • Introduced capability to manage email & SMS gateways
    • Ability for administrators to configure SMTP gateways for sending outgoing emails
    • Ability for administrators to configure SMS gateways (Karix, Twilio & Infobip) for sending outgoing text messages
    • Ability to configure backup gateways to round-robin between providers

Early Access Features

FIDO2 Registration Support

  • Introduced capability to support registration using FIDO authenticators
    • Ability to rename a FIDO Key
    • Ability to register multiple security keys & platform authenticators (device biometrics)
    • Ability to unlink a FIDO key

FIDO2 Authentication Support

  • Introduced capability to authenticate using FIDO authenticators
    • End-to-end testing to support login using Windows Hello on Edge, Chrome, Firefox
    • End-to-end testing to support login using Mac TouchID on Edge, Chrome & Safari
    • End-to-end testing to support login using Security Keys on Edge, Chrome, Safari & Firefox (Windows only)
    • Ability to SSO into downstream applications using FIDO keys

Fixes, Limitations and Known Issues

Disable and remove user accounts

Fixed issues to ensure that disabling a user properly removes their linked accounts and devices.

Documentation Updates

1.04.02

November 3, 2021

New Features

Secondary email support

Introduced the capability to send Passwordless onboarding invites to text messages and secondary email

Login page branding

Introduced capability to brand the login page with capability to support uploading logos and modify the colors for background and text.

Added CAPTCHA support to invite request pages

Introduced CAPTCHA for our invite request pages to protect against DDoS attacks

Active Directory and LDAP brokers for on-premise user stores

  • Introduced capability to allow connections to an on-premise Active Directory user store using AD and LDAP brokers
    • Ability to view all brokers connected to a Directory
    • Ability to rename a broker
    • Ability to download the latest broker directly from the portal
    • Ability to refresh the status of the broker every 10 seconds

Enhancements

Edit AdminX user profiles

Ability to edit the profiles of existing AdminX users

Documentation Updates