Release Notes for AdminX
Patches Applied
1.10.01
March 1, 2024
New Features
- 1Kosmos now allows you to configure a third-party identity provider such as Ping, Okta, Azure or ADFS as the Identity Provider for a certain group of users, selected by a routing policy. To configure an external Identity Provider:
  - Set up 1Kosmos as a SAML Service Provider with the Identity Provider.
  - Create a new Identity Provider configuration within the 1Kosmos control plane.
  - Upload the federation metadata file from the IDP (Ping, Okta, etc.) to 1Kosmos.
  - Set up users by either creating new users within the IDP user store or connecting to an existing directory.
  - Set up a routing policy that defines which users must authenticate with the IDP.
The following new features have been added:
- Manage a new IDP: Create or edit the configuration of a new external IDP.
- Delete an External IDP: Deleting an IDP deletes its configuration as well as any users that have been created in the external IDP User Store.
- Create new users in the IDP user store: The control plane offers a dedicated user store to create users who can be authorized to log in with the IDP.
- Manage routing policy: Set up a policy based on username matches or groups, or route all users created in the IDP User Store to log in with an external IDP.
- Login experience: When the user provides their username, the adaptive auth engine evaluates the user against the routing conditions. If matched, the user is redirected to the IDP SSO URL for authentication.
Enhancements
- Users with userAccountControl 1049088 (Enabled and Not Delegated) and userAccountControl 520 (HOMEDIR_REQUIRED and NORMAL_ACCOUNT) are now recognized as active users and are allowed to authenticate with our platform.
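The two userAccountControl values above are bit masks. The following added example (not 1Kosmos code) decodes such values with the documented Active Directory flag constants and applies an "active user" check; the rule that an active user is a NORMAL_ACCOUNT that is neither disabled nor locked out is an assumption that mirrors the note, not the platform's actual implementation:

```python
# Added example, not 1Kosmos code: decode Active Directory userAccountControl
# bit flags and decide whether an account should be treated as active.
# Flag values are the documented AD constants (ACCOUNTDISABLE = 0x0002, etc.).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010


def decode_uac(value: int) -> list[str]:
    """Return the names of all flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_active_user(value: int) -> bool:
    """Assumed rule: a normal user account that is neither disabled nor locked out.

    Policy bits such as NOT_DELEGATED or HOMEDIR_REQUIRED describe how the
    account may be used, not whether it is enabled, so they must not exclude
    the user. Only NORMAL_ACCOUNT matters here; trust accounts are not users.
    """
    return bool(value & NORMAL_ACCOUNT) and not value & (ACCOUNTDISABLE | LOCKOUT)


if __name__ == "__main__":
    # The two values from the release note, plus a disabled account for contrast.
    for uac in (1049088, 520, 514):
        print(uac, hex(uac), decode_uac(uac), "active" if is_active_user(uac) else "inactive")
```

1049088 is 0x100200 (NORMAL_ACCOUNT + NOT_DELEGATED) and 520 is 0x208 (NORMAL_ACCOUNT + HOMEDIR_REQUIRED); neither carries the ACCOUNTDISABLE bit, which is why both should pass an enabled-account check, while 514 (0x202) is a disabled normal account.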
Bug fixes
- Session storage handling: We have addressed a bug that caused the website to not render when local storage is restricted.
1.10.00
February 10, 2024
New Features
- For tenants that subscribe to our web Identity wallet, we now support enrollment of ID cards from any country and document. Expired ID cards cannot be enrolled into the web wallet. When enrolled, users can view the details of the document enrolled.
- In Email Templates, as part of the self-invitation for passwordless onboarding, we now support `{{Lastname}}` as a variable allowing for personalization. Previously supported variables included `FirstName`, `Tenant Name` and `Community Name`.
- We are switching to the font Work Sans from our previously used Adobe font. Adobe fonts are typically hosted in the cloud and require some of our customers to whitelist the Adobe font. To avoid cumbersome processes, we chose to shift to a font that is hosted within our CDN.
1.09.16
January 27, 2024
New Features
- Adaptive Auth Journeys allow administrators to build authentication journeys around the conditions listed below. When a user matches a policy, the authentication methods specified by the administrator for that policy are presented as options to the user.
Condition | Operator | Values |
---|---|---|
IP Address | is in the range of | Accepts an array of CIDR values |
IP Address | is outside the range of | Accepts array of CIDR values & range |
Groups | is one of | Specify the full DN of the Group. Allows for multiple values |
Applications | is one of | Select applications (SAML/OIDC/Admin Control Plane) to apply policies to |
Username | is one of | Accepts an array of usernames |
Adaptive Auth accepts the following decisions as outcomes:
Decision | Outcome |
---|---|
Deny Access | Denies access when user matches against a policy |
Just Password | Requires the user to only provide a password to login |
Push Notification | Approve sign-ins via push notification sent to the BlockID App |
FIDO | Use Windows Hello, Mac TouchID or your security key to login |
BlockID app Codes | Enter the 6-digit code generated by the BlockID app |
Hardware Token OTP | Provide username and enter a 6-digit code generated from hardware token |
Password & any OTP | Provide password and use passcodes generated through any channel. |
Password & Web OTP | Provide password and use passcodes generated through Email, SMS, Voice, BlockID App, APIs or a hardware token. |
Password & SMS OTP | Users are required to provide password and enter a code delivered to their registered phone number via text |
Password & Email OTP | Users are required to provide password and enter a code delivered to their registered email address |
Password & Voice OTP | Users are required to provide password and enter a code delivered to their registered phone number via voice call |
Password & Push Notification | Users are required to provide their password and approve sign-ins via push notification sent to the BlockID App |
Password & FIDO | Users are required to provide their password and enrolled FIDO Device -- Windows Hello, Mac TouchID or your security key to login |
Password & BlockID App Codes | Users are required to provide their password and enter the 6-digit code generated by the BlockID app |
Password & Hardware OTP Codes | Users are required to provide their password and code from their Hardware token. |
- If a user cannot be matched against any authentication policy, the default policy's authentication methods are presented to the user.
- If a user matches multiple authentication journeys, the authentication methods of all matched journeys are presented to the user.
- However, if a user matches a journey that contains Deny Access alongside other authentication methods, the user is automatically denied access.
- A new .wellknown endpoint has been introduced to collect machine information (when it is available through the health agent) every time the user lands on the AdminX login page.
- The `E_LOGIN_SUCCEEDED` event now contains a list of all facts evaluated at the time of authentication.
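The condition table and the three matching rules above together define a small policy engine. The following added example (not 1Kosmos code) implements them as described: every condition of a journey must match, unmatched users get the default policy, matches are unioned in journey order, and a matched journey containing Deny Access overrides everything else. The journey and context data structures, the attribute names used as context keys, and the sample journeys are constructed assumptions for the example:

```python
import ipaddress
from dataclasses import dataclass

# Added example, not 1Kosmos code. Evaluates Adaptive Auth journeys as the
# release note describes them; data shapes below are assumptions.

DENY = "Deny Access"


@dataclass
class Journey:
    name: str
    # Each condition is (attribute, operator, values); all must match.
    conditions: list[tuple[str, str, list[str]]]
    # Decisions offered when the journey matches, e.g. ["FIDO"] or [DENY].
    decisions: list[str]


def _match(cond: tuple[str, str, list[str]], ctx: dict) -> bool:
    attr, op, values = cond
    if attr == "IP Address":
        ip = ipaddress.ip_address(ctx["ip"])
        inside = any(ip in ipaddress.ip_network(c, strict=False) for c in values)
        return inside if op == "is in the range of" else not inside
    if op == "is one of":
        # Username and Applications are single strings; Groups is a list of DNs.
        actual = ctx[attr]
        if isinstance(actual, str):
            actual = [actual]
        return any(a in values for a in actual)
    raise ValueError(f"unsupported condition: {attr} {op}")


def evaluate(journeys: list[Journey], default_methods: list[str], ctx: dict) -> list[str]:
    """Return the authentication methods to present, or [DENY]."""
    matched = [j for j in journeys if all(_match(c, ctx) for c in j.conditions)]
    if not matched:
        return list(default_methods)
    # A matched journey containing Deny Access wins over all other methods.
    if any(DENY in j.decisions for j in matched):
        return [DENY]
    # Union of the matched journeys' methods, preserving journey order.
    methods: list[str] = []
    for j in matched:
        for d in j.decisions:
            if d not in methods:
                methods.append(d)
    return methods


# Constructed sample journeys (not real tenant configuration).
ADMIN_GROUP = "CN=Admins,OU=Groups,DC=example,DC=com"
SAMPLE_JOURNEYS = [
    Journey("office-network",
            [("IP Address", "is in the range of", ["10.0.0.0/8"])],
            ["Push Notification", "FIDO"]),
    Journey("adminx-console",
            [("Applications", "is one of", ["Admin Control Plane"])],
            ["BlockID app Codes"]),
    Journey("admins-offsite",
            [("Groups", "is one of", [ADMIN_GROUP]),
             ("IP Address", "is outside the range of", ["10.0.0.0/8"])],
            ["Password & FIDO"]),
    Journey("blocked-users",
            [("Username", "is one of", ["contractor.old"])],
            [DENY, "Just Password"]),
]
DEFAULT_METHODS = ["Password & Email OTP"]

if __name__ == "__main__":
    ctx = {"ip": "10.1.2.3", "Groups": [], "Applications": "Admin Control Plane",
           "Username": "alice"}
    print(evaluate(SAMPLE_JOURNEYS, DEFAULT_METHODS, ctx))
```

The deny check runs before the union on purpose: a journey that lists Deny Access together with other methods must never leak those methods to the user, which is exactly the third rule above.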
Enhancements
- Resolved an issue on IE which did not allow the Help Button to render on the login page.
1.09.15
January 13, 2024
New Features
- A new event `E_ROLE_CHANGED` has been introduced to capture an audit log any time a user's role has been elevated or downgraded.
Enhancements
- Minor updates to the `license.json` file produced by the Directory broker to include the tenant DNS.
1.09.14
December 9, 2023
Enhancements & Bug Fixes
- The analytics dashboard can provide a downloadable report of the unique users logging into 1Kosmos. Hover over the Unique Users count on the analytics dashboard to download the report.
- We now allow customization of messaging templates used at the time of sending emails/text for different purposes. Email and SMS templates include User onboarding, Email verification, delivering passcodes and more.
1.09.14.01
December 7, 2023
Enhancements & Bug Fixes
- As a preventative measure to enhance security, the control plane now blocks the injection of malicious scripts into email templates, reducing the risk of XSS attacks.
- The `POST /users/find` API has been restricted to return a maximum of 2 users in order to prevent over-exposure of data.
- The `escapeXSS` function has been upgraded with stricter measures to prevent any malicious attempts of XSS injection when accessing messaging templates for onboarding or delivering passcodes to users.
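The template-variable personalization introduced in 1.10.00 and the template escaping above are two sides of the same concern: a placeholder filled from user-controlled data must be rendered as text, never as markup. The following added example (not 1Kosmos code and not its `escapeXSS` function) shows a template renderer that HTML-escapes every substituted value and fails closed on unknown placeholders. It assumes all variables use the `{{Name}}` form shown for `{{Lastname}}`; the sample template and values are constructed:

```python
import html
import re

# Added example, not 1Kosmos code: substitute {{Variable}} placeholders in an
# onboarding message with HTML-escaped values, so a user-controlled field such
# as a surname cannot inject script or markup into the rendered message.
# Assumption: every variable uses the {{Name}} form shown for {{Lastname}}.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z][A-Za-z ]*?)\s*\}\}")


class UnknownVariable(KeyError):
    """Raised when a template references a variable that was not supplied."""


def render_template(template: str, variables: dict[str, str]) -> str:
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            # Fail closed: an unknown placeholder is a template bug and must
            # not be silently sent to the user.
            raise UnknownVariable(name)
        # Escape <, >, &, and quotes so the value is rendered as text only.
        return html.escape(variables[name], quote=True)
    return PLACEHOLDER.sub(substitute, template)


def unsafe_render(template: str, variables: dict[str, str]) -> str:
    """The pattern to avoid: raw substitution leaves injected markup intact."""
    return PLACEHOLDER.sub(lambda m: variables[m.group(1)], template)


# Constructed sample input.
SAMPLE_TEMPLATE = (
    "<p>Hello {{FirstName}} {{Lastname}},</p>"
    "<p>{{Tenant Name}} has invited you to join the {{Community Name}} "
    "community. Use the link below to onboard your device.</p>"
)
SAMPLE_VARIABLES = {
    "FirstName": "Alice",
    "Lastname": "<script>alert(1)</script>",  # constructed hostile value
    "Tenant Name": "Example Corp",
    "Community Name": "Employees & Contractors",
}

if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_VARIABLES))
```

Escaping at substitution time, rather than on input, keeps the stored profile data intact while guaranteeing that whatever reaches the mail body is inert text; the `&` in the community name is escaped as well, which is correct for an HTML body.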
1.09.13
October 19, 2023
New Features
User Lockout
- Community Administrators and Help Desk Administrators now have the ability to lock a user indefinitely or for a defined period. Locked users cannot authenticate into AdminX or web applications using passwords or passwordless means.
- Community Administrators and Help Desk Administrators can also unlock a locked user. The affected user will be unlocked immediately.
RADIUS Server Configuration
- Administrators can now manage their RADIUS server configuration within AdminX to define which of the following authentication methods are allowed:
  - Login with Push
  - Login with Password & OTP
  - Login with OTP & Password
  - Login with OTP
- The RADIUS Server is available for Windows, Linux, and Darwin as a command-line tool. The RADIUS Server comes preconfigured with the appropriate license keys and community ID for your tenant.
Enhancements & Bug Fixes
UX Enhancements
- Updated UX during the onboarding of authenticators from the user profile
Request User Invites to a Secondary Email
- Ability to request user invites to a secondary email
User Authorizations from User Token
- Get user authorizations from the user token instead of making additional API calls after receiving the token
1.09.12
Sept 21, 2023
New Features
New SMS Gateway
- Introduced support for a new provider, Coalesce, to send text messages when delivering OTPs or invites for passwordless onboarding.
Login with Codes from OneSpan Hardware Tokens
Introduced support to configure OneSpan Server within the AdminX control plane.
- Administrators can choose whether or not to allow OneSpan authentication tokens as a login method for their tenant, as well as test their OneSpan server configuration.
Manage Session Time for AdminX
- Introduced support to manage the AdminX session time from within the control plane.
Enhancements & Bug Fixes
IdP Signing Certificate Key Size and Algorithm
- When an IDP certificate is uploaded, the key size and algorithm from the signing certificate will be used to sign the SAML response.
Invalid OTP Error on Correct OTP Entry
- Fixed an error for Internet Explorer 11 where the login page was caching `GET` requests, resulting in AdminX being unable to decode the request and rejecting the authentication.
Number of Devices Linked to an Account
- Bug fix to address the recorded number of devices linked to an account.
Additional SMS Provider Attributes for Gupshup
- Added support for two additional attributes when configuring Gupshup as an SMS Provider.
Documentation Updates
1.09.11.01
Sept 7, 2023
New Features
Enable or Disable FIDO Logins
Community Administrators can now enable or disable FIDO logins for all users within their community.
- Admins can choose whether or not to allow end users to enroll security keys or platform authenticators such as Mac TouchID or Windows Hello.
Allowed Security Keys
Community Administrators can bring in their desired brand of security keys for FIDO logins.
- Administrators can upload the metadata file of the security key through AdminX.
- When the metadata is successfully uploaded and enabled, end users can enroll keys from the added brand and use them at the time of authentication.
Reset Password on Next Login
Enforce password resets through the web for Active Directory users mandated to change their password on the next login.
- Users are required to provide their current password and new password to reset the password.
- To complete login, users will be prompted to enter an OTP, which can be sent via phone or email.
Enhancements & Bug Fixes
Support for Generating SHA1 & SHA256 Certificates
Introduced the ability to generate SHA1 & SHA256 self-signed certificates.
- A bug fix was made that addresses an issue of determining the value of the signing algorithm from the uploaded certificate.
Salesforce One Click Onboarding using SAML
- Updated our parameters to be XML-parser friendly.
- Updated to the latest version of the Salesforce SOAP API.
Error Codes on Login Page
- Resolved an issue that caused error codes `A00006` and `A00008` to appear on the login page. These error codes are shown when an API failure occurs at the time of rendering the login page.
Documentation Updates
1.09.10.01
August 31, 2023
Enhancements & Bug Fixes
Device Onboarding Access Code
Bug fix to improve the security around the access code that is sent to the user for onboarding their device for passwordless logins.
Documentation Updates
1.09.10
August 17, 2023
New Features
Added Support for Gupshup Gateway
Added support for Gupshup gateway to send text messages to users.
Enhancements & Bug Fixes
Login Page Refresh Button
The QR code on the login page displays a Refresh button after 5 min of inactivity.
- We fixed a bug that allows the QR code to render appropriately on a Cisco AnyConnect embedded browser.
Last Login Report New Metrics
The Last Login Report now displays a new metric that shows the number of active users per directory.
- Users marked as active have had at least one authentication using 1Kosmos in the last 30 days.
Logging Improvements
Fixed logging to ensure the journey ID and request ID are consistently available for internal troubleshooting.
Increased Caching
Widespread use of caching to improve API throughput
1.09.09
July 27, 2023
New Features
New Passwordless Login Options
Passwordless Login options have been updated in AdminX to allow Administrators to set their own policies regarding device onboarding.
- Administrators can define how many devices a single user can onboard for passwordless authentication. When a user attempts to enroll a device after the maximum allowed has been reached, Administrators can set whether to:
  - allow the new device while also deleting the oldest linked device
  - reject the new device
Disable Passwordless Login Options
If your enterprise is not ready for passwordless logins, Administrators can disable passwordless login options.
- When passwordless login is disabled, users are no longer presented with passwordless login options.
QR Code Refresh When Idle on Login Page
Previously, QR codes on the login page were automatically refreshed every 60 seconds. We have updated our logic to stop refreshing QR codes after users have been idle for five minutes or longer.
- After five minutes have passed, users will see a Refresh button that they must click to manually refresh the QR code. When manually refreshed, a new QR code appears, and the user can scan it to log in.
API Failure on Login Page
When required APIs failed to load on the AdminX login page, end users previously saw a loading message despite the page no longer loading. We have updated our interface to display a refresh button that can be clicked to refresh the page.
- Error codes are now displayed on the page to help troubleshoot the reason for failure.
Enhancements
Updated Helpdesk Administrator Permissions
Helpdesk Administrators now have additional permissions that allow them to download reports.
Updated Infobip SMS Gateway Integration
SMS Gateway Settings have been updated for Infobip to support an additional parameter, `smstemplateid`, to define which template should be used on Infobip.
Last Login Report Login Time
The Last Login Report now displays the time a user last logged in, using the local time zone of the browser.
Improved Page Designs
We have improved the design of the following pages:
- Updated the design for the Active Directory - Advanced Configuration tab to clearly delineate between the different configuration options that can be managed.
- Updated the design for Multi-factor Authentication to include all options for enabling or disabling login using one-time-passcodes.
- A new Passwordless Login page has been introduced to manage the configuration options for using Passwordless Login with the BlockID Mobile App.
  - Configuration options include device onboarding methods, fallback authentication options, and device linking preferences.
Documentation Updates
- AD Broker
- Multi-Factor Authentication
- Passwordless Login
- Last Login Report
- Gateway Settings
- User Management
1.09.08
June 29, 2023
New Features
Twilio Support for Voice Gateways
Administrators can leverage Twilio to configure their SMS and Voice gateways.
- The configured Voice gateway will deliver spoken one-time passcodes to users through a voice phone call.
Last Login report
Administrators can now view a report that combines information about all users in a directory, including their last login date.
- This report allows administrators to deduce which users have been inactive over 30, 60 or 90 days.
Windows Broker X.509 Certificates
The new Windows broker for Active Directory makes deployment of BlockID Workstation Login faster than ever by eliminating the need for additional NDES infrastructure within the enterprise.
- The Windows Broker can issue X.509 certificates for the user at the time of enrollment. These certificates are stored on the user's device and are presented by the user (from the BlockID mobile app) when using passwordless login to a Windows workstation.
- The Windows broker can easily be setup and managed through the AdminX control plane.
Enhancements & Bug Fixes
Login Page Adjustments for Embedded Browsers
We adjusted the login page to display the QR code without having to scroll to view the entire QR code block. This feature was tested on Zscaler to ensure optimal viewing of the displayed QR code.
Internal DB Prevented from Allowing Changes to Password Policy
Fixed a bug that prevented our internal DB from allowing changes to password policy.
Certain Devices Prevented from Completing Phone Verification
Fixed a bug that prevented users from certain devices (Pixel 6) from completing phone verification.
Documentation Updates
1.09.07
June 22, 2023
New Features
Support for Login Passcode through Voice
Administrators now have the ability to enable users to receive one-time passcodes through a phone call.
- When enabled, users will see a prompt to receive a phone call through which the one-time passcode is read out loud to the user.
1.09.06
June 8, 2023
New Features
Introducing the Windows Broker
Administrators can now deploy the Windows broker for Active Directory on-premise. This edge component allows the 1Kosmos platform to connect with a customer's Active Directory instance so that users can be fetched.
- The component is designed to be a long running Windows service and can be managed from the control plane.
Enhancements
Edit OIDC applications
Administrators can now modify OIDC applications that were previously created.
- The application can be modified with a new logo, the addition or removal of scopes, redirect URLs and more.
1.09.05
June 1, 2023
New Features
Broker Log File Settings
The Windows and Linux brokers deployed on-premise allow for the 1Kosmos platform to fetch and authenticate users in Active Directory. The brokers produce log files that capture detailed information on all activities that occur.
- The control plane now provides settings that allow for fine-grained control of the following values:
  - Broker Log File Size: Maximum size a log file can grow to before it rotates to a new file. Default value is set to 10MB.
  - Broker Log File Rotation Count: Maximum number of log files that should be retained in the logs directory. When the count is reached and a new log file needs to be created, the oldest log file in the directory will be deleted. Default value is set to 10.
Track Off-Boarded Devices
AdminX now produces events when a user removes their device as an authenticator.
- The E_DEVICE_DELINKED event is created when a user removes their device from their Profile page or from the mobile app.
Documentation Updates
1.09.04
May 18, 2023
New Features
Unenroll Documents from Identity Wallet
Users can now remove/unenroll identity documents (driver's license, passport and social security number) from their identity wallet.
- Once removed, data from the document is no longer available and cannot be retrieved.
- The user's Identity Assurance Level (IAL) will be recalculated when the user removes a document. The IAL will most likely reduce to IAL1 if the user has removed the documents that were used to achieve IAL2.
Self-Service Passwordless Onboarding from User Profile
Administrators can now enable or disable the ability for end users to pair their devices as authenticators from the My Profile page.
- When enabled, end users will authenticate into the 1Kosmos portal and be allowed to onboard a new device.
Enhancements & Bug Fixes
Customize Footer Color on Login Page
Our login page branding settings now allows administrators to customize the footer color on their login page.
Documentation Updates
1.09.03
May 11, 2023
New Features
Help Button Added to Login Page
Administrators can now add a help button on the login page to present phone numbers, FAQ's or troubleshooting tips at the time of login.
- Help content is authorable using HTML templates available as part of branding settings.
Account lockout for Incorrect OTP Attempts
Administrators can configure the number of incorrect one-time passcodes that can be entered before an account is locked.
- When locked, users are unable to login using any login method for a configurable amount of time in minutes.
- After the lockout time has expired the user account is automatically unlocked.
Enhancements & Bug Fixes
Report Downloads Bug Fixes
Removed links to expired reports on the Report Downloads page.
Safari Support for Phone Number Verification
Enhancements were made to ensure users can verify their phone number on the Safari browser when creating an account.
Analytics Dashboard Improvements
Improved the Analytics Dashboard devices view to show more detail.
- Clicking on the New Devices graph now shows a summary of all new devices enrolled.
Added New Items to Events Dashboard
Added new events to capture a summary of reports requested (`E_REPORT_REQUESTED`) and reports generated (`E_REPORT_GENERATED`) by administrators.
Documentation Updates
1.09.02
April 13, 2023
New Features
Passwordless Onboarding Configurability
Community administrators can now allow or disallow users to self-onboard using the Request an Invite self-service page.
- When enabled, it allows end users to receive an email to self-onboard their mobile device for passwordless authentication.
- When disabled, it prevents end users from being able to self-onboard a mobile device for passwordless authentication.
- Administrators can manage user device enrollment in scenarios needing controlled onboarding.
Trigger Identity Verification Flow using OIDC
OIDC clients can trigger an identity verification flow by including the `/assurance/ial/2` custom scope.
- When this scope is included in the OIDC request, the platform is configured to check if the user is verified to Identity Assurance Level 2 (IAL2).
- If the user is not verified to IAL2, including the scope will trigger an identity verification flow.
- At the end of the identity verification flow, the OIDC client receives the user's Identity Assurance Level (IAL) to take action on.
Enhancements & Bug Fixes
Identity Wallet Improvements
End users can use the identity wallet on their profile page to enroll new documents.
- We have improved page load times to allow for uploading documents on a need-to basis.
Form Submission Errors
We resolved errors during form submissions when blank spaces were included in form entries.
Documentation Updates
1.09.01
March 23, 2023
New Features
Analytics Dashboard
Community administrators can now see a summarized report of their usage across the community to view the following data:
- Counts:
  - Successful Logins: Number of successful logins across all users for any authentication method
  - Unique Logins: Number of active users with at least one login to an application
  - Devices Enrolled: Number of new devices enrolled by users
  - Failed Logins: Number of failed login attempts by all users
- Visualization:
  - Successful Authentications: Hour/Day breakdown of successful authentications, organized by authentication methods
  - Devices Enrolled: Hour/Day breakdown of devices enrolled for passwordless login
  - Applications Usage: percentage breakdown of logins to applications
  - Failed Logins: percentage breakdown of reasons login attempts failed
Reports download
We now support downloading reports as CSV files for all Login Activity Reports and Event Logs.
- All downloaded reports can be viewed within the Report Downloads section of the admin panel.
- Downloaded reports will remain in a pending state until all the records have been compiled. Once ready, the administrator who initiated the request receives an email containing the link to download the report.
- All report download links are available for a period of 7 days.
Enhancements & Bug Fixes
Email Notifications for Broker Disconnects
Administrators can now receive email notifications when AD or LDAP brokers have disconnected from the tenant.
- BlockID relies on an active connection with Active Directory brokers to fetch and authenticate users. When one or more brokers are experiencing interruptions, administrators can receive email alerts to review the health of the on-premise broker.
Documentation Updates
1.09.00
February 27, 2023
New Features
Step-up with Trusted One Time Passcodes (TOTP)
Authentication policies now support a decision to Step-up with Trusted One Time Passcodes (TOTP) using the BlockID Mobile App.
- Administrators can enable this feature by user geolocation or IP address
- Review which users performed Step Up with TOTP authentication using the Login Activity Report page in AdminX
Enhancements & Bug Fixes
Password Reset Events
Administrators can initiate password resets from the AdminX login page, or through the BlockID Mobile Application.
- Password Reset events will be captured and are available to audit using the User Events Dashboard in AdminX.
- E_PWDRESET_SUCCEEDED: This event is captured any time a user successfully resets their password.
- E_PWDRESET_FAILED: This event is captured any time a user fails to reset their password. Possible reasons for failure are also captured on the event.
Worldwide Support for Geolocation Authentication Rules
Geolocation Authentication Rules have been updated to support all countries worldwide.
1.08.00
February 02, 2023
Early Access Features
Geolocation Authentication Rules
Administrators can define authentication policies for their users based on geolocation. User geolocation data from the AdminX landing page will determine the type of authentication policy to be applied for the user.
- Depending on the location of the user, access can be denied, allowed with all available MFA options, or can be restricted to only allow login with our most secure method: LiveID
- Administrators can set multiple geolocation rules at the same time
- We currently support geolocation-based authentication policies for users in USA and India. In an upcoming release, we will expand our service to support this feature for users from other countries.
New Features
Access Denied Reports
Access-denied reports are now available in the Reports section in AdminX.
- The Access Denied report will show IP addresses and location data for denied users, as determined by the current authentication policies set for your tenant.
Enhancements & Bug Fixes
Administrator and User Event Log Reporting Service
We have improved how we log administrator and user events.
- Updated reporting service to ensure no service interruption will occur in the event an error is encountered while generating events
- Improved logging to report any errors encountered while generating events
Documentation Updates
1.07.06.01
January 05, 2023
New Features
Configurable Login Option for OTP Authentication
Administrators can enable or disable One-Time Passcode (OTP) authentication based on their authentication policies.
- When disabled, users can no longer request an OTP to their email or text or login using OTP
- When enabled, tenant administrators can define which channels (email, SMS, or both) an OTP can be sent
Trigger IAL2 Verification using OAuth2/OIDC
Relying parties can trigger an IAL2 verification flow using custom claims with OAuth2/OIDC.
- Passing `ial2` as an `acr` value on an OIDC claim will trigger a special authentication journey for users to upload and verify their identity documents online, resulting in IAL2 verification.
Administrator Activity Event Logs
Activities performed by tenant and community administrators within BlockID are logged and are available for audit in the Reports section in AdminX. The following new events have been added:
- E_DIRECTORY_ADDED
- E_DIRECTORY_MODIFIED
- E_DIRECTORY_REMOVED
- E_DIRECTORY_BROKER_ENABLED
- E_DIRECTORY_BROKER_DISABLED
- E_DIRECTORY_BROKER_DELETED
- E_DIRECTORY_BROKER_MODIFIED
- E_DIRECTORY_ATTRIBUTE_MODIFIED
- E_DIRECTORY_ATTRIBUTE_DELETED
- E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED
- E_IDP_CONFIGURATION_MODIFIED
Enhancements & Bug Fixes
SMS Gateway Configuration Update
The SMS gateway configuration page has been updated in AdminX.
- The `Sender Name` field has been updated to support alphanumeric values, allowing administrators to define their enterprise as the sender name so that users do not assume the message is spam.
- During new account creation, we verify whether an account already exists with the provided email before allowing users to begin the email verification process. If an existing account is found for the email, users are encouraged to sign in.
Documentation Updates
1.07.04, 1.07.05
December 16, 2022
Early Access Features
IP Address Rules
Administrators can define and manage policies that allow user access based on their IP Address.
Password Reset
Administrators can allow their users to reset their account password from the BlockID Mobile App by enabling configuration settings in AdminX. Enabling the configuration settings in AdminX allows users from both the Internal user store and Active Directory to reset their password using the BlockID Mobile App.
- On the BlockID Mobile Application, click on Reset Password from the menu. Provide a new password and confirm with TouchID/FaceID to complete the request.
- An upgrade to the latest version of the AD broker and the BlockID Mobile App is required for this feature to function seamlessly.
Login Activity Report
A new Login Activity Report is available in the Reports section in AdminX, which displays a list of all applications that users within your community logged into, and the 2FA method used. 2FA methods include:
- Password-based methods, such as Username + Password + OTP (email or SMS)
- Passwordless methods, such as FIDO, QR Login using BlockID Mobile App, and Push Notification login using BlockID Mobile App
- Kerberos login
- Step-up authentication using LiveID
Enhancements & Bug Fixes
Security Upgrades
We implemented the following upgrades to address some security exposure to our platforms:
- We fixed an issue that would have allowed a user of our system to identify the underlying technology stack we are using. This could have been used to create an attack vector against our platform.
- We obfuscated all references to a user's email or phone number in any authenticated API query on the platform.
- We have locked down a possible attack vector in which a malicious user could have submitted a script to expose some user information.
Documentation Updates
1.07.03, 1.07.04
November 17, 2022
Early Access Features
Primary Authentication Factors for BlockID Mobile App
Administrators can choose which authentication factor must be supported at the time of authentication. Choose between biometrics and PIN-based options to strengthen the approval of authentication:
- Touch ID / Face ID: Prompts users to provide their TouchID/FaceID when approving an authentication request from the BlockID mobile app.
- PIN: Prompts users to provide their PIN when approving an authentication request.
- LiveID: Prompts users to provide LiveID (live gestures) to approve an authentication request.
Fallback Authentication Factors for BlockID Mobile App
In scenarios where users are attempting to approve authentications from devices that do not support LiveID or TouchID/FaceID, then a fallback authentication mechanism can be enabled to allow alternate means of authentication.
Web SDK for Step-Up Authentication
Third-party websites can leverage the 1Kosmos Web SDK to trigger OIDC-based step-up authentication. The login handler is separated into two parts. The website takes care of first-factor authentication using a username and password combination. A redirect to 1Kosmos Authorization renders an iframe to provide options to trigger second-factor using Email OTP, SMS OTP, or LiveID. The iframe presents login options depending on the incoming request using acr claims.
New Features
Assign Roles to Users
Every user within the community can be assigned a role within BlockID. Their roles determine their permissions within the system. We currently support three roles:
- Basic User: By default, all users within BlockID have Basic User privileges. This allows them to view their profile information, manage their devices, enroll identity documents, and view their invites.
- Community Administrator: A community administrator has the highest privileges available and can manage all community operations.
- Help Desk Admin (new): Help Desk Admin is a new global role that we have introduced within AdminX. Help Desk Admin roles are ideal for users who need to have insight into the activity of a community. The Help Desk Admin role is also useful when troubleshooting user-onboarding errors.
Community Administrator access for BlockID Using Corporate Credentials
As a community administrator on BlockID, you will no longer be required to have a separate account to manage your preferences. Users from AD, LDAP & Azure AD can be promoted to community administrators.
Enhancements & Bug Fixes
AAMVA Failure Error Handling
In scenarios where a response from AAMVA times out during identity verification, we silently handle the error response and allow the end user to proceed to the next step.
Driver's License Enrollment after AAMVA Verification Failure
Bug fixes allow a user's Driver's License to be enrolled to their Identity wallet even if AAMVA verification fails.
Documentation Updates
1.07.02, 1.07.03.02
October 20, 2022
Early Access Features
Verify your identity with passport
The 1Kosmos Identity wallet now allows enrollment of a US Passport. Users can receive a text message on their verified mobile number to scan their passport. A selfie must be provided to verify their face and acts as proof of possession at the time of enrollment. When complete, the user's passport is enrolled within their wallet. For IAL2 credentialing, the user needs to be taken through an additional step of verifying their SSN.
Passport Attributes
The 1Kosmos platform allows the Credential Service Provider to request attributes from the User's passport through SAML or OIDC based workflows. Users are required to consent to information sharing so the attributes can be shared with a relying party.
New Features
Forgot Password
End users can now reset their password if they have forgotten their account password. Citizens start by receiving a magic link to their verified email address. On clicking the magic link, users automatically receive a one-time code sent to their verified phone number. The user enters the one-time code and a new password. Passwords need to meet the password policy defined by the administrator.
Save and Retrieve Consent
Any time a user's information is shared with a Service Provider, the 1Kosmos platform records consent of the user to remember the application and attributes shared with the application. The platform leverages the consent record at the time of sign-in to prove that the user has previously provided consent. If a user has previously consented to share information, they will no longer be prompted for consent when signing in.
Enhancements
Authentication Methods
Our sessions now capture the authentication methods used by the user to log in to the session. The JWT supports the following methods: password, otp, uwl, fido, phone_verified, email_verified.
AAL Capture
Authentication methods from the session token helps the platform determine the Authenticator Assurance Level. Service Providers can request the AAL of the user through SAML/OIDC.
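The following is an added example, not 1Kosmos code, showing how the authentication methods recorded in a session JWT can be turned into an Authenticator Assurance Level and compared with the AAL a Service Provider requests. It assumes the methods are carried in an `amr` claim (the RFC 8176 claim name; the release note does not name the claim), assumes the factor categories and thresholds in the comments (AAL1 = one factor category, AAL2 = two distinct categories, loosely after NIST SP 800-63B), and builds an unsigned, constructed sample token; a real deployment verifies the token signature before reading any claim.

```javascript
// Added example (not 1Kosmos code): derive an Authenticator Assurance Level
// from the authentication methods a session JWT records, and check it against
// the AAL a Service Provider requests via SAML/OIDC.
// Assumptions: methods live in the "amr" claim (RFC 8176), the factor
// categories below, and the thresholds AAL1 = one factor category,
// AAL2 = two distinct categories. AAL3 requires a hardware-based multi-factor
// authenticator, which a method name alone cannot prove, so this mapping
// never reports AAL3.

const METHOD_FACTOR = {
  password: 'knowledge',
  otp: 'possession',            // one-time code delivered to a verified channel
  uwl: 'possession',            // universal web login from the enrolled mobile app
  fido: 'possession',           // FIDO authenticator
  phone_verified: 'possession', // phone number verified during enrollment
  email_verified: 'possession', // email address verified during enrollment
};

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reads the payload only. A real deployment verifies the signature first;
// this helper exists for the constructed, unsigned sample token below.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Count distinct factor categories; unknown methods are rejected rather than
// silently ignored so a typo cannot inflate the level.
function assuranceLevel(methods) {
  const categories = new Set();
  for (const m of methods) {
    const cat = METHOD_FACTOR[m];
    if (!cat) throw new Error(`unknown authentication method: ${m}`);
    categories.add(cat);
  }
  if (categories.size === 0) return 0; // no authentication recorded
  return categories.size >= 2 ? 2 : 1;
}

// Compare the session's AAL with the level a relying party asked for.
function satisfiesRequestedAal(token, requestedAal) {
  const payload = decodeJwtPayload(token);
  const methods = Array.isArray(payload.amr) ? payload.amr : [];
  const aal = assuranceLevel(methods);
  return { aal, methods, satisfied: aal >= requestedAal };
}

// Constructed sample token (header.payload.placeholder-signature). Not a real
// 1Kosmos session token and not signed.
function makeSampleToken(amr) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'user-123', amr, iat: 1666224000 }));
  return `${header}.${payload}.signature-placeholder`;
}

const SAMPLE_TOKEN_MFA = makeSampleToken(['password', 'otp']);
const SAMPLE_TOKEN_PASSWORD_ONLY = makeSampleToken(['password']);

console.log(satisfiesRequestedAal(SAMPLE_TOKEN_MFA, 2));           // aal 2, satisfied
console.log(satisfiesRequestedAal(SAMPLE_TOKEN_PASSWORD_ONLY, 2)); // aal 1, not satisfied
```

Two possession-type methods (for example otp plus phone_verified) still count as one factor category here, which is the point of grouping by category rather than counting method names.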
1.07.01, 1.07.00
September 12, 2022
Early Access Features
IP address based authentication
Allows administrators to restrict authentication requests within their enterprise by source IP address.
- Allowed IPs list: Enter individual or a range of IPs from which authentication is allowed. All IPs outside of this will be denied access.
- Restricted IPs list: Enter individual or a range of IPs from which authentication must be denied. All other IPs will be allowed access.
- To avoid any conflicts due to IP address ranges, the administrator portal only allows for one of the two rules to be active at run time.
Access denied reports
Reports now show a list of all IPs that have been denied access within Reports > IPs denied access. Event details provide more information on the origination of the access request like user agent, IP Address and time of access.
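The following is an added example, not 1Kosmos code, showing how an Allowed IPs or Restricted IPs rule can be evaluated and how denied attempts can be recorded with the details the report above describes (IP address, user agent, time). It handles IPv4 only, accepts single addresses, CIDR blocks and hyphenated ranges (the entry syntax is an assumption; the release note does not specify one), and enforces the rule that only one of the two lists may be active. The policy and requests are constructed sample data.

```javascript
// Added example (not 1Kosmos code): evaluate an "Allowed IPs" or "Restricted
// IPs" rule and record denials. IPv4 only; entry syntax is an assumption.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`Invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`Invalid IPv4 address: ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Accept a single address ("203.0.113.7"), a CIDR block ("203.0.113.0/24")
// or an inclusive range ("203.0.113.10-203.0.113.20"); return [lo, hi].
function parseEntry(entry) {
  if (entry.includes('/')) {
    const [base, bitsStr] = entry.split('/');
    const bits = Number(bitsStr);
    if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`Bad prefix: ${entry}`);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    const lo = (ipv4ToInt(base) & mask) >>> 0;
    return [lo, (lo | (~mask >>> 0)) >>> 0];
  }
  if (entry.includes('-')) {
    const [a, b] = entry.split('-').map((s) => ipv4ToInt(s));
    if (a > b) throw new Error(`Range out of order: ${entry}`);
    return [a, b];
  }
  const v = ipv4ToInt(entry);
  return [v, v];
}

// Only one list may be active at a time, so the two rules can never conflict.
function buildPolicy({ allowed = [], restricted = [] }) {
  if (allowed.length && restricted.length) {
    throw new Error('Only one of the Allowed or Restricted IP lists may be active');
  }
  const mode = allowed.length ? 'allow' : restricted.length ? 'restrict' : 'open';
  const ranges = (allowed.length ? allowed : restricted).map((e) => parseEntry(e));
  return { mode, ranges };
}

function ipMatches(ranges, ip) {
  const v = ipv4ToInt(ip);
  return ranges.some(([lo, hi]) => v >= lo && v <= hi);
}

// True when the request may proceed to authentication.
function isAuthenticationAllowed(policy, ip) {
  switch (policy.mode) {
    case 'allow': return ipMatches(policy.ranges, ip);
    case 'restrict': return !ipMatches(policy.ranges, ip);
    default: return true;
  }
}

// Denied attempts are captured with the fields the "IPs denied access"
// report surfaces: originating IP, user agent and time of access.
function evaluateRequest(policy, request, deniedLog, now = () => new Date().toISOString()) {
  const allowed = isAuthenticationAllowed(policy, request.ip);
  if (!allowed) deniedLog.push({ ip: request.ip, userAgent: request.userAgent, time: now() });
  return allowed;
}

// Constructed sample policy and requests (documentation address ranges).
const corpPolicy = buildPolicy({ allowed: ['198.51.100.0/24', '203.0.113.10-203.0.113.20'] });
const sampleRequests = [
  { ip: '198.51.100.42', userAgent: 'Mozilla/5.0 (constructed)' },
  { ip: '203.0.113.15', userAgent: 'Mozilla/5.0 (constructed)' },
  { ip: '192.0.2.99', userAgent: 'curl/8.0 (constructed)' },
];
const deniedLog = [];
for (const r of sampleRequests) evaluateRequest(corpPolicy, r, deniedLog, () => '2022-09-12T00:00:00Z');
console.log(deniedLog); // one entry, for 192.0.2.99
```

Rejecting a policy with both lists populated at build time mirrors the portal behaviour described above, and it is the safer failure: an ambiguous rule set never reaches the request path.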
Enhancements
AD & LDAP integrations now support LDAP Query Filtering
Admins can enter a regular expression to filter users within the directory. Only users who meet the criteria will be displayed within the Users tab on the Admin portal and can authenticate into enterprise applications.
New LDAP filters added to Reports
The following list of filters can now be used to delimit specific LDAP queries:
E_PUSH_REQUESTED
E_OTP_GENERATED
E_OTP_VERIFIED
E_OTP_REQUESTED
E_USER_CONSENT
Deprecated Features
Enrollment of ID documents by attributes request
Enrollment of GovID documents (Driver's License and SSN) will no longer be triggered based on the attributes requested. Instead, enrollment will be supported based on the Authn Context of the incoming request.
1.07.00, 1.06.05
August 18, 2022
New Features
Session revalidation logic added for enhanced security
Session revalidation logic was added to ensure that the current application session remains valid for active users who close and re-open their browser window. If a user closes their browser window and reopens it, we check that the user is still active (not locked or disabled) and that each session is still valid.
User URN Identifier
We have introduced user URNs to uniquely identify users across multiple tenants, communities, and respective directories.
Early Access Features
When Kerberos is enabled on BlockID, the Active Directory broker becomes an intelligent identity gateway that allows users to authenticate to all web apps when they are on a domain-joined machine within the corporate network without providing a username or password. After initial domain sign on through Winlogon, Kerberos manages the credentials throughout the Active Directory forest whenever access to resources is attempted.
Multi Community Support for Kerberos Single Sign On
Separate communities within the tenant can have Kerberos enabled to support a different Active Directory instance each. This ensures that users across different AD Domains can login seamlessly.
Kerberos Settings for BlockID Credential Provider
When the BlockID Credential Provider is deployed to the workstation, it ensures that AD users login to their workstation using the BlockID mobile app. When paired with Kerberos, it ensures that all web apps within the enterprise will no longer require a username and password. Users are automatically signed into all their apps from the time they passwordless sign in to their workstation.
Enhancements
Performance improvements for BlockID Login pages
Performance improvements were made to the login page to ensure that the software stops polling when the user switches to the "Login with Username" tab.
Signing certificate format verification
When a Signing Certificate is uploaded to the Service Provider Configuration, we will validate for .pem format as well as the presence of headers within the certificate.
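The following is an added example, not 1Kosmos code, of the kind of structural check an upload handler can run on a signing certificate before accepting it: PEM header and footer present, exactly one block, a decodable base64 body, and a body that begins with the DER SEQUENCE tag every X.509 certificate starts with. It also rejects a pasted private key. The function name and the sample inputs are constructed; the sample "certificate" is a five-byte DER stub, not a real certificate, so this illustrates format validation only and does not verify a chain or signature.

```javascript
// Added example (not 1Kosmos code): structural validation of an uploaded
// PEM signing certificate. Checks format only; chain and signature
// verification are out of scope here.

const PEM_BEGIN = '-----BEGIN CERTIFICATE-----';
const PEM_END = '-----END CERTIFICATE-----';

function validateSigningCertificatePem(input) {
  const errors = [];
  const text = String(input ?? '').replace(/\r\n/g, '\n').trim();

  // A private key pasted into the certificate field is a common operator
  // mistake and should be refused outright.
  if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(text)) {
    return { ok: false, errors: ['input contains a private key, not a certificate'] };
  }

  // Header and footer must both be present.
  if (!text.startsWith(PEM_BEGIN)) errors.push('missing BEGIN CERTIFICATE header');
  if (!text.endsWith(PEM_END)) errors.push('missing END CERTIFICATE footer');
  if (errors.length) return { ok: false, errors };

  // A signing certificate upload should hold exactly one PEM block.
  if (text.indexOf(PEM_BEGIN, PEM_BEGIN.length) !== -1) {
    return { ok: false, errors: ['more than one PEM block present; upload exactly one certificate'] };
  }

  // The body must be well-formed base64 once line breaks are removed.
  const body = text.slice(PEM_BEGIN.length, text.length - PEM_END.length).replace(/\s+/g, '');
  if (body.length === 0 || body.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
    return { ok: false, errors: ['certificate body is not valid base64'] };
  }

  // Every X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
  const der = Buffer.from(body, 'base64');
  if (der.length === 0 || der[0] !== 0x30) {
    errors.push('decoded body is not a DER SEQUENCE (not an X.509 certificate)');
  }
  return { ok: errors.length === 0, errors, derLength: der.length };
}

// Constructed samples. "MAMCAQE=" decodes to the DER bytes 30 03 02 01 01,
// a SEQUENCE wrapping INTEGER 1; it is a stub, not a real certificate.
const SAMPLE_VALID_PEM = [PEM_BEGIN, 'MAMCAQE=', PEM_END].join('\n');
const SAMPLE_NO_HEADERS = 'MAMCAQE=';
const SAMPLE_BAD_BODY = [PEM_BEGIN, 'not base64!', PEM_END].join('\n');
const SAMPLE_NOT_SEQUENCE = [PEM_BEGIN, 'AgEB', PEM_END].join('\n'); // 02 01 01
const SAMPLE_TWO_BLOCKS = [SAMPLE_VALID_PEM, SAMPLE_VALID_PEM].join('\n');
const SAMPLE_PRIVATE_KEY = ['-----BEGIN PRIVATE KEY-----', 'AgEB', '-----END PRIVATE KEY-----'].join('\n');

for (const s of [SAMPLE_VALID_PEM, SAMPLE_NO_HEADERS, SAMPLE_BAD_BODY, SAMPLE_NOT_SEQUENCE, SAMPLE_TWO_BLOCKS, SAMPLE_PRIVATE_KEY]) {
  console.log(validateSigningCertificatePem(s));
}
```

Once the structure passes, a handler on Node can go further with `crypto.X509Certificate` to parse the certificate and check its validity period before storing it; that step is omitted here because the sample body is not a parseable certificate.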
Session expiration message removed when forced authentication is enabled
Enabling forced authentication will terminate the user's session silently without displaying the message, "Your session has expired."
Fixes
AD Broker version information added to download page
The Active Directory Broker now displays the version of the broker that the user is downloading. This helps admins determine which version they are currently running and helps ensure all brokers are running the same version.
Deprecated Features
Removed encryption information from Service Providers App Configuration
The App configuration for Service Providers on AdminX will not require an Encryption Certificate and Encryption Algorithm.
Documentation Updates
1.06.05, 1.06.05.01, 1.06.04.02
July 23, 2022
New Features
Azure AD user stores
We have added support for connecting to Azure AD as a user store
Phone number verification
User phone numbers are now required to be verified during enrollment.
FIDO authentication during enrollment
Users can now setup FIDO authentication during enrollment.
Early Access Features
OIDC application support
OIDC/OAuth applications are now supported for creating SSO flows in web applications, choosing scopes to be verified, and using information from the Authorization Provider to configure the relying party
Version Changes for Underlying Components
NodeJS framework updated
Upgraded NodeJS from version 12.20.1 to version 16.15.0 LTS
Fixes, Limitations and Known Issues
IdP metadata rendering
Fixed an issue that prevented the rendering of the IdP metadata URL
Documentation Updates
1.06.03.05, 1.06.04.02
June 22, 2022
New Features
Customizable username field on login pages
Tenant and community administrators can now configure the text that appears against the username field on the login page to allow for any desired label, such as a username or corporate ID
Specify primary login method
Tenant and community administrators can now configure which default login screen users land on - QR code for passwordless login, or a username and password
1.06.03.03, 1.06.04.01
June 16, 2022
Enhancements
Load time performance improvements
- Community information will be cached for 10 minutes
- Polling behavior for login page modified to ensure polling thread sleeps for 1 second between polls
1.06.03.02
June 15, 2022
Fixes, Limitations and Known Issues
- The Force Authn flag used during SAML interactions now forces re-authentication when enabled
1.06.04
May 26, 2022
New Features
Session handling logic for session invalidation
Added logic for handling proper session invalidation and purging of user attributes after user logs out
Introduced a new web-based identity proofing journey to verify your users' identities:
- Allow users to self-enroll and create an account to perform their identity verification on a tenant
- Allow users to create a new identity wallet after registration
- Ability to view identity documents connected to user profile
- Ability to trigger text messages to user to scan a GovID
- Ability to enroll a driver's license as an identity document
- Ability to validate driver's license against AAMVA
- Ability to enroll SSN in Identity wallet
- Ability to validate SSN against nationalized database
- Introduced triangulation logic to ensure Driver's License & Social Security Number belongs to the same user
- Ability to present data sharing & consent screens to show the specific attributes requested from the user
- Ability to trigger proofing journeys based on incoming requests from a relying party
- Introduced a new set of attributes in SAML applications for sharing identity documents data
Documentation Updates
- 1Kosmos Identity Proofing Journey
- Create your Account
- Access your Identity Profile
- Verify your Identity Documents
- Data Sharing & Consent
1.06.03
April 14, 2022
New Features
Passwordless login for Mac and Windows
Support for passwordless login to Active Directory from Mac & Windows workstations, introduced through Smart Card Certificate enrollment
New Active Directory configuration settings:
- Allow Active Directory users to turn on/off passwordless sign-in to your workstation using the BlockID mobile app.
- Allow Active Directory users to turn on/off SCEP Configuration for the AD Broker
Documentation Updates
- Workstation Login for MacOS
- Workstation Login for Windows
- SCEP Configuration for Active Directory Authentication Broker
1.06.02
March 17, 2022
New Features
Super admin role added to every tenant:
- Super admins within a tenant can enable Self Registration for Customer/Citizen Product lines
Documentation Updates
1.06.00, 1.06.01
Feb 24, 2022
New Features
Preferred user stores
Administrators can define which directory their users need to be discovered from. We allow up to three directories to be available in the AdminX product for use as your preferred user stores
IPFS image store
Every community is provided an IPFS location to store their images. We are able to support scenarios where community admins can upload images into their email templates while onboarding users, as well as when images are required on the login page
IdP metadata download
Enabled support to download SAML metadata of your configured IdP and also provided a dedicated URL to access the metadata
Auto-generate signing and encryption certificates
Ability to auto-generate signing and encryption certificates for your SAML IdP (these are self-signed certificates and are recommended for use in lower environments only)
Signing algorithm support for SAML certificates
Ability to support RSA-SHA1 & RSA-SHA256 signing algorithms for SAML certificates
Documentation Updates
1.05.01.01
Jan 24, 2022
Enhancements
Customize user invite expiration time
When a user requests an invite for passwordless login, the community administrator can set the invitation expiration time
1.05.01
January 6, 2022
New Features
HTTP POST support for SAML integration
Enhanced application integration capability to support SAML using HTTP-POST
Integration of Office 365 using HTTP-POST
End-to-end testing to support the integration of Office 365 using HTTP-POST flow. SSO can be supported successfully on Office 365 Desktop Client for PC & Mac and Native O365 app for Android & iOS.
Email & SMS gateway management
- Introduced capability to manage email & SMS gateways
- Ability for administrators to configure SMTP gateways for sending outgoing emails
- Ability for administrators to configure SMS gateways (Karix, Twilio & Infobip) for sending outgoing text messages
- Ability to configure backup gateways to round-robin between providers
Early Access Features
FIDO2 Registration Support
- Introduced capability to support registration using FIDO authenticators
- Ability to rename a FIDO Key
- Ability to register multiple security keys & platform authenticators (device biometrics)
- Ability to unlink a FIDO key
FIDO2 Authentication Support
- Introduced capability to authenticate using FIDO authenticators
- End-to-end testing to support login using Windows Hello on Edge, Chrome, Firefox
- End-to-end testing to support login using Mac TouchID on Edge, Chrome & Safari
- End-to-end testing to support login using Security Keys on Edge, Chrome, Safari & Firefox (Windows only)
- Ability to SSO into downstream applications using FIDO keys
Fixes, Limitations and Known Issues
Disable and remove user accounts
Fixed issues so that disabling a user properly removes their linked accounts and devices.
Documentation Updates
1.04.02
November 3, 2021
New Features
Secondary email support
Introduced the capability to send Passwordless onboarding invites via text message and secondary email
Login page branding
Introduced capability to brand the login page by uploading logos and modifying the background and text colors.
Added CAPTCHA support to invite request pages
Introduced CAPTCHA for our invite request pages to protect against DDoS attacks
Active Directory and LDAP brokers for on-premise user stores
- Introduced capability to allow connections to an on-premise Active Directory user store using AD and LDAP brokers
- Ability to view all brokers connected to a Directory
- Ability to rename a broker
- Ability to download the latest broker directly from the portal
- Ability to refresh the status of the broker every 10 seconds
Enhancements
Edit AdminX user profiles
Ability to edit the profiles of existing AdminX users