Release Notes for AdminX
1.10.18.01
May 12, 2025
New Features
Resetting Account Passwords through AdminX without OTP
Community administrators can now define how end users reset their forgotten passwords — through AdminX or the Mobile App — using the new Authentication > Reset Password menu in the AdminX interface.
On the Reset Password page, administrators can configure the following options:
- Enable users to reset passwords through AdminX
- Enable users to reset passwords through Mobile App
For more information, see Resetting Account Passwords.
Although mobile-based password resets are supported in the current implementation, this new feature requires that the Enable users to reset passwords through Mobile App setting be explicitly enabled in AdminX for mobile resets to function.
Ability to Terminate Users’ Active Sessions via AdminX
Community administrators with the user.revoke-sessions permission can now revoke active sessions - either their own or others' - to enhance security in cases such as password resets, user termination, or potential insider threats. For more information, see the Ability to Terminate Users’ Active Sessions section in Terminating User's Active Sessions.
Added New Authentication Journey to Login through Profile OTP
A new authentication method, Password + Profile OTP, has been added to the Adaptive Authentication Journey page. When a community administrator assigns this journey to a user, the user is first prompted to enter their password, followed by a verification code (Profile OTP). Upon successful authentication, the user is logged in to the AdminX interface.
- The Profile Passcode option appears on the Choose an authentication method screen only when multiple OTP options (e.g., email and SMS) are enabled for the user journey.
- Make sure that the Password + Profile OTP option has been set as the authentication journey.
Implemented Retry Mechanism for ID Proofing Sessions
Community administrators can now configure the number of retry attempts allowed when users fail to complete the verification process. This is managed in DVCID via a new parameter, maxRetries. In 1Kosmos, the status "Verification Not Performed" indicates that the captured image does not meet the required quality criteria, prompting users to retry document scanning.
By default, the maximum number of retry attempts is set to 2, but administrators can increase it up to 5. If the retry attempt count is set above 4, the UI prompts the administrator to correct the verification configuration before continuing.
If users are unable to complete verification within the allowed attempts, their status remains "Verification Not Performed." The UI also displays a number selector to show how many attempts the user has made. For more information, see the Viewing Session Results section in Verification Journey.
Bug Fixes
- User authentication via password or OTP fails when Kafka pods were down.
- An error message “allowed is not allowed” is displayed when the administrator creates or updates the transformation script.
- When a new broker is added to an existing Active Directory using the same licenseKey as the first broker, the license.json file on the new broker does not contain any licenseKey details. Instead, AdminX generates a new license for each broker/authproxy everytime it is downloaded.
- An error is displayed during document enrollment for IAL2 in the SAML/OIDC authentication flow.
- A typo appears in the message shown upon clicking the Download button for the Login Activity Report in the Reports > Login Activity Reports section of AdminX.
1.10.17
April 12, 2025
New Features
Restricting Access Based on Geo Location
This feature is applicable only when end users attempt to authenticate via QR codes or push notifications using their 1Kosmos mobile application.
1Kosmos now offers the ability to restrict user access if they are not within the allowed radius of their trusted locations. Community administrators can configure this new geo-based restriction rule using the Add New Adaptive Authentication Journey drop-down menu under Authentication > Adaptive Authentication. While configuring the rule, administrators can define the allowed distance between user's mobile location and their trusted location. During authentication, if the location of the user’s device is not within the allowed range of their trusted location, access is denied. For more information, see Restricting Access Based on Geolocation.
Community administrators must ensure that the users’ AD attribute which carries the trusted location is mapped to the BlockID attribute (trustedLocation).
Added Expired and Abandoned Statuses in ID Proofing
1Kosmos now introduces two new statuses in ID proofing: Expired and Abandoned. These statuses can be viewed in the Status drop-down menu of the Verification tab in the AdminX interface. Additionally, the following changes have been implemented as part of this enhancement:
- Two new timestamps have been added: expireSessionInMin (time to start) and abandonSessionInMin (time to complete after starting). These timestamps distinguish between Expired and Abandoned sessions. The default time for the expireSessionInMin parameter is set to 7 days, while the abandonSessionInMin is set to 1 hour.
- Two new events, E_IDV_SESSION_EXPIRED and E_IDV_SESSION_ABANDONED, are triggered when the session is marked as Expired or Abandoned, respectively. For more information, see ID Verification Events.
Ability to Configure Forced Re-Authentication for Service Provider (SP) Applications
1Kosmos now provides community administrators with the ability to force re-authentication when accessing specified SAML/OIDC Service Provider (SP) applications. You can enable re-authentication with the introduction of the new Force Re-authentication setting in the AdminX interface under the Applications tab. By default, this setting is disabled. This feature prompts users to re-enter any required credentials for the relevant authentication journey, regardless of whether they are already logged in with the same authentication factors. The purpose of re-authentication is to ensure continued security and verify the user's identity at specific intervals, preventing unauthorized access by adding an additional layer of protection. For more information, see SAML Application Integrations.
Bug Fixes
Fixed an issue where users received an 'Access Denied' message when attempting to access applications integrated with SAML SSO, despite the SAMLResponse being marked as Success.
1.10.16.01
March 15, 2025
New Features
Adding Affidavit on behalf of a User
1Kosmos enables community/helpdesk administrators to add an affidavit to a user’s web wallet allowing them to become IAL2 certified users without the need to physically scan their documents, but instead rely on notarized physical copies to assert their identity. Affidavit in 1Kosmos is a declaration made by the administrators certifying the authenticity of another user's passport (PPT), Driving License (DL), or SSN. The administrator who creates the affidavit assumes responsibility for verifying the accuracy of the document. However, only administrators with the following permissions are authorized to add the affidavit. For more information, see Bypassing Verification Using Notarized Documents.
New users will no longer be required to enter a PIN.
- user.affidavit.add
- users.view-user
- users.edit
- users.all-users
Bypassing Authentication for Specific Applications
1Kosmos now allows community administrators to configure an adaptive authentication flow that bypasses authentication for specific applications when users are within the designated network range.
As part of this enhancement, a new Grant access action has now been added under the Decision section when creating a new adaptive authentication journey. If the community administrator selects this action, it is mandatory to choose an application for which the journey will apply. This option is recommended for use with low-risk applications where the user does not need to be prompted for authentication within a corporate network. For more information, see Adaptive Authentication.
Authentication cannot be bypassed for AdminX.
Filter Verification Results by Journey Name and UID
Two new filters, Journey Name(DVCID) and uid filter have been added to the Verification > Verification page allowing you to filter sessions and download more granular results. For more information, see Verification Journey.
Display of Appropriate Error Message for Missing Email on User Profile
When a user attempts to download a report from the Verification > Verification page without an email address on their profile, the UI will validate the user's email. If no email is found, an error message will be displayed, notifying the user about the missing email address.
Introduced Standardized Error Responses for User Access
User enumeration is a security vulnerability that arises when an attacker can identify whether a specific username or account exists in a system based on its responses. To prevent user enumeration, the AdminX interface has now been enhanced to display the appropriate error codes and responses in the following scenarios.
The table below outlines the old and new error codes that will be displayed in the AdminX interface:
| Scenario | Old Error Message | New Error Message and Error Code |
|---|---|---|
| User is disabled | Your account has been disabled. Please contact your administrator | You are not authorized to access. Error code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Here, XXXX indicates the privately encrypted ECDSA error code. |
| User not found | User not Found. | You are not authorized to access. Error code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Here, XXXX indicates the privately encrypted ECDSA error code. |
| User locked | Your account has been locked by an administrator. Please contact your administrator. | You are not authorized to access. Error code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Here, XXXX indicates the privately encrypted ECDSA error code. |
| User not authorized | You are not authorized to access this page. | You are not authorized to access. Error code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Here, XXXX indicates the privately encrypted ECDSA error code. |
| User locked by a particular time | Your account has been temporarily locked for security reasons. Please try again in ${minutes} minutes. | You are not authorized to access. Error code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Here, XXXX indicates the privately encrypted ECDSA error code. |
1.10.15
February 21, 2025
New Features
Configuring Authentication Journeys for Windows Workstation MFA Agent in AdminX UI
Windows Workstation MFA Agent can now support the creation adaptive authentication journey from AdminX. The adaptive authentication journey functionality has been enhanced allowing administrators to configure (create, edit, or delete) authentication journeys through the AdminX interface under Authentication > Adaptive Authentication. For more information, see Windows Workstation MFA Agent.
The administrator can configure the following types of login journeys for workstation users:
- Password only
- Push
- QR
- FIDO
- Any OTP
- Password + Push
- Password + Any OTP
- Password + FIDO
- FIDO + Shared Account
The following events are captured in the Event Logs page:
- E_ADAPTIVEAUTH_MODIFIED: This event is triggered when the adaptive auth journey for Windows Workstation is modified.
- E_ADAPTIVEAUTH_CREATED: This event is triggered when the adaptive auth journey for Windows Workstation is created.
- E_ADAPTIVEAUTH_DELETED: This event is triggered when the adaptive auth journey for Windows Workstation is deleted.
Customizing QR Code Design
The Branding page in the AdminX interface has been enhanced allowing administrators to customize the QR code design. You can upload a png or jpg file of size less than 10KB. The recommended size is 35px x 35px. For more information, see Branding.
Ability to Download Verification Results
The community administrator or users with the following permissions can download the report from the AdminX interface under Verification > Verification page.
- idproofing.reports.verification-sessions-download
- idproofing.session-management
Download reports by filtering records based on document type, verification status, and the user who completed the verification process. If the report exceeds 2 million records, users will be prompted to refine their search. For more information, see Downloading Verification Reports.
Bug Fixes
- An invalid Orion authenticator icon is displayed on the other user's profile.
1.10.14.01
January 16, 2025
New Features
Ability to Authenticate with Kerberos
Community administrators can now specify which users within a community are permitted to authenticate using Kerberos, granting them access to the AdminX interface. This can be configured through the Kerberos Single Sign On setting located under Directory > Directory Integrations > <Your AD> Advanced Configuration to enable the Kerberos configuration. Additionally, the following new options have been introduced to configure the authentication journey.
- Kerberos
- Kerberos + Push
- Kerberos + Any OTP
For more information, see Kerberos Authentication.
1.10.14
January 10, 2025
New Features
Ability to Login to a Tenant Using Passcodes from Other Channels
When initiating an authentication journey with a Password & any OTP as the authentication methods, a new Already have a passcode? link will appear on the Sign In – Choose an authentication method page. This feature allows users to bypass generating a new OTP each time they authenticate using their profile OTP.
Make sure that the username for which the Already have a passcode? link should appear has been configured in your adaptive authentication journey.
IAL2 Device Removal Warning
When an end user attempts to remove a IAL2 authenticated device from the Devices tab under My Profile, a warning message is displayed to the user alerting them of the impact of removing the device. This warning is crucial as it ensures uninterrupted access to applications that require higher levels of identity verification.
1.10.13.01
December 14, 2024
New Features
Enabling End Users to Manage Phone Numbers
1Kosmos now enables end-users to add or remove their phone numbers directly through the AdminX interface. This functionality enables end users to make updates to phone numbers on demand and enables them to receive passcodes to new numbers. To allow end-users to link their mobile numbers, community administrators must enable the new Allow users to enroll mobile / landline number setting under Authentication > Multi-factor Authentication > Enroll Phone Number. After enabling this setting, a new Add Phone Number button is displayed under the My Profile tab using which endusers can associate their phone numbers. For more information, see the Viewing My Profile section in Managing My Profile.
Ability to Onboard First Time Login Users through BlockID App
Upon first-time login with a password, users will be prompted to enroll for passwordless access through the BlockID app, allowing them to go passwordless from day one.
Prerequisite: Community administrators must have enabled the new Passwordless Access on BlockID App setting in Initial Sign in MFA Enrollment policy section under the Authentication > Enrollment Preferences tab.
For more information, see Enrollment Preferences Policy.
Generating Onboarding Invite on Behalf of Another User
Community administrators or helpdesk administrators with the user.generate.qr permission can generate a QR code on behalf of another user, enabling them to onboard devices in the user's presence. In addition to the user.generate.qr permission, helpdesk administrators will also need the following permissions to generate the QR code. This option is recommended for scenarios where user onboarding needs to be controlled, requiring users to enroll in the presence of an administrator.
- users.all-users
- users.view-user
- users.edit
For more information, see the Generating Onboarding Invites on Behalf of Another User section in User Management.
Introduced Skip MFA for LDAP Service Accounts in Auth Proxy
With the introduction of the Skip MFA for Service Accounts section in Auth Proxy, community administrators can now specify which service accounts for LDAP can bypass MFA. By specifying the accounts that must skip MFA, community administrators can directly grant access to such accounts with just a username and password. For more information, see Auth Proxy for LDAP Server.
Enhanced the QR Code Design�
The design of the QR code on the following pages has been enhanced for better UX.
- Login Page
- Enrollment on first time login
- Onboarding from My Devices page
- Self-registration
Onboarding Accounts Via Orion Authenticator for Windows
1Kosmos has extended its capability of onboarding accounts on Windows machines through the introduction of the new Orion Authenticator for Windows agent. With this enhancement, Windows end users can themselves seamlessly onboard their relevant accounts and generate passcodes providing a unified behavior for both Windows and Mac users. For more information, see Orion Authenticator.
Introduced New Verification Status in ID Proofing
In certain situations, fraud verification may return a Not Performed result. This generally occurs when the user fails to capture clear, high-quality images. To enhance tracking and provide more accurate verification insights, a new status, Verification Not Performed, has been introduced. This status helps to distinguish cases where fraud verification could not be completed due to poor image quality and also enables businesses to analyze verification trends more effectively. The Verification Not Performed status will appear under the following circumstances:
- When the verification process is partially completed.
- When the front side of the document is processed, but it’s unclear whether there is a backside to the document.
- When the document extraction process fails.
- When an unsupported document is submitted for verification.
For more information, see Verification Journey.
What is Deprecated?
- The Edit Template button in the Preview Invitation section has been removed when sending a passwordless invitation to users.
- The hyperlink with 1Kosmos has been removed from the footer of the login page.
1.10.12
November 8, 2024
New Features
Enhanced the capability for Helpdesk Admins to Unlink a Device
Community and Helpdesk administrators can now use the AdminX interface to unlink a user’s device in cases where the device is lost, the user has accidently uninstalled the BlockID app and is unable to login, or if the user has been offboarded from the organization. Furthermore, a new user.unlink.device permission has been added to the JWT token, which is necessary for Helpdesk administrators to perform the device unlinking. The Delete icon is displayed only if the user.unlink.device permission has been granted to administrators. For more information, see Unlinking User's Devices section in User Management.
Introduced Number Challenge for Push Notification Authentication
To bolster security and protect users from MFA bombing attacks, 1Kosmos has now introduced a new feature: the Number Challenge. This feature adds an extra layer of verification during push notification authentication. For more information, see Enabling Number Challenge section in Passwordless Login.
Filtering Verification Events in ID Proofing
You can now filter verification events for a specific journey using the following new values:
- Authenticator ID
- Device ID
- Mobile Document ID
- Mobile Session ID
Removal of QR code Tab on iOS Devices
On iOS devices, passwordless users will now have to login with username and push notification sent to the BlockID app. Prior to this update, iOS users were shown an option to Login with BlockID. This would open the BlockID app automatically without prompting the user for username. However, this behavior of opening the BlockID app (through a deeplink) is inconsistent across apps like Office 365.
Removal of 1Kosmos Hyperlink from the footer of the Login Page
The @2024 1Kosmos Inc., hyperlink reference has been removed from the footer of the login page from both the User Interface and mobile browsers to prevent end users from reaching out 1Kosmos support.
1.10.10
September 27, 2024
New Features
Display of Device details from Orion Agent on Event Logs
The Adminx interface now shows device information where the Orion agent is installed. Administrators can view these extra metrics in the E_LOGIN_SUCCEEDED and E_LOGIN_FAILED events, which include the following details:
- machine_name
- machine_id
- machine_domain
- machine_os
- machine_os_version
- machine_mac_addr
- agent_version = $version
1.10.09.02
August 30, 2024
New Features
Introduced Orion Authenticator for Mac to Perform MFA
A new Orion Authenticator, a desktop-based agent, has now been introduced for installation on a Mac machine to perform multi-factor authentication. The administrator can deploy this authenticator in organizations with restrictions on mobile device usage allowing for smooth account onboarding and passcode generation for login.
Display of Account OTP on the My Profile page
A new Passcode tab has now been introduced under the Dashboard > My Profile menu of the Dashboard page for the display of account OTP. The display of the OTP in the AdminX interface is intended for situations where users are unable to carry a mobile device or install the BlockID app, which is necessary for generating passcodes to authenticate with VPN applications. The Account OTP shown on the Passcode tab is identical to the Account OTP displayed on the mobile app and is valid for 30 seconds. For more information, see My Profile.
Display of Template ID on SMS Gateway
A new whilelistedTemplateId parameter has been added into the admin APIs that manages the messaging templates such as Onboarding invite, OTP for registration, and so on. The association of template id with the gateway ensures compliance in SMS communications. Specific providers like Sandeshwala & Karix require administrators to populate the template ID to receive the desired content.
1.10.08.01
July 30, 2024
New Features
Enhanced Adaptive Authentication Journey to Support Linux PAM
A new "Linux PAM" adaptive authentication journey has been introduced in the AdminX interface under the "Applications" menu. This feature allows the creation of custom authentication journey for specific groups or users when logging into their Linux servers, offering them a multi-factor authentication experience. By default, the new adaptive auth journey is applicable for all users. For more information, see the Managing Adaptive Authentication Journey for Linux PAM section in the Linux SSH MFA topic.
Introduction of Auth Proxy to Support Radius & LDAP
The go-radius component on the AdminX interface has been renamed to go-authproxy. As it has been renamed, the existing RADIUS configurations will no longer be available on the AdminX interface. Instead, you can use the new Auth Proxy configuration under Applications for RADIUS authentications. The Auth Proxy configuration supports the authentication with Push, Interactive Voice Response (IVR), and passcodes for Windows. For more information, see Auth Proxy for RADIUS Server and Auth Proxy for LDAP Server.
Enhanced User Experience on Login and My Profile Pages
The user experience has now been enhanced by incorporating a skeleton image on both the Login and My Profile pages offering a visual cue that the page is loading faster.
1.10.07
July 5, 2024
New Features
Introduced Enrollment Policies for First-Time Login Users
The introduction of the Enrollment Preferences tab under the Authentication menu in the AdminX interface now allows first-time login users (who does not have their phone numbers in AD or Database) to enroll their mobile or landline number for performing multi factor authentication (MFA) methods such as SMS OTP or voice OTP for the user. This enhancement grants first-time login users the flexibility to input details into their preferred MFA options, eliminating the need for the community administrator to configure them completely and further strengthening their organization’s security posture. For more information, see Enrollment Preferences.
Ability to Login into 1Kosmos Applications Using Aliases Name
The community administrator can now use the Manage Username Aliases button on the Profile Information page of a user to add a maximum of eight username aliases. This ability provides a seamless experience for the user to use the aliases name to login into the following applications and continue using the existing functionality. For more information, see the Managing Aliases section in the User Management topic.
- AdminX
- Linux Credential Provider
- Mac Credential Provider
- Windows Credential Provider
- Radius Applications
- Step-up OIDC
Currently, 1Kosmos supports the usage of aliases as {aliases: {alias1-8}} during SAML/OIDC claim mapping.
Display of Disclaimer Message on AdminX Login Page
The community administrator can now use the new Disclaimer text box on the AdminX interface under Settings > Branding to configure a disclaimer message that needs to be displayed at the bottom of the AdminX sign in page. For more information, see Branding.
Added Reserved Attributes section to BlockID Attributes
A new Reserved Attributes section has been added to Settings > BlockID Attributes page indicating that certain attributes are reserved for specific purposes.
1.10.04
May 9, 2024
New Features
Support multiple hostnames/IP addresses for each LDAP/AD connection
In the current implementation, BlockID supports a single connection string, hostname, or IP address for each LDAP/AD connection. However, if that host becomes unavailable, all authentication requests fail after the response timeout. To address this issue, 1Kosmos has enhanced the system to support multiple hostnames/IP addresses for each LDAP/AD connection, allowing BlockID to failover to another hostname/IP address after a configured period. As part of this update, a new "Failover Support" section has been introduced when establishing a new connection with the directory. In this section, users can specify the ports and hostnames that BlockID should check if the primary host becomes unavailable.
Additionally, users will receive an email notification whenever the status of the hosts changes from active to inactive. The community administrator can use the new setting Hostname status change notifications under the Advanced Configuration tab to specify the user for whom the notification must be sent.
1.10.03
April 25, 2024
New Features
New Report Launch – Admin Role Assignment Report
For audit purposes, 1Kosmos allows community administrators to generate a report of all users with privileged roles like community administrator and help desk administrator. The downloaded CSV report contains a list of all users with a particular role. For more information, see Admin Role Assignment Report.
Detect for Password Expiry at the time of login
AD users attempting to login with BlockID using an expired password will now see an error message “Your password has expired. Please contact your administrator”. Failed login attempts report reason for failure as ‘password expiry’ as opposed to an incorrect password. This enhancement is available when upgraded to the AD broker version 1.08.02.
Detect Password Expiry During Login
Disabled/Locked users AD users attempting to login with BlockID can now see an appropriate error message letting the user know their account was locked/disabled. Failed login attempts report reason for failure as ‘Account Locked / disabled’ as opposed to an incorrect password.
Authentication policies for devices attempting web login
The 1Kosmos health agent is a standalone product that can be deployed on user’s machines transmitting information about the device at the time of a login attempt. This feature allows administrators to define policies based on the machine domain and machine name offering fine grained control to administrators to allow/deny access to users attempting access from certain devices.
Introduced the Fraud detection Panel
When users complete an identity verification request, the 1Kosmos platform runs several checks against the document. In this feature, community administrators are allowed to view which specific check has failed to deem the verification as fraudulent. This gives more visibility and offers options to create an exception mechanism when identity verification fails.
Confidence Score Retention while discarding PII
1Kosmos now enables community administrators to selectively discard PII (Personally Identifiable Information) according to their preferences. With this enhancement, all PII linked to a user is removed, while the confidence scores for the verification journey are retained. A new <summary> object within the session result now stores the confidence scores for all verification checks.
Introduced ID Verification Session Metrics
The new analytics page displays the count of verification session completed, passed and all sessions generated. A time-series graph is also available to show the trend of verifications within the community over 90 days (about 3 months).
Reduced time taken to complete verification
Significant performance optimizations have been made to reduce the overall time required to submit images and receive a verification result.
1.10.01
March 1, 2024
New Features
- 1Kosmos now allows you to configure a third-party Identity provider like Ping, Okta, Azure or ADFS as an Identity Provider for a certain group of users based on a routing policy. To configure an external Identity Provider
- Setup 1Kosmos as a SAML Service Provider with the Identity Provider
- Create a new Identity Provider configuration within 1Kosmos control plane.
- Upload the federation metadata file from the IDP (Ping, Okta etc.) on 1Kosmos.
- Setup up users by either creating new users within the IDP user store or connecting to an existing directory.
- Setup a routing policy that defines which users must authenticate with the IDP.
The following new features have been added:
- Manage a new IDP: Create or edit the configuration of a new external IDP.
- Delete an External IDP: Deleting an IDP will result in deleting the configuration as well as any users that have been created in the external IDP User Store
- Create new users in the IDP user store: The control plane offers a dedicated user store to create users who can be authorized to login with the IDP.
- Manage routing policy: Setup a policy based on usernames matches, groups or route all user created in the IDP User store to login with an external IDP.
- Login experience: When the user provides their username, the adaptive auth engine evaluates the provided user based on conditions. If matched, the user is redirected to the IDP SSO URL for authentication.
Enhancements
- Users with
userAccountControl 1049088(Enabled and Not Delegated) &userAccountControl 520 (HOMEDIR_REQUIRED and NORMAL_ACCOUNT)status are now recognized as active users are allowed to authenticate with our platform.
Bug fixes
- Session storage handling: We have addressed a bug that caused the website to not render when local storage is restricted.
1.10.00
February 10, 2024
New Features
- For tenants that subscribe to our web Identity wallet, we now support enrollment of ID cards from any country and document. Expired ID cards cannot be enrolled into the web wallet. When enrolled, users can view the details of the document enrolled.
- In Email Templates, as part of the Self invitation for Passwordless onboarding, we now support
{{Lastname}}as a variable allowing for personalization. Previously supported variables includedFirstName,Tenant NameandCommunity Name. - We are switching to the font Work Sans from our previously used Adobe Font. Adobe fonts are typically hosted on the cloud and require some of our customers to whitelist the Adobe font. To avoid cumbersome processes, we chose to shift to a font that is hosted within our CDN.
1.09.16
January 27, 2024
New Features
- Adaptive Auth Journeys allows administrators to build authentication journeys around the conditions mentioned below. When user matches against a policy, the appropriate authentication policies specified by the administrator are presented as options to the user.
| Condition | Operator | Values |
|---|---|---|
| IP Address | is in the range of | Accepts an array of CIDR values |
| IP Address | is outside the range of | Accepts array of CIDR values & range |
| Groups | is one of | Specify the full DN of the Group. Allows for multiple values |
| Applications | is one of | Select applications (SAML/OIDC/Admin Control Plane) to apply policies to |
| Username | is one of | Accepts an array of usernames |
Adaptive Auth accepts the following decisions as outcomes:
| Decision | Outcome |
|---|---|
| Deny Access | Denies access when user matches against a policy |
| Just Password | Requires the user to only provide a password to login |
| Push Notification | Approve sign-ins via push notification sent to the BlockID App |
| FIDO | Use Windows Hello, Mac TouchID or your security key to login |
| BlockID app Codes | Enter the 6-digit code generated by the BlockID app |
| Hardware Token OTP | Provide username and enter a 6-digit code generated from hardware token |
| Password & any OTP | Provide password and use passcodes generated through any channel. |
| Password & Web OTP | Provide password and use passcodes generated through Email, SMS, Voice, BlockID App, generated through API’s and hardware token. |
| Password & SMS OTP | Users are required to provide password and enter a code delivered to their registered phone number via text |
| Password & Email OTP | Users are required to provide password and enter a code delivered to their registered email address |
| Password & Voice OTP | Users are required to provide password and enter a code delivered to their registered phone number via voice call |
| Password & Push Notification | Users are required to provide their password and approve sign-ins via push notification sent to the BlockID App |
| Password & FIDO | Users are required to provide their password and enrolled FIDO Device -- Windows Hello, Mac TouchID or your security key to login |
| Password & BlockID App Codes | Users are required to provide their password and enter the 6-digit code generated by the BlockID app |
| Password & Hardware OTP Codes | Users are required to provide their password and code from their Hardware token. |
- If users cannot be matched against an authentication policy, then the default policy’s authentication methods will be presented to the user.
- If user matches multiple authentication journeys, then all authentication methods of the journeys will be presented to the user.
- However, if user matches against a journey that contains a denied access along with other authentication methods, then the user is automatically denied access.
- Every time the user lands on the AdminX login page, if machine information is available (through the health agent), a new .wellknown endpoint has been introduced to allow collecting the machine information.
- The
E_LOGIN_SUCCEEDEDevent now contain a list of all facts evaluated at the time of authentication.
Enhancements
- Resolved an issue on IE which did not allow the Help Button to render on the login page.
1.09.15
January 13, 2024
New Features
- A new event
E_ROLE_CHANGEDhas been introduced to capture an audit log anytime a user’s role has been elevated or downgraded.
Enhancements
- Minor updates to the
license.jsonfile produced by the Directory broker to include the tenant DNS.
1.09.14
December 9, 2023
Enhancements & Bug Fixes
- The analytics dashboard can provide a report that allows downloading the Unique users logging into the 1Kosmos. Hover over the Unique users count on the analytics dashboard to download the report.
- We now allow customization of messaging templates used at the time of sending emails/text for different purposes. Email and SMS templates include User onboarding, Email verification, delivering passcodes and more.
1.09.14.01
December 7, 2023
Enhancements & Bug Fixes
- As a preventative measure to enhance security, the control plane now blocks the injection of malicious scripts into email templates, reducing the risk of XSS attacks.
POST/users/findAPI has been restricted to present a maximum of 2 users in order to prevent over exposure of data.- The
escapeXSSfunction has been upgraded with stricter measures to prevent any malicious attempts of XSS injection when accessing messaging templates for onboarding or delivering passcodes to users.
1.09.13
October 19, 2023
New Features
User Lockout
-
Community Administrators and Help Desk Administrators now have the ability to lock a user indefinitely or for a defined period. Locked users cannot authenticate into AdminX or web applications using passwords or passwordless means.
-
Community Administrators and Help Desk Administrators can also unlock a locked user. The affected user will be unlocked immediately.
RADIUS Server Configuration
-
Administrators can now manage their RADIUS server configuration within AdminX to define which of the following authentication methods are allowed:
- Login with Push
- Login with Password & OTP
- Login with OTP & Password
- Login with OTP
-
The RADIUS Server is available for Windows, Linux, and Darwin as a command-line tool. The RADIUS Server comes preconfigured with the appropriate license keys and community ID for your tenant.
Enhancements & Bug Fixes
UX Enhancements
- Updated UX during the onboarding of authenticators from the user profile
Request User Invites to a Secondary Email
- Ability to request user invites to a secondary email
User Authorizations from User Token
- Get user authorizations from the user token instead of making additional API calls after receiving the token
1.09.12
Sept 21, 2023
New Features
New SMS Gateway
- Introduced support for a new provider, Coalesce, to send text messages when delivering OTPs or invites for passwordless onboarding.
Login with Codes from OneSpan Hardware Tokens
Introduced support to configure OneSpan Server within the AdminX control plane.
- Administrators can choose whether or not to allow OneSpan authentication tokens as a login method for their tenant, as well as test their OneSpan server configuration.
Manage Session Time for AdminX
- Introduced support to manage the AdminX session time from within the control plane.
Enhancements & Bug Fixes
IdP Signing Certificate Key Size and Algorithm
- When an IDP certificate is uploaded, the key size and algorithm from the signing certificate will be used to sign the SAML response.
Invalid OTP Error on Correct OTP Entry
- Fixed an error for Internet Explorer 11 where the login page was caching
GETrequests, resulting in AdminX being unable to decode the request and rejecting the authentication.
Number of Devices Linked to an Account
- Bug fix to address the recorded number of devices linked to an account.
Additional SMS Provider Attributes for Gupshup
- Added support for two additional attributes when configuring Gupshup as an SMS Provider.
Documentation Updates
1.09.11.01
Sept 7, 2023
New Features
Enable or Disable FIDO Logins
Community Administrators can now enable or disable FIDO logins for all users within their community.
- Admins can choose whether or not to allow end users to enroll security keys or platform authenticators such as Mac TouchID or Windows Hello.
Allowed Security Keys
Community Administrators can bring in their desired brand of security keys for FIDO logins.
-
Administrators can upload the metadata file of the security key through AdminX.
-
When the metadata is successfully uploaded and enabled, end users can enroll keys from the added brand and use them at the time of authentication.
Reset Password on Next Login
Enforce password resets through the web for Active Directory users mandated to change their password on the next login.
-
Users are required to provide their current password and new password to reset the password.
-
To complete login, users will be prompted to enter an OTP, which can be sent via phone or email.
Enhancements & Bug Fixes
Support for Generating SHA1 & SHA256 Certificates
Introduced the ability to generate SHA1 & SHA256 self-signed certificates.
- A bug fix was made that addresses an issue of determining the value of the signing algorithm from the uploaded certificate.
Salesforce One Click Onboarding using SAML
-
Updated our parameters to be XML-parser friendly
-
Updated to the latest version of the Salesforce SOAP API.
Error Codes on Login Page
- Resolved an issue that caused error codes
A00006&A00008to appear on the login page. These error codes are shown when API failure occurs at the time of rendering the login page.
Documentation Updates
1.09.10.01
August 31, 2023
Enhancements & Bug Fixes
Device Onboarding Access Code
Bug fix to improve the security around the access code that is sent to the user for onboarding their device for passwordless logins.
Documentation Updates
1.09.10
August 17, 2023
New Features
Added Support for Gupshup Gateway
Added support for Gupshup gateway to send text messages to users.
Enhancements & Bug Fixes
Login Page Refresh Button
The QR code on the login page displays a Refresh button after 5 min of inactivity.
- We fixed a bug that allows the QR code to render appropriately on a Cisco AnyConnect embedded browser.
Last Login Report New Metrics��
The Last Login Report now displays a new metric that shows the number of active users per directory.
- Users marked as active have had at least one authentication using 1Kosmos in the last 30 days.
Logging Improvements
Fixed logging to ensure the journey ID and request ID are consistently available for internal troubleshooting.
Increased Caching
Widespread use of caching to improve API throughput
1.09.09
July 27, 2023
New Features
New Passwordless Login Options
Passwordless Login options have been updated in AdminX to allow Administrators to set their own policies regarding device onboarding.
- Administrators can define how many devices a single user can onboard for passwordless authentication. When a user attempts to enroll a device after the maximum allowed has been reached, Administrators can set whether to:
- allow the new device while also deleting the oldest linked device
- reject the new device
Disable Passwordless Login Options
If your enterprise is not ready for passwordless logins, Administrators can disable passwordless login options.
- When passwordless login is disabled, users are no longer presented with passwordless login options.
QR Code Refresh When Idle on Login Page
Previously, QR codes on the login page are automatically refreshed every 60 seconds. We have updated our logic to stop refreshing QR codes after users have been idle for five minutes or longer.
-After five minutes have passed, users will see a Refresh button that users must click to manually refresh the QR code. When manually refreshed, a new QR code appears, and the user can scan the QR code to log in.
API Failure on Login Page
When required APIs failed to load on the AdminX login page, end users previously saw a loading message despite the page no longer loading. We have updated our interface to display a refresh button that can be clicked to refresh the page.
- Error codes are now displayed on the page to help troubleshoot the reason for failure.
Enhancements
Updated Helpdesk Administrator Permissions
Helpdesk Administrators now have additional permissions that allow them to download reports.
Updated Infobip SMS Gateway Integration
SMS Gateway Settings have been updated for Infobip to support an additional parameter, smstemplateid, to define which template should be used on Infobip.
Last Login Report Login Time
The Last Login Report now displays the time a user last logged in, using the local time zone of the browser.
Improved Page Designs
We have improved the design of the following pages:
- Updated the design for the Active Directory - Advanced Configuration tab to clearly delineate between the different configuration options that can be managed.
- Updated the design for Multi-factor Authentication to include all options for enabling or disabling login using one-time-passcodes.
- A new Passwordless Login page has been introduced to manage the configuration options for using Passwordless Login with the BlockID Mobile App.
- Configuration options include device onboarding methods, fallback authentication options, and device linking preferences.
Documentation Updates
- AD Broker
- Multi-Factor Authentication
- Passwordless Login
- Last Login Report
- Gateway Settings
- User Management
1.09.08
June 29, 2023
New Features
Twillio Support for Voice Gateways
Administrators can leverage Twillio to configure their SMS and Voice gateways.
- The configured Voice gateway will deliver spoken one-time passcodes to users through a voice phone call.
Last Login report
Administrators can now view a report that combines information about all users in a directory, including their last login date.
- This report allows administrators to deduce which users have been inactive over 30, 60 or 90 days.
Windows Broker X-509 Certificates
The new Windows broker for Active Directory makes deployment of BlockID Workstation Login faster than ever by eliminating the need for additional NDES infrastructure within the enterprise.
- The Windows Broker can issue X-509 certificates for the user at the time of enrollment. These certificates are stored on the user's device and are presented by the user (from the BlockID mobile app) when using passwordless login to a Windows workstation.
- The Windows broker can easily be setup and managed through the AdminX control plane.
Enhancements & Bug Fixes
Login Page Adjustments for Embedded Browsers
We adjusted the login page to display the QR code without having to scroll to view the entire QR code block. This feature was tested on Zscaler to ensure optimal viewing of the displayed QR code.
Internal DB Prevented from Allowing Changes to Password Policy
Fixed a bug that prevented our internal DB from allowing changes to password policy.
Certain Devices Prevented from Completing Phone Verification
Fixed a bug that prevented users from certain devices (Pixel 6) from completing phone verification.
Documentation Updates
1.09.07
June 22, 2023
New Features
Support for Login Passcode through Voice
Administrators now have the ability to enable users to receive one-time passcodes through a phone call.
- When enabled, users will see a prompt to receive a phone call through which the one-time passcode is read outloud to the user.
1.09.06
June 8, 2023
New Features
Introducing the Windows Broker
Administrators can now deploy the Windows broker for Active Directory on-premise. This edge component allows the 1Kosmos platform to connect with a customer's Active Directory instance so that users can be fetched.
- The component is designed to be a long running Windows service and can be managed from the control plane.
Enhancements
Edit OIDC applications
Administrators can now modify OIDC applications that were previously created.
- The application can be modified with a new logo, addition, removal of scopes, redirect URLs and more
1.09.05
June 1, 2023
New Features
Broker Log File Settings
The Windows and Linux brokers deployed on-premise allow for the 1Kosmos platform to fetch and authenticate users in Active Directory. The brokers produce log files that capture detailed information on all activities that occur.
- The control plane now provides settings that allow for fine grained control of the following values:
- Broker Log File Size: Maximum size a log file can grow to before it rotates to a new file. Default value is set to 10MB.
- Broker Log File Rotation Count: Maximum number of log files that should be retained in the logs directory. When the count is reached, and a new log file needs to be created, the oldest log file in the directory will be deleted. Default value is set to 10
Track Off-Boarded Devices
AdminX now produces events when a user removes their device as an authenticator.
- The E_DEVICE_DELINKED event is created when a user removes their device from their Profile page or from the mobile app.
Documentation Updates
1.09.04
May 18, 2023
New Features
Unenroll Documents from Identity Wallet
Users can now remove/unenroll identity documents (driver's license, passport and social security number) from their identity wallet.
-
Once removed, data from the document is no longer available and cannot be retrieved.
-
The user's Identity Assurance Level (IAL)will be recalculated when of the user removes a document. The IAL will most likely reduce to IAL1 if the the user has removed the documents that were used to achieve IAL2.
Self-Service Passwordless Onboarding from User Profile
Administrators can now enable or disable the ability for end users to pair their devices as authenticators from the My Profile page.
- When enabled, end users will authenticate into the 1Kosmos portal and be allowed to onboard a new device.
Enhancements & Bug Fixes
Customize Footer Color on Login Page
Our login page branding settings now allows administrators to customize the footer color on their login page.
Documentation Updates
1.09.03
May 11, 2023
New Features
Help Button Added to Login Page
Administrators can now add a help button on the login page to present phone numbers, FAQ's or troubleshooting tips at the time of login.
- Help content is authorable using HTML templates available as part of branding settings.
Account lockout for Incorrect OTP Attempts
Administrators can configure the number of incorrect one-time passcodes that can be entered before an account is locked.
- When locked, users are unable to login using any login method for a configurable amount of time in minutes.
- After the lockout time has expired the user account is automatically unlocked.
Enhancements & Bug Fixes
Report Downloads Bug Fixes
Removed links to expired reports on the Report Downloads page.
Safari Support for Phone Number Verification
Enhancements were made to ensure users can verify their phone number on the Safari browser when creating an account.
Analytics Dashboard Improvements
Improved the Analytics Dashboard devices view to show more detail.
- Clicking on the New Devices graph now shows a summary of all new devices enrolled.
Added New Items to Events Dashboard
Added new events to capture a summary of reports requested (E_REPORT_REQUESTED) and reports generated (E_REPORT_GENERATED) by administrators.
Documentation Updates
1.09.02
April 13, 2023
New Features
Passwordless Onboarding Configurability
Community administrators can now allow or disallow users to self-onboard using the Request an Invite self-service page.
- When enabled, it allows end users to receive an email to self-onboard their mobile device for passwordless authentication.
- When disabled, it prevents end users from being able to self-onboard a mobile device for passwordless authentication.
- Administrators can manage user device enrollment in scenarios needing controlled onboarding.
Trigger Identity Verification Flow using OIDC
OIDC clients can trigger an identity verification flow by including the /assurance/ial/2 custom scope.
- When this scope is included in the OIDC request, the platform is configured to check if the user is verified to Identity Assurance Level 2 (IAL2).
- If the user is not verified to IAL2, including the scope will trigger an identity verification flow.
- At the end of the identity verification flow, the OIDC client receives the user's Identity Assurance Level (IAL) to take action on.
Enhancements & Bug Fixes
Identity Wallet Improvements
End users can use the identity wallet on their profile page to enroll new documents.
- We have improved page load times to allow for uploading documents on a need-to basis.
Form Submission Errors
We resolved errors during form submissions when blank spaces were included in form entries.
Documentation Updates
1.09.01
March 23, 2023
New Features
Analytics Dashboard
Community administrators can now see a summarized report of their usage across the community to view the following data:
- Counts:
- Successful Logins: Number of successful logins across all users for any authentication method
- Unique Logins: Number of active users with at least one login to an application
- Devices Enrolled: Number of new devices enrolled by users
- Failed Logins: Number of failed login attempts by all users
- Visualization:
- Successful Authentications: Hour/Day breakdown of successful authentications, organized by authentication methods
- Devices Enrolled: Hour/Day breakdown of devices enrolled for passwordless login
- Applications Usage: percentage breakdown of logins to applications
- Failed Logins: percentage breakdown of reasons login attempts failed
Reports download
We now support downloading reports as CSV files for all Login Activity Reports and Event Logs.
- All downloaded reports can be viewed within the Report Downloads section of the admin panel.
- Downloaded reports will remain in a pending state until all the records have been compiled. Once ready, the administrator who initiated the request receives an email containing the link to download the report.
- All report download links are available for a period of 7 days.
Enhancements & Bug Fixes
Email Notifications for Broker Disconnects
Administrators can now receive email notifications when AD or LDAP brokers have disconnected from the tenant.
- BlockID relies on an active connection with Active Directory brokers to fetch and authenticate users. When one or more brokers are experiencing interruptions, administrators can receive email alerts to review the health of the on premise broker
Documentation Updates
1.09.00
February 27, 2023
New Features
Step-up with Trusted One Time Passcodes (TOTP)
Authentication policies now support a decision to Step-up with Trusted One Time Passcodes (TOTP) using the BlockID Mobile App.
- Administrators can enable this feature by user geolocation or IP address
- Review which users performed Step Up with TOTP authentication using the Login Activity Report page in AdminX
Enhancements & Bug Fixes
Password Reset Events
Administrators can initiate password resets from the AdminX login page, or through the BlockID Mobile Application.
- Password Reset events will be captured and are available to audit using the User Events Dashboard in AdminX.
- E_PWDRESET_SUCCEEDED: This event is captured any time a user successfully resets their password.
- E_PWDRESET_FAILED: This event is captured any time a user fails to reset their password. Possible reasons for failure are also captured on the event.
Worldwide Support for Geolocation Authentication Rules
Geolocation Authentication Rules have been updated to support all countries worldwide.
1.08.00
February 02, 2023
Early Access Features
Geolocation Authentication Rules
Administrators can define authentication policies for their users based on geolocation. User geolocation data from the AdminX landing page will determine the type of authentication policy to be applied for the user.
- Depending on the location of the user, access can be denied, allowed with all available MFA options, or can be restricted to only allow login with our most secure method: LiveID
- Administrators can set multiple geolocation rules at the same time
- We currently support geolocation-based authentication policies for users in USA and India. In an upcoming release, we will expand our service to support this feature for users from other countries.
New Features
Access Denied Reports
Access-denied reports are now available in the Reports section in AdminX.
- The Access Denied report will show IP addresses and location data for denied users, as determined by the current authentication policies set for your tenant.
Enhancements & Bug Fixes
Administrator and User Event Log Reporting Service
We have improved how we log administrator and user events.
- Updated reporting service to ensure no service interruption will occur in the event an error is encountered while generating events
- Improved logging to report any errors encountered while generating events
Documentation Updates
1.07.06.01
January 05, 2023
New Features
Configurable Login Option for OTP Authentication
Administrators can enable or disable One-Time Passcode (OTP) authentication based on their authentication policies.
- When disabled, users can no longer request an OTP to their email or text or login using OTP
- When enabled, tenant administrators can define which channels (email, SMS, or both) an OTP can be sent
Trigger IAL2 Verification using OAuth2/OIDC
Relying parties can trigger an IAL2 verification flow using custom claims with OAuth2/OIDC.
- Passing
ial2as anacrvalue on an OIDC claim will trigger a special authentication journey for users to upload and verify their identity documents online, resulting in IAL2 verification
Administrator Activity Event Logs
Activities performed by tenant and community administrators within BlockID are logged and are available for audit in the Reports section in AdminX. The following new events have been added:
- E_DIRECTORY_ADDED
- E_DIRECTORY_MODIFIED
- E_DIRECTORY_REMOVED
- E_DIRECTORY_BROKER_ENABLED
- E_DIRECTORY_BROKER_DISABLED
- E_DIRECTORY_BROKER_DELETED
- E_DIRECTORY_BROKER_MODIFIED
- E_DIRECTORY_ATTRIBUTE_MODIFIED
- E_DIRECTORY_ATTRIBUTE_DELETED
- E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED
- E_IDP_CONFIGURATION_MODIFIED
Enhancements & Bug Fixes
SMS Gateway Configuration Update
The SMS gateway configuration page has been updated in AdminX.
- the
Sender Namefield has been updated to support alphanumeric values, allowing administrators to define their enterprise as a sender name to avoid having users assume the message is spam - During new account creation, we verify if an account already exists with the provided email before allowing users to begin the email verification process. If an existing email account is found using the email, users are encouraged to sign-in
Documentation Updates
1.07.04, 1.07.05
December 16, 2022
Early Access Features
IP Address Rules
Administrators can define and manage policies that allow user access based on their IP Address.
Password Reset
Administrators can allow their users to reset their account password from the BlockID Mobile App by enabling configuration settings in AdminX. Enabling the configuration settings in AdminX allows users from both the Internal user store and Active Directory to reset their password using the BlockID Mobile App.
- On the BlockID Mobile Application, click on Reset Password from the menu. Provide a new password and confirm with TouchID/FaceID to complete the request.
- An upgrade to the latest version of the AD broker and the BlockID Mobile App is required for this feature to function seamlessly.
Login Activity Report
A new Login Activity Report is available in the Reports section in AdminX, which displays a list of all applications that users within your community logged into, and the 2FA method used. 2FA methods include:
- Password-based methods, such as Username + Password + OTP (email or SMS)
- Passwordless methods, such as FIDO, QR Login using BlockID Mobile App, and Push Notification login using BlockID Mobile App
- Kerberos login
- Step-up authentication using LiveID
Enhancements & Bug Fixes
Security Upgrades
We implemented the following upgrades to address some security exposure to our platforms:
- We fixed an issue that would have allowed a user of our system to identify the underlying technology stack we are using. This could have been used to create an attack vector against our platform.
- We obfuscated all references to a user's email or phone number in any authenticated API query on the platform.
- We have locked down a possible attack vector in which a malicious user could have submitted a script to expose some user information.
Documentation Updates
1.07.03, 1.07.04
November 17, 2022
Early Access Features
Primary Authentication Factors for BlockID Mobile App
Administrators can choose which authentication factor must be supported at the time of authentication. Choose between biometrics and PIN-based options to strengthen the approval of authentication:
-
Touch ID / Face ID: Prompts users to provide their TouchID/FaceID when approving an authentication request from the BlockID mobile app.
-
PIN: Prompts users to provide their PIN when approving an authentication request.
-
LiveID: Prompts users to provide LiveID (live gestures) to approve an authentication request.
Fallback Authentication Factors for BlockID Mobile App
In scenarios where users are attempting to approve authentications from devices that do not support LiveID or TouchID/FaceID, then a fallback authentication mechanism can be enabled to allow alternate means of authentication.
Web SDK for Step-Up Authentication
Third-party websites can leverage the 1Kosmos Web SDK to trigger OIDC-based step-up authentication. The login handler is separated into two parts. The website takes care of first-factor authentication using a username and password combination. A redirect to 1Kosmos Authorization renders an iframe to provide options to trigger second-factor using Email OTP, SMS OTP, or LiveID. The iframe presents login options depending on the incoming request using acr claims.
New Features
Assign Roles to Users
Every user within the community can be assigned a role within BlockID. Their roles determine their permissions within the system. We currently support three roles:
-
Basic User: By default, all users within BlockID have Basic User privileges. This allows them to view their profile information, manage their devices, enroll identity documents, and view their invites.
-
Community Administrator: A community administrator has the highest privileges available and can manage all community operations.
-
Help Desk Admin (new): Help Desk Admin is a new global role that we have introduced within AdminX. Help Desk Admin roles are ideal for users who need to have insight into the activity of a community. The Help Desk Admin role is also useful when troubleshooting user-onboarding errors.
Community Administrator access for BlockID Using Corporate Credentials
As a community administrator on BlockID, you will no longer be required to have a separate account to manage your preferences. Users from AD, LDAP & Azure AD can be promoted to community administrators.
Enhancements & Bug Fixes
AAMVA Failure Error Handling
In scenarios where a response from AAMVA times out during identity verification, we silently handle the error response and allow the end user to proceed to the next step.
Driver's License Enrollment after AAMVA Verification Failure
Bug fixes allow a user's Driver's License to be enrolled to their Identity wallet even if AAMVA verification fails.
Documentation Updates
1.07.02, 1.07.03.02
October 20, 2022
Early Access Features
Verify your identity with passport
The 1Kosmos Identity wallet now allows enrollment of a US Passport. Users can receive a text message on their verified mobile number to scan their passport. A selfie must be provided to verify their face and acts as proof of possession at the time of enrollment. When complete, the user's passport is enrolled within their wallet. For IAL2 credentialing, the user needs to be taken through an additional step of verifying their SSN.
Passport Attributes
The 1Kosmos platform allows the Credential Service Provider to request attributes from the User's passport through SAML or OIDC based workflows. Users are required to consent to information sharing so the attributes can be shared with a relying party.
New Features
Forgot Password
End users can now reset their password if they have forgotten their account password. Citizens start by receiving a magic link to their verified email address. On clicking the magic link, users automatically receive a one time code sent to their verified phone number. Enter the one time password and a new password. Passwords need to meet the password policy defined by the administrator.
Save and Retrieve Consent
Any time a user's information is shared with a Service Provider, the 1Kosmos platform records consent of the user to remember the application and attributes shared with the application. The platform leverages the consent record at the time of sign-in to prove that the user has previously provided consent. If a user has previously consented to share information, they will no longer be prompted for consent when signing in.
Enhancements
Authentication Methods
Our sessions now capture the authentication methods used by the user to login to the session. The JWT supports the following methods: password, otp, uwl, fido, phone_verified, email verified.
AAL Capture
Authentication methods from the session token helps the platform determine the Authenticator Assurance Level. Service Providers can request the AAL of the user through SAML/OIDC.
1.07.01, 1.07.00
September 12, 2022
Early Access Features
IP address based authentication
Allows for administrators to restrict authentication requests within their enterprise
- Allowed IPs list: Enter individual or a range of IPs from which authentication is allowed. All IPs outside of this will be denied access.
- Restricted IPs list: Enter individual or a range of IPs from which authentication must be denied. All other IPs will be allowed access.
- To avoid any conflicts due to IP address ranges, the administrator portal only allows for one of the two rules to be active at run time.
Access denied reports
Reports now show a list of all IPs that have been denied access within Reports > IPs denied access. Event details provide more information on the origination of the access request like user agent, IP Address and time of access.
Enhancements
AD & LDAP integrations now support LDAP Query Filtering
Admins can enter a regex expression to filters users within the directory. Only users who meet the criteria will be displayed within the Users tab on Admin portal and can authenticate into enterprise applications.
New LDAP filters added to Reports
The following list of filters can now be used to delimit specific LDAP queries:
E_PUSH_REQUESTEDE_OTP GENERATEDE_OTP_VERIFIEDE_OTP_REQUESTEDE_USER_CONSENT
Deprecated Features
Enrollment of ID documents by attributes request
Enrollment of GovID documents (Driver's License and SSN) will no longer be triggered based on attributes requested. Instead enrollment will be supported based on Authn Context of the incoming request.
1.07.00, 1.06.05
August 18, 2022
New Features
Session revalidation logic added for enhanced security
Session revalidation logic was added to ensure that the current application session remains valid for active users that close and re-open their browser window. If a user closes their browser window and reopens again, we check if the user is still active (not locked or disabled) and that each session is still valid.
User URN Identifier
We have introduced user URNs to uniquely identify users across multiple tenants, communities, and respective directories.
Early Access Features
When Kerberos is enabled on BlockID, the Active Directory broker becomes an intelligent identity gateway that allows users to authenticate to all web apps when they are on a domain-joined machine within the corporate network without providing a username or password. After initial domain sign on through Winlogon, Kerberos manages the credentials throughout the Active Directory forest whenever access to resources is attempted.
Multi Community Support for Kerberos Single Sign On
Separate communities within the tenant can have Kerberos enabled to support a different Active Directory instance each. This ensures that users across different AD Domains can login seamlessly.
Kerberos Settings for BlockID Credential Provider
When the BlockID Credential Provider is deployed to the workstation, it ensures that AD users login to their workstation using the BlockID mobile app. When paired with Kerberos, it ensures that all web apps within the enterprise will no longer require a username and password. Users are automatically signed into all their apps from the time they passwordless sign in to their workstation.
Enhancements
Performance improvements for BlockID Login pages
Performance improvements were made to the login page to ensure that the software stops polling when the user switches to the "Login with Username" tab.
Signing certificate format verification
When a Signing Certificate is uploaded to the Service Provider Configuration, we will validate for .pem format as well as the presence of headers within the certificate.
Session expiration message removed when forced authentication is enabled
Enabling forced authentication will terminate the user's session silently without displaying the message, "Your session has expired."
Fixes
AD Broker version information added to download page
The Active Directory Broker now displays the version of the broker that the user is downloading. This helps admins decipher which version they are currently running and helps ensure all brokers are running the same version.
Deprecated Features
Removed encryption information from Service Providers App Configuration
The App configuration for Service Providers on AdminX will not require an Encryption Certificate and Encryption Algorithm.
Documentation Updates
1.06.05, 1.06.05.01, 1.06.04.02
July 23, 2022
New Features
Azure AD user stores
We have added support for connecting to Azure AD as a user store
Phone number verification
User phone numbers are now required to be verified during enrollment.
FIDO authentication during enrollment
Users can now setup FIDO authentication during enrollment.
Early Access Features
OIDC application support
OIDC/OAuth applications are now supported for creating SSO flows in web applications, choosing scopes to be verified, and using information from the Authorization Provider to configure the relying party
Version Changes for Underlying Components
NodeJS framework updated
Upgraded NodeJS from version 12.20.1 to version 16.15.0 LTS
Fixes, Limitations and Known Issues
IdP metadata rendering
Fixed an issue that prevented the rendering of the IdP metadata URL
Documentation Updates
1.06.03.05, 1.06.04.02
June 22, 2022
New Features
Customizable username field on login pages
Tenant and community administrators can now configure the text that appears against the username field on the login page to allow for any desired label, such as a username or corporate ID
Specify primary login method
Tenant and community administrators can now configure which default login screen users land on - QR code for passwordless login, or a username and password
1.06.03.03, 1.06.04.01
June 16, 2022
Enhancements
Load time performance improvements
- Community information will be cached for 10 minutes
- Polling behavior for login page modified to ensure polling thread sleeps for 1 second between polls
1.06.03.02
June 15, 2022
Fixes, Limitations and Known Issues
- The
Force Authnflag used during SAML interactions now forces re-authentication when enabled
1.06.04
May 26, 2022
New Features
Session handling logic for session invalidation
Added logic for handling proper session invalidation and purging of user attributes after user logs out
Introduced a new web-based identity proofing journey to verify your users identities:
-
Allow users to self-enroll and create an account to perform their identity verification on a tenant
-
Allow users to create a new identity wallet after registration
-
Ability to view identity documents connected to user profile
-
Ability to trigger text messages to user to scan a GovID
-
Ability to enroll a driver's license as an identity document
-
Ability to validate driver's license against AAMVA
-
Ability to enroll SSN in Identity wallet
-
Ability to validate SSN against nationalized database
-
Introduced triangulation logic to ensure Driver's License & Social Security Number belongs to the same user
-
Ability to present data sharing & consent screens to show the specific attributes requested from the user
-
Ability to trigger proofing journeys based on incoming requests from a relying party
-
Introduced a new set of attributes in SAML applications for sharing identity documents data
Documentation Updates
- 1Kosmos Identity Proofing Journey
- Create your Account
- Access your Identity Profile
- Verify your Identity Documents
- Data Sharing & Consent
1.06.03
April 14, 2022
New Features
Passwordless login for mac and windows
Support for Passwordless Login for Mac & Windows Workstations to Active Directory by introducing Smart Card Certificates enrollment
New Active Directory configuration settings:
- Allow Active Directory users to turn on/off passwordless sign-in to your workstation using the BlockID mobile app.
- Allow Active Directory users to turn on/off SCEP Configuration for the AD Broker
Documentation Updates
- Workstation Login for MacOS
- Workstation Login for Windows
- SCEP Configuration for Active Directory Authentication Broker
1.06.02
March 17, 2022
New Features
Super admin role added to every tenant:
- Super admins within a tenant can enable Self Registration for Customer/Citizen Product lines
Documentation Updates
1.06.00, 1.06.01
Feb 24, 2022
New Features
Preferred user stores
Administrators can define which directory their users need to be discovered from. We allow up to three directories to be available in AdminX product for use as your preferred user stores
IPFS image store
Every community is provided an IPFS location to store their images. We are able to support scenarios where community admins can upload images into their email templates while onboarding users, as well as when images are required on the login page
IdP metadata download
Enabled support to download SAML metadata of your configured IdP and also provided a dedicated URL to access the metadata
Auto-generate signing and encryption certificates
Ability to auto-generate signing and encryption certificates for your SAML IdP (these are self-signed certificates and are recommended for use in lower environments only)
Signing algorithm support for SAML certificates
Ability to support RSA-SHA1 & RSA-SHA256 signing algorithms for SAML certificates
Documentation Updates
1.05.01.01
Jan 24, 2022
Enhancements
Customize user invite expiration time
When a user requests an invite for passwordless login, the community administrator can set the invitation expiration time
1.05.01
January 6, 2022
New Features
HTTP POST support for SAML integration
Enhanced application integration capability to support SAML using HTTP-POST
Integration of Office 365 using HTTP-POST
End-to-end testing to support the integration of Office 365 using HTTP-POST flow. SSO can be supported successfully on Office 365 Desktop Client for PC & Mac and Native O365 app for Android & iOS.
Email & SMS gateway management
- Introduced capability to manage email & SMS gateways
- Ability for administrators to configure SMTP gateways for sending outgoing emails
- Ability for administrators to configure SMS gateways (Karix, Twillio & Infobip) for sending outgoing text messages
- Ability to configure backup gateways to round-robin between providers
Early Access Features
FIDO2 Registration Support
- Introduced capability to support registration using FIDO authenticators
- Ability to rename a FIDO Key
- Ability to register multiple security keys & platform authenticators (device biometrics)
- Ability to unlink a FIDO key
FIDO2 Authentication Support
- Introduced capability to authenticate using FIDO authenticators
- End-to-end testing to support login using Windows Hello on Edge, Chrome, Firefox
- End-to-end testing to support login using Mac TouchID on Edge, Chrome & Safari
- End-to-end testing to support login using Security Keys on Edge, Chrome, Safari & Firefox (Windows only)
- Ability to SSO into downstream applications using FIDO keys
Fixes, Limitations and Known Issues
Disable and remove user accounts
Fixed issues that ensure proper disabling of users to remove linked accounts and devices.
Documentation Updates
1.04.02
November 3, 2021
New Features
Secondary email support
Introduced the capability to send Passwordless onboarding invites to text messages and secondary email
Login page branding
Introduced capability to brand the login page with capability to support uploading logos and modify the colors for background and text.
Added CAPTCHA support to invite request pages
Introduced CAPTCHA for our invite request pages to protect against DDOS attacks
Active Directory and LDAP brokers for on-premise user stores
- Introduced capability to allow connections to an on-premise Active Directory user store using AD and LDAP brokers
- Ability to view all brokers connected to a Directory
- Ability to rename a broker
- Ability to download the latest broker directly from the portal
- Ability to refresh the status of the broker every 10 seconds
Enhancements
Edit AdminX user profiles
Ability to edit the profiles of existing AdminX users