
Workstation Login for Windows Release Notes

2.1.4.0

November 7, 2025

Enhancement

Added detailed FIDO-related debug logs to assist in troubleshooting and observability. A new log file, BlockIDFIDOLogs.txt, is now created in the Logs folder.

Security Fixes

Implemented security enhancements to improve protection and strengthen overall system resilience in the Windows Workstation MFA Agent.

Bug Fixes

  • After the workstation resumes from sleep, the BlockID Credential Provider (CP) may not appear as an available option on the LogonUI screen. This has been fixed in this release.

  • Fixed an issue where, during RDP login, after entering the password in the Microsoft native Credential Provider and submitting the OTP in the 1Kosmos Credential Provider, the following error was displayed:

    “Something went wrong. Please contact your administrator.”

2.1.3.0

October 17, 2025

New Features

Support for Filtering Password Provider in Windows Workstation MFA Agent

1Kosmos now allows users to independently enable or disable the password provider for Login/Unlock and CredUI flows. This lets you enforce MFA at the workstation login screen while retaining password-based access where still required (e.g., RDP, Run As). For more information, see Configuring Password Provider Visibility.

Added ability to clear last used provider in Windows Workstation MFA Agent

1Kosmos now has the ability to prevent the OS from automatically using the last-used credential provider (via Windows Workstation MFA Agent) on subsequent logins, allowing users to select a different provider or delay login. For more information, see Managing Last-Used Credential Provider Behavior.

Added Request ID in Logging

Added support to display the requestId in system logs to improve traceability and debugging.

Bug Fixes

  • Fixed an issue where the screen flickered during window transitions, resulting in a poor user experience.
  • Fixed a crash in the Windows Workstation MFA Agent when logging in with a local user that shares the same username as a directory user.
  • Fixed an issue causing frequent LogonUI.exe crashes in Jefferies VDI environments following the BlockID CP upgrade. The crashes were due to an invalid memory access within the CP module during user logon.

2.1.2.0

September 5, 2025

New Features

Ability to Enroll and Authenticate to Windows Using Typing Biometrics and PIN

1Kosmos now supports two additional authentication factors — Behavior Authentication and User PIN.

  • Behavior Authentication – Recognizes a user by their unique typing rhythm, speed, and key press patterns. This helps verify identity without additional credentials.
  • User PIN – Allows a user to set and use their own Personal Identification Number.

Both can be enrolled through the Windows Workstation MFA Agent. These factors can be used as authentication methods for logging in to Windows.

This method is particularly beneficial in environments where login requires DSS-compliant passwords (14–16 characters), which can be difficult to remember. As an added measure, users can also enroll a PIN to authenticate and log in to their workstation securely.

This feature reduces the need for frequent password changes and offers a seamless authentication solution. For more information, see Behavior Authentication.

Security Enhancement

In this release, an authenticated JWT is used to fetch SCEP and for enrollments on the Windows Workstation MFA Agent.

Authenticated JWT: The platform provides the Windows Workstation MFA Agent with a JWT containing all the completed authentication factors for the user, which is then used to fetch SCEP or for enrollment.

Enhanced the Generate OTP API

The Windows Workstation MFA Agent now supports OTP generation via Email, SMS, and voice when a user's mobile device is not registered or enrolled.

2.0.9.0

June 30, 2025

New Features

Shared account logins now use the username fetched from the CyberArk proxy, instead of relying on the displayed username on the shared account window. The CyberArk proxy applies a transformation script to retrieve the username in UPN format.

Bug Fixes

Fixed an issue where Windows LiveID incorrectly validated a face even when it was placed outside the camera view.

2.0.8.0

May 15, 2025

New Features

Support for MFA on Local Account Logins

1Kosmos now supports displaying multi-factor authentication (MFA) methods for both local and remote account logins. To enable MFA for a local user, the local account must be added as an alias. For more information, see Offline Login.

Introduced CyberArk Proxy Component

In the current implementation, the Windows Workstation MFA Agent sends requests directly to CyberArk to retrieve service account credentials. Under high concurrency (~400 users), the service account gets locked out, causing login disruptions. This is due to throttling mechanisms in CyberArk. Even at lower loads, API throttling leads to slow API response times (~5 seconds), negatively impacting user experience and business continuity.

To address this, 1Kosmos has introduced a new on-prem proxy component for Windows, Darwin, and Linux systems. This proxy handles the connection to CyberArk, offloading direct API calls from each workstation. On Windows, it runs as a service; on Mac and Linux, it operates via the command line. Before starting the service, administrators must configure CyberArk credentials, including a valid service account, to streamline password retrieval and prevent repeated logins. For more information, see CyberArk Proxy Login Using Shared Accounts.

Note: Both direct and proxy-based implementations are supported, and customers can choose the model that suits them.

Security Fix

Addressed a potential replay attack vector where an attacker with physical access to a workstation could intercept and replay API responses from the platform to gain unauthorized access.

This scenario required the attacker to install a proxy tool on the target machine to capture network traffic, making it a complex and unlikely attack path. However, safeguards have now been implemented to mitigate this risk and enhance overall platform security.

Bug Fixes

Resolved an issue where cURL requests had inconsistent timeout behavior on the loading screen:

  • When internet connectivity was available, requests timed out as expected.
  • When a proxy was enabled but no internet connection was present, requests experienced prolonged delays.

2.0.7.0

May 1, 2025

New Features

Passwordless Authentication for Remote Desktop Protocol (RDP) and Run As Use Cases

1Kosmos now enables users to passwordlessly authenticate when running applications as an administrator or a different user. For more information, see the passwordless authentication section in the Windows Workstation MFA Agent.

Added Support for Logging into Windows Using UserPrincipalName (UPN)

This release now supports user login using both the SAM account name and the User Principal Name (UPN).

To enable UPN-based login, administrators must map the user's SAM account name to the BlockID attribute (winuserattribute).

Enhanced E_LOGIN_SUCCEEDED and E_LOGIN_FAILED Event Details

When a user logs in to their workstation using the QR, Push, or FIDO mechanisms, both the E_LOGIN_SUCCEEDED and E_LOGIN_FAILED events now display the device details and the authenticator used during authentication. These events include the following information:

  • device_id
  • auth_device_os
  • auth_device_name
  • auth_device_app_name
  • auth_device_app_version
  • auth_device_ip_address
  • auth_device_os_type
  • auth_device_make
  • auth_device_model

Miscellaneous

During the installation of the Windows Workstation MFA Agent, the default idle timeout value has been updated to 75 seconds to enhance session security and responsiveness.

2.0.6.0

February 24, 2025

New Features

Allow users to send OTP via SMS, Email and Voice Call

Users are shown options to send the OTP via SMS, email, or voice call if the user’s profile has an associated phone number and/or email address.

Note: The phone number used for SMS/call is the primary phone number associated with the profile.

OTP delivery via these channels is enabled by default. If the user profile has a phone number associated, the voice call and SMS options are displayed. If an email address is associated with the user profile, the email OTP option is shown.

Note: Currently, there is no control for individually enabling SMS, email, mobile, or voice OTP.

Miscellaneous

  • Added a feedback message for users after the QR code is scanned and the authentication is approved on the mobile device.
  • Added a feedback message to inform users when their account is locked due to exceeding the maximum number of incorrect OTP entries.

Bug Fixes

Resolved an issue where FIDO login would occasionally fail.

2.0.5.0

December 20, 2024

New Features

Notifying Users During QR Scan Validation

When users scan the QR on the login screen, the Windows Workstation MFA agent informs them that the scanned QR code is being validated. The display of the validation message provides a smoother user experience.

Enhanced Logging for PII Protection

The logs have now been enhanced to prevent the display of users’ PII data.

Error Message on Maximum Incorrect OTP Attempts

The Windows Workstation MFA agent now shows an error message when a user exceeds the maximum incorrect OTP attempts, notifying them that their account is locked, and they can try again later.

Bugs Fixed

  • Fixed an issue where the user was unable to log in to the workstation with the registered FIDO key.
  • Fixed the issue of log files being created in the default location despite selecting a custom install path.

2.0.4.0

December 13, 2024

New Features

  • Support for new consent screen on mobile.
  • Support for number challenge push notification.
  • Ability to customize branding.
  • Support for direct upgrade from V1 to V2 CP.
  • Miscellaneous bugs related to UI have also been fixed.

2.0.3.1

October 12, 2024

Bug Fixes

Fixed an issue where smartcard login via BlockID (e.g., Push) failed after session lock in Citrix VDI with V2 CP 2.0.3.0, showing "The username or password is incorrect" after a prolonged loading screen.

2.0.3.0

September 30, 2024

New Features

  • Support for local accounts login.
  • Support for shared accounts.
  • Stability improvements and UX fixes.

2.0.2.0

August 30, 2024

New Features

Ability to Allow Local Accounts to Log In to the Workstation

The user can now use a local account to log in to the workstation through the BlockID app. The credential provider identifies whether the selected account is a local account or a domain account. This enhancement allows access to the workstation without requiring a network connection and offers flexibility and resilience, ensuring that users have reliable access to their workstations under a variety of circumstances.

Enhanced Windows V2 Credential Provider by Determining Users Using Shared Accounts

The Windows V2 CP can now determine which user is using a shared account to log in to the workstation. To achieve this, a new Shared Account option has been introduced on the Sign In - Choose an Authentication Method screen. The Shared Account option must be configured in the database. When a user clicks the Shared Account option, a list of shared accounts associated with the user is displayed. The user can select the appropriate account and log in to their workstation. This capability allows organizations to trace which user is using a shared account and helps them manage it.

2.00.00

July 10, 2024

New Features

Introduced a new Credential Provider built on the Windows Credential Provider V2 framework, enabling user authentication using a combination of password and one-time passcode (OTP). For more information, see Windows Workstation MFA Agent.

1.09.01

March 22, 2024

New Features

  • Enabled password redirection from the host workstation, which enables use of the OTP, QR, and push mechanisms on the remote machine when connecting through RDP.
  • OTP and FIDO options have been integrated into the Switch User lock screen. BlockID now allows push notifications, OTP, and FIDO keys to be used to unlock the workstation.

Fixes

  • Fixed an issue where multiple QR dialogs would show up on the login screen for some workstations.
  • Fixed issue where cancellation of QR and push notification would not work in certain cases.

1.09.00

January 31, 2024

New Features

  • Introduced functionality for utilizing password and OTP MFA through the "More choices" option on the Windows authentication prompt for applications.
  • Added capability to pre-populate passwords on the remote workstation's login screen in case of password redirects from the host workstation.

Enhancements

  • QR and push notification-based login mechanisms have been made configurable, allowing users to easily enable or disable these features as needed.
  • OTP mechanism is now accessible on the Windows lock screen. Users can enable these from the BlockID configurator.
  • Automated installation script has been updated to accommodate new configurations introduced.

1.08.07.01

November 22, 2023

Enhancements

  • Removed validations on the tenant tag in the BlockID configurator.
  • Resolved issue where BlockID Credential Provider would crash when an invalid user attempted to login with a FIDO key.

1.08.07

October 19, 2023

Enhancements

  • Eliminated the requirement for the initial mobile login as a prerequisite for enabling authentication through FIDO keys. As the FIDO assertion is produced using the 1Kosmos platform, the workstation should be connected to the internet to use this feature.

  • Added configuration to enable/disable PIN prompt for logins through FIDO keys on the lock screen.

  • Updated the behavior of UV and UP flags for FIDO login on the credential provider based on the configuration received from the API.

1.08.06

September 21, 2023

Fixes

  • Cross-signed the Credential Provider DLLs through Microsoft. This was required to fix an issue on Windows 11 22H2 workstations where LSA, when enabled, would block the 1Kosmos smartcard driver from loading, resulting in authentication failures.

1.08.05

August 31, 2023

Fixes

  • Resolved an issue where logins would fail because the communication protocol was not initialized in certain situations. This issue was intermittent, and the user would see a "Username or password is incorrect" error, a generic error message displayed by the Windows OS.

1.08.04

August 10, 2023

Enhancements

  • Implemented a cache manager to better manage the local cache. The cache manager handles the API endpoint caching and associated public keys for a maximum of 24 hours, improving overall performance and login time.

1.08.03

July 20, 2023

Enhancements

  • Smart Card Driver DLL files are now signed using a new code signing certificate.
  • Logging functionality in the BlockID Credential Provider has been expanded.
  • Updated logic to identify PAC URLs. URLs are now treated as PAC URLs if the address contains .pac.
    • This allows the BlockID Credential Provider to recognize PAC URLs that also have a policy parameter. For example, a URL such as http://webproxy.local:3128/proxy.pac?p=15df7tpd5 is now recognized as a PAC URL by the Credential Provider.

Fixes

Corrected a bug where the connection check through a proxy was not taking place.

1.08.00

May 18, 2023

Enhancements

  • Added a timeout to the BlockID Credential Provider when establishing a connection through a proxy to check the system connectivity status and to refresh login tiles.

Fixes

  • Fixed an issue where remote connections through BlockID RDPHelper were failing.

1.07.05

April 27, 2023

New Features

FIDO2 Based Authentication Using Security Keys

FIDO2 authentication using hardware security keys (e.g., YubiKey) has been added to the BlockID Credential Provider. Users can enroll their security key using the AdminX control panel. When using FIDO2 login methods, the credential provider sends a FIDO challenge to the security key using the CTAP2 protocol. The credential provider validates the signed challenge returned by the key and allows the user to log in following successful verification.

Fixes

  • Fixed an issue where BlockID CP smart card login was failing intermittently.

Enhancements

  • Updated the label for passwordless login using QR to "QR Login" and resized the dialog for a better user experience.

1.07.04

February 17, 2023

Enhancements

  • The BlockID CP now caches service directory endpoints to avoid making repeated API calls for fetching data, improving overall performance and login time.

Fixes

  • Fixed an issue where the BlockID CP tiles were repeating in case of multiple user logins through RDP on the same workstation.

1.07.03

January 25, 2023

Enhancements

  • Users can now choose whether to enable or disable automatic restarts for workstations when installing the BlockID CP using batch scripts. Users can choose to restart the workstation by supplying a restart flag.

  • BlockID now has a setting to configure “Login with FIDO” mode. Configuration for this setting can also be automated when running the installation and configuration script.

  • The BlockID CP now updates its available login options when detecting a change in internet connectivity. If the workstation is online, QR Code and Push Notification login options will be available. If the workstation is offline, only OTP login (if enabled in BlockID CP) will be available.

Fixes

  • Removed test-suite executables FakeWinlogon.exe and NativeLibTest.exe from the BlockID installer package. These are simulators that were present in the package and could be used to test BlockID service and login flow (without invoking BlockID from the login screen). However, these carried no real purpose to the end user and were removed.

  • Fixed an issue where offline authentication using OTP fails after setting a proxy.

  • Fixed an issue where the BlockID service did not start, causing the workstation screen to blur and rendering the login page inaccessible.

1.07.02

December 07, 2022

New Features

FIDO2 Based Authentication for the BlockID Credential Provider

FIDO2-based authentication has been integrated in the BlockID Credential Provider. Users can now enroll themselves using the BlockID Mobile Application. When using the FIDO2 login feature, the BlockID Credential Provider sends a FIDO2 challenge to the BlockID Mobile Application for signing. The Credential Provider then validates the signed challenge. After successful account verification, the user is logged in.

Enhancements

  • BlockID now checks the expiration time of cached user certificates before authenticating the user when the machine is offline.

Fixes

  • Fixed an issue where proxy settings were not being used when creating new user sessions.

  • Fixed an issue where the BlockID tile did not show up on the login screen when the VC++ Redistributable package was not installed on the workstation.

1.07.01

September 1, 2022

New Features

Forced Passwordless Authentication

BlockID now allows administrators to force passwordless authentication on workstations. This disables the default password provider, and the user has the option to log in via QR, Push Notifications, OTP and MFA. Forced passwordless can be turned on using the "Disable Windows Password Provider" option in the Advanced Tab.

CAD Feature

Requiring CAD (Ctrl + Alt + Delete) before users sign in ensures communication through a trusted path when providing credentials. CAD ensures users are not susceptible to attacks that attempt to intercept their credentials when signing in. This feature can be turned on using the "Enforce Ctrl + Alt + Del" option provided in the Advanced Tab of the BlockID Configurator. The CAD feature is enabled by default when the forced passwordless option is enabled.

Enhancements

  • Ability to re-initialize QR or Push Notification after an error or the user cancels the login attempt.

Fixes

  • Fixed an issue where MFA (username + password + OTP) would not work in certain cases when the workstation is offline.

1.07.00

August 22, 2022

Enhancements

  • The BlockID Credential Provider now caches the session's services and community public keys so as not to make repeated API calls for fetching them. This improves overall performance in using platform microservice for user sessions.
  • The BlockID Credential Provider now verifies if the user account is linked to the DID.

1.06.02

August 1, 2022

New Features

Support for MFA login (User ID + Password + OTP)

BlockID Credential Provider now supports enablement of password factor to be used along with OTP for added security. The user is challenged for their username, password and Workstation OTP (from the BlockID mobile app). This feature can be turned on using the “Allow Password Factor” setting provided in the BlockID Configurator.

Support for BlockID OTP from the BlockID Mobile App

Users can now log in to their workstations using the BlockID OTP, which is displayed on the main screen of the BlockID Mobile App. The BlockID OTP is available by default and can be used when the workstation is online. If the administrator decides to enable hardware tokens for OTP generation, then this feature can easily be disabled.

Support for Hardware OTP Tokens

BlockID can now be configured to use OTPs from enterprise issued hardware tokens such as OneSpan. This feature can be turned on using the “Use Hardware OTP” setting provided in the BlockID Configurator. This authentication feature is available only when the workstation is online.

Enhancements

  • Support for UWL 2.0 sessions
    Internal enhancement where the BlockID Credential Provider uses the platform microservice for generation of user sessions. This enables and supplements the audit trail of user activity.

Fixes

  • User cancel issue on Windows Server 2012 and Windows 8/8.1
    Fixed an issue where the user was not able to cancel QR or Push Notification on workstations or remote machines running Windows Server 2012 and Windows 8/8.1.

1.06.01

May 30, 2022

New Features

Online Login Supported via OTP

BlockID has extended the OTP authentication feature to be used when the workstation is online. The setting can be turned on by the administrator using the “Enable Online OTP” setting provided in the BlockID Configurator. The Workstation OTP available in the BlockID App can be used to generate the time-based OTP for login. The user is now provided with QR, Push Notification and Workstation OTP options to log in to their workstations.

Enhancements

  • BlockID now has configurations to enable Offline and/or Online OTP modes and also add custom images and labels for the OTP tiles on the login screen. These configurations can also be automated using the installation & configuration script.

  • Updated icons for the Configurator, RDPHelper and installer exe.

1.06.00

May 13, 2022

New Features

Offline Login Supported via OTP

BlockID Credential Provider now supports login via OTP as the authentication factor when the workstation is offline. BlockID identifies when the workstation is not connected and challenges the user to enter the “Workstation OTP” from the BlockID mobile application. The prerequisite for using the Workstation OTP is that the user must have logged in using BlockID QR or Push Notification at least once prior to using the OTP feature.

Deprecated Functionality

  • Deprecated reverse QR scanning feature for offline login.

1.04.00

August 16, 2021

Fixes

  • Removed the "BlockID Initialization..." message on Windows start-up. If the service took a considerable time to start during machine start-up, the Credential Provider waited with this message displayed, which incorrectly conveyed that the hold-up was caused by BlockID.

1.03.01 - MSI

July 19, 2021

New Features

Install BlockID via GPO

An MSI file was included in addition to the existing BlockID Credential Provider installation executable. This enables administrators to install BlockID via GPO.

1.03.01

June 11, 2021

New Features

Optional Deny Credential Passthrough for RDP

Added a flag on the BlockID Configurator to deny credential passthrough for RDP connections. If the flag is checked, credential passthrough is disabled on the remote machine (RDP). A new configuration to deny credential passthrough has been added to the auto installation and configuration script.

Disabled Default Windows Smart Card Credential Provider in Registry

Disabled the default Windows smart card credential provider in the registry. This is done to stop users from using a PIN on the remote workstation to log in when using RDP.

1.03.00

April 17, 2021

Fixes

  • Fix to pass credentials in case of RDP login using username/password, and to stop BlockID QR pop-up.

Documentation Updates

  • Versioning of the CP has been moved to a new format representing the quarterly release numbers.