Frequently Asked Questions (FAQs)
- Updated On 17 Sep 2020
This page will answer questions with respect to the BlockID platform. If you have any questions that are not addressed in the sections below, please send us an email at email@example.com
What is 1Kosmos BlockID?
1Kosmos BlockID provides cloud-based identity solutions that leverage biometrics for passwordless user authentication. It uses Blockchain technology for secure and passwordless access to the applications.
What is the licensing model for 1Kosmos BlockID?
1Kosmos BlockID has three separate offerings and each offering has a different pricing plan. Please contact firstname.lastname@example.org for further pricing information.
Where can I obtain more information about 1Kosmos BlockID?
Visit the Why BlockID, Solutions, and Insights sections from the 1Kosmos site. Also, visit the 1Kosmos BlockID Documentation site for in-depth information on each BlockID product. Please contact us on email@example.com for further information.
How can I register for the 1Kosmos BlockID Webinars?
Check out our Webinar page to access the existing webinars and register for the upcoming webinars.
How can I get a Free Trial of the 1Kosmos BlockID solutions?
Visit the BlockID Free Trial page and Sign up to get a free trial of our 1Kosmos BlockID solutions.
What categories of applications are allowed to integrate with BlockID?
1Kosmos BlockID integrates with numerous cloud applications, leading SSO and cloud platforms, along with PAM technologies, hardware tokens, operating systems, and remote access providers. Check out our Integrations page for the list of application categories 1Kosmos BlockID can integrate with.
How does BlockID handle multiple identities?
BlockID manages a concept called "User Personas". Multiple identities of a user can be mapped to multiple personas and be under a single master user profile.
What happens if the user loses their mobile device?
All of the information on the BlockID platform can be recovered using a recovery phrase and your biometric. A user can install the app on their new mobile device, enter their recovery phrase, and authenticate with their biometrics to regain access to their identity vault.
How would universal logon get set up?
The process will take less than 30 minutes to set up, and involves downloading the BlockID Login integration SDK onto the site. This will then allow the site to generate a QR code that can then be scanned by the user using their mobile device.
Using the BlockID platform, who is bearing the cost of fraud and the cost of errors?
This product interacts with the existing security system and fraud prevention of the commercial enterprise. A service provider will bear the cost of any fraud. However, replacing credentials with biometrics and moving the repository from a single database to a blockchain significantly reduces the risk of fraud and the cost of errors.
Do you follow any of the Blockchain Standards as defined by the W3C (World Wide Web Consortium)?
We use the W3C standards that relate to verifiable credentials and claims, and to how they should be stored.
What protocols/algorithms for fingerprint, voice, and facial recognition do you use?
We use the inbuilt biometrics, if available, for the fingerprint. For the voice and matching the facial biometrics to your vault, we use our BlockID facial and voice metrics that use Microsoft Cognitive Artificial Intelligence (AI).
Can you explain your API gateway?
The BlockID API Gateway is the central conduit that allows the BlockID mobile app to interface with a website or a desktop/laptop. It also interacts with the blockchain to store any credential information or write any audit record.
As the platform evolves, how do you update the biometrics to the latest version?
If the biometrics are updated, BlockID releases a new version of the mobile app, which is installed on every user's smartphone as part of their normal app update process.
Is there any possibility to reverse engineer your Identity on BlockID?
No, the data is stored in an encrypted format using ECDSA encryption.
Which part of the architecture requires us to interact with the browser?
What is the QR code needed for?
The QR code is needed to initialize the app to know what information is being asked for and which service and scope it is being provided to.
What data is captured as part of the QR code?
A QR code consists of four main data elements. These are:
- Scope - A scope details what needs to be queried from the user's identity safe from the mobile device. Typically this would consist of First Name, Last Name, UserId, Date of Birth, etc.
- Factor - The factor identifies which type of biometric the user must provide to authenticate: face, fingerprint, or voice.
- Public Key - This is the public key of the requesting party.
- URL - The URL specifies the endpoint that the mobile app will need to use to send the authentication request to.
Can BlockID be used without a QR code?
Yes, however, the first log-in always requires a QR code. Once the ID is established with a vendor, the vendor can use a push notification to send information to the BlockID app.
How does the 1Kosmos platform separate tenant data?
Each tenant has its own smart contract that is used to read and write data. This contract employs tenant-level encryption that prevents any other tenant from seeing data outside of their organization.
What is needed in the customer environment?
There are two applications needed in a customer environment:
- BlockID Authentication Broker - This is the single interface that allows us to communicate with AD.
  - It also allows us to communicate with the Microsoft NDES service to issue smartcard certificates.
- BlockID Credential Provider - This is used for passwordless user login on the Windows workstation.
What can 1Kosmos see as the "administrators" of the platform from the following options?
- User Attributes?
- User's Private Data?
1Kosmos cannot see any user data as it is not stored in our cloud.
- User private data is protected with the user's private key which resides on their phone.
- No AD or other internal company data is stored in the cloud.
- Many other products will copy your AD user attributes to their cloud. BlockID does not.
What are the Authentication Schemes?
Authentication schemes are used to authenticate users into the platform. An authentication scheme can be configured for tenants (Customers) based on their needs. For example, Customer 1 can use Active Directory (AD) while Customer 2 can use 1Kosmos User Directory (1KUD).
Can I log into the 1Kosmos platform with an Active Directory (AD) account?
Yes, once the platform is configured with a client AD, the accounts associated with that Active Directory can be used to authenticate within the platform.
Does 1Kosmos have access to, or any way to log into, a tenant's admin page? Can customers completely remove 1KUD once they set up their AD?
Customers do not need 1KUD. They can configure BlockID to communicate with the local AD where they house their own user base. 1KUD is for customers who do not have an LDAP or AD server of their own (or do not wish to self-manage user details anymore) and want us to store their legacy users.
Can we customize the login page for customers?
Yes, the login pages are customizable.
How do you verify addresses in developing countries?
Similar to the United States, BlockID Verify will need to integrate with a source of truth from that country. This integration can be configured on the platform.
Is the NIST standard the only scoring methodology in BlockID?
BlockID also includes an identity trust score that factors in NIST as well as other parameters. Both the NIST assurance level and the trust score for a user are available.
Has BlockID been rated by any agency such as NIST?
We follow the guidelines set forth in NIST SP 800-63-3.
What are your sources for Document Verification?
A typical document verification platform is a central entity that allows BlockID to verify authenticity through an API. Some examples include AAMVA, Melissa, IDDataWeb, etc. They vary depending on the country of origin. Each system of record is from an issuing authority.
How do you handle address verification and what happens if you do not have a match?
We verify addresses with third party services (US Postal Service + Melissa). If there isn't a match, it triggers a manual process where additional documentation is requested from utilities and/or phone services and matched.
How can BlockID be deployed to evade Google’s “control of your search identity”? Or Facebook’s “control of your social identity”?
Because you are not logging in with Google or Facebook accounts, you are not using the log-ins that allow those and other companies to track which pages you visit, even while browsing in private or incognito mode, when accessing your web applications. All information about the user is stored instead in an identity vault.
How does BlockID Consumer eliminate multiple credentials? How would BlockID work across multiple eCommerce sites?
A single BlockID credential can be used to authenticate across multiple sites. This is possible because the single credential resides on the blockchain. This is in contrast with having a credential stored in the individual website's databases.
How does the user control what information is shared with service providers?
BlockID uses a concept of scopes which includes all the user information criteria. As part of the scope, every data request from a service provider has to have one or multiple scopes defined. So, for example, if a website is requesting a user credential for logon, the user would see that the website is asking for their "FirstName" and "LastName" as part of the scope in the request.
Can an eCommerce site or Retailer see all my info?
Only if the information is explicitly shared by the user. All the information shared by the user would be shown as part of the scope defined in the request.
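The QR code elements listed earlier (scope, factor, public key, URL) and the scope-based disclosure described in the last two answers fit together as one flow on the app side: validate the scanned request before acting on it, show the user exactly what is being asked for, and release only the scoped attributes after approval. The following is an added example written for this page, not 1Kosmos code: the JSON payload layout, the attribute allowlist, the `InvalidRequest`/`parse_request`/`release_attributes` names and the assumption that the relying party's key is a SEC1 uncompressed P-256 point are all this example's own choices, and the sample QR text, key bytes and vault contents are constructed.

```python
import base64
import json
from urllib.parse import urlparse

# Hypothetical QR payload encoding: the page names the four elements (scope,
# factor, public key, URL) but not their wire format, so this example assumes
# a JSON object with the keys below.
REQUIRED_KEYS = {"scope", "factor", "public_key", "url"}
ALLOWED_FACTORS = {"face", "fingerprint", "voice"}
# Constructed allowlist of attributes the vault will ever release.
RELEASABLE_ATTRIBUTES = {"FirstName", "LastName", "UserId", "DateOfBirth"}


class InvalidRequest(ValueError):
    """Raised when a scanned QR payload fails validation."""


def parse_request(qr_text: str) -> dict:
    """Decode and validate the four QR elements before the app acts on them."""
    try:
        data = json.loads(qr_text)
    except json.JSONDecodeError as exc:
        raise InvalidRequest(f"payload is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise InvalidRequest("payload must be a JSON object")
    missing = REQUIRED_KEYS - set(data)
    if missing:
        raise InvalidRequest(f"missing elements: {sorted(missing)}")

    scope = data["scope"]
    if not isinstance(scope, list) or not scope or not all(isinstance(s, str) for s in scope):
        raise InvalidRequest("scope must be a non-empty list of attribute names")
    unknown = set(scope) - RELEASABLE_ATTRIBUTES
    if unknown:
        raise InvalidRequest(f"scope asks for attributes the vault never releases: {sorted(unknown)}")

    if data["factor"] not in ALLOWED_FACTORS:
        raise InvalidRequest(f"unsupported factor {data['factor']!r}")

    # Assumption: the requesting party's key is a base64-encoded SEC1
    # uncompressed P-256 point (65 bytes, leading 0x04).
    try:
        key = base64.b64decode(data["public_key"], validate=True)
    except ValueError:
        raise InvalidRequest("public key is not valid base64") from None
    if len(key) != 65 or key[0] != 0x04:
        raise InvalidRequest("public key is not an uncompressed P-256 point")

    # Only an absolute https endpoint may receive the authentication response.
    url = urlparse(data["url"])
    if url.scheme != "https" or not url.netloc:
        raise InvalidRequest("endpoint URL must be an absolute https URL")

    return {"scope": list(scope), "factor": data["factor"], "public_key": key, "url": data["url"]}


def rejection_reason(qr_text: str):
    """Return the validation error message, or None if the payload is acceptable."""
    try:
        parse_request(qr_text)
    except InvalidRequest as exc:
        return str(exc)
    return None


def consent_summary(request: dict) -> str:
    """What the user is shown before approving: which site wants which attributes."""
    host = urlparse(request["url"]).hostname
    return f"{host} asks for {', '.join(request['scope'])} using your {request['factor']}"


def release_attributes(vault: dict, request: dict, user_approved: bool) -> dict:
    """Release only the scoped attributes, and only after the user approved."""
    if not user_approved:
        return {}
    # Attributes the request names but the vault lacks are simply not sent.
    return {name: vault[name] for name in request["scope"] if name in vault}


# Constructed sample data; the key bytes are a dummy pattern, not a real key.
SAMPLE_KEY = base64.b64encode(b"\x04" + bytes(range(64))).decode()
SAMPLE_QR = json.dumps({
    "scope": ["FirstName", "LastName"],
    "factor": "face",
    "public_key": SAMPLE_KEY,
    "url": "https://login.example.com/blockid/authenticate",
})
SAMPLE_VAULT = {"FirstName": "Ada", "LastName": "Lovelace", "UserId": "ada01", "DateOfBirth": "1815-12-10"}
BAD_QR = SAMPLE_QR.replace("https://", "http://")

if __name__ == "__main__":
    request = parse_request(SAMPLE_QR)
    print(consent_summary(request))
    print(release_attributes(SAMPLE_VAULT, request, user_approved=True))
    print(rejection_reason(BAD_QR))
```

The ordering matters: the scope is checked against the allowlist and the endpoint against an https-only rule before any biometric prompt is shown, so a malformed or over-reaching request never gets as far as the user's face or fingerprint, and the vault function is the only place attributes leave the device, which keeps the "only what was explicitly shared" rule in one auditable spot.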
Is BlockID compliant with FIDO2?
Yes, the BlockID solution is compliant with FIDO2 UAF.
How do I authenticate if I'm on my PC and not my mobile device?
BlockID can be used to authenticate a user using an OTP which can be generated and emailed to a user if a mobile device is not present. We only recommend using this solution if you are using MFA with a legacy system.
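An emailed OTP is the weakest path on this page, so the server side of it deserves the usual controls: a random code, a short validity window, a bounded number of guesses, single use, and a constant-time comparison. The following is an added example written for this page, not 1Kosmos code: the `OtpStore` class, the five-minute window, the five-attempt limit and the choice to keep only an HMAC of each code are this example's own assumptions, and `demo()` runs the store against a constructed clock.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a five-minute validity window
MAX_ATTEMPTS = 5        # assumption: discard the code after five wrong guesses


class OtpStore:
    """Issue and verify single-use, time-bounded one-time passcodes.

    Only an HMAC of each code is kept, keyed by a server-side secret, so a
    leaked store cannot be turned back into valid codes without that key.
    """

    def __init__(self, clock=time.time, server_key=None):
        self._clock = clock
        self._key = server_key or secrets.token_bytes(32)
        self._pending = {}  # user_id -> [tag, expires_at, wrong_attempts]

    def _tag(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), "sha256").digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user; the caller emails it and must not log it."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Re-issuing replaces any earlier code, so only one code is ever live per user.
        self._pending[user_id] = [self._tag(user_id, code), self._clock() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """Accept the code once, within its window, and within the attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        tag, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        entry[2] += 1
        # Constant-time comparison: no timing signal about how many digits matched.
        if not hmac.compare_digest(tag, self._tag(user_id, code)):
            return False
        del self._pending[user_id]  # single use: a replayed code is rejected
        return True


def demo() -> dict:
    """Exercise the store against a controllable clock; returns the outcomes."""
    now = [1_000_000.0]
    store = OtpStore(clock=lambda: now[0])
    results = {}

    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code"] = store.verify("alice", wrong)
    results["right_code"] = store.verify("alice", code)
    results["replayed_code"] = store.verify("alice", code)

    code = store.issue("alice")
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_code"] = store.verify("alice", code)

    code = store.issue("bob")
    for _ in range(MAX_ATTEMPTS):
        store.verify("bob", "no-such-code")
    results["after_lockout"] = store.verify("bob", code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The attempt counter is what makes a six-digit code defensible: without it, a million guesses fit comfortably inside a five-minute window, which is the same reason the page only recommends this path as a fallback for legacy MFA rather than as a primary factor.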
Does BlockID auto pop up asking the user to update the password in a password reset scenario?
The user gets a popup on Windows ahead of time, based on the policy set for the organization. They can reset the password either in Windows or in the BlockID app.
Can BlockID be used for applications that do not authenticate against AD?
The application can leverage BlockID and can integrate using SAML.
What happens when an employee leaves the organization and has been using a personal mobile for authentication using BlockID?
The BlockID app is disabled upon disabling the AD account of the employee.
How will BlockID be leveraged in a secure white room type scenario where cell phones may not be allowed inside?
This is a part of our roadmap where biometric-based authentication can be leveraged via laptops/workstations so that mobile phones will not be a dependency.
What does BlockID leverage for Push Notifications?
BlockID uses the Apple Push Notification Service (APNS) on iOS devices and Firebase Cloud Messaging (FCM) on Android devices.
Is there an SDK available to integrate with an existing mobile application?
Yes, BlockID has an SDK for integrating with an existing mobile application.
Can a user register for BlockID on two or more devices?
Yes, a user could have multiple devices. The Private Key is unique to each registration for the user. The DID will be created per device registered and mapped to the same userID.
FAQ BlockID Authentication Broker
Why do I need a BlockID Authentication Broker on-site?
A BlockID Authentication Broker is installed in a client environment to allow the BlockID Admin Console (running in the cloud) to communicate within the client's environment. All connections made by the Broker are outbound, and there is no need for any inbound connectivity into the company's network. The BlockID Authentication Broker communicates **outbound** only and handles the flow of encrypted traffic between the Credential Provider (on Windows), NDES, AD, and the 1Kosmos cloud.
Do I need to open any external inbound ports or DMZ hosts for the 1Kosmos environment?
No - no firewall ports or network changes are required.
Will the BlockID Authentication Broker be able to communicate over a proxy?
Yes - the BlockID Authentication Broker is proxy enabled and supports proxy authentication. Both the BlockID Authentication Broker and BlockID Credential Provider (for Windows workstations) can use a proxy to talk to the 1Kosmos cloud.
Are BlockID Authentication Brokers highly available for failover/BCP/DR?
Yes - they can be deployed to be as highly available as the customer needs.
How are BlockID Authentication Brokers made highly available?
Multiple instances of the broker can run in parallel. There is no need for a load balancer as they handle the communication between the client environment and the 1Kosmos cloud automatically.
Are any AD usernames and passwords stored in clear text on the BlockID Authentication Broker (in a file for example)?
1Kosmos does not store any usernames or passwords, especially when the configuration uses Active Directory. The BlockID Authentication Broker is used only to authenticate the user, not to store credentials.
Should the customer have the technical expertise to configure the broker and other configurations within BlockID?
The configuration done on the BlockID platform is straightforward. Detailed guides are also available for a user to perform the configuration themselves. The setup in the BlockID platform can be done in minutes.