SurePassID Windows Logon Manager (WLM) 2025.4 - Release Notes

Release Date: 10/28/2025
Release Type: Major Feature Release


Highlights

This release introduces Windows Event Log integration, FIDO2 offline authentication, and security event auditing across the credential provider.


New Features

Windows Event Log Integration

    • Structured event logging — Error and Warning messages from SPLog are now automatically forwarded to the Windows Application Event Log under the source SurePassID WLM.
    • Security event API — New SPLog::SecurityEvent() method writes security-relevant events (MFA bypass usage, authentication failures, offline cache exhaustion, etc.) with dedicated event IDs and categories.
    • Message catalog — Added SPEventMessages.mc with 10 defined event IDs across 4 categories (Authentication, Configuration, Security, Connectivity), compiled into a message resource for proper Event Viewer formatting.
    • Event source auto-registration — SPWindowsEventLog::EnsureEventSourceRegistered() lazily creates the required registry keys when running with sufficient privileges.
    • Registry-controlled forwarding — Event log forwarding can be enabled/disabled via the WriteToEventLog registry value. Error, Warning, and Info messages are forwarded by default. Trace messages are excluded unless WriteTraceToEventLog is set to 1 (to avoid flooding the event log during development).

FIDO2 Offline Authentication

    • Offline cache framework — New SPFido2OfflineCache class for storing and retrieving FIDO2 assertion data for offline use.
    • Assertion result model — New Fido2AssertionResult class to represent FIDO2 authentication results.
    • Server credential parsing — Enhanced ServerPublicKeyCredentialGetOptions with expanded parsing support for offline scenarios.
    • CBOR/JSON response handling — Improved SPWebAuthnJsonResponse with additional response parsing capabilities.

NFC APDU Chaining (CTAP 2.0 Compatibility)

    • APDU chaining for FIDO 2.0 NFC authenticators — Implemented ISO 7816-4 command chaining in ApduCommand::apdu_list() for CTAP payloads exceeding 255 bytes. FIDO 2.0 authenticators over NFC do not support extended-length APDUs; payloads are now split into 255-byte fragments (CLA=0x90 for intermediate, original CLA for final) per CTAP2 spec section 11.3.6.
    • Automatic APDU mode selection — The FIDO2 assertion command now checks the authenticator's reported versions (authenticatorGetInfo). FIDO 2.1 authenticators use extended-length APDUs; FIDO 2.0 authenticators use short APDUs with chaining. This resolves SW 0x6700 (Wrong Length) errors when multiple credentials are registered for a user.
    • Diagnostic logging — APDU mode selection (extended vs. chaining), CBOR payload size, and FIDO version are now logged at Trace level for troubleshooting.
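The framing logic described above, as an added example written for these notes; it is not the project's ApduCommand::apdu_list() and does not come from SurePassID. It assumes the CTAP2 NFC conventions (CLA 0x80, INS 0x10 for NFCCTAP_MSG, chaining bit 0x10 giving CLA 0x90 on intermediate fragments) and the version strings "FIDO_2_0" / "FIDO_2_1" as reported by authenticatorGetInfo. The toy authenticator models a FIDO 2.0 NFC device that rejects extended-length APDUs, so forcing extended mode against it reproduces the SW 0x6700 (Wrong Length) failure the release fixes, while chaining delivers the full payload. The long payload is a constructed stand-in, not valid CBOR.

```python
"""CTAP2-over-NFC APDU framing: extended length vs. ISO 7816-4 chaining (added example)."""
from __future__ import annotations

CTAP_CLA = 0x80          # CTAP2 NFC class byte (the "original CLA" used on the final fragment)
CHAIN_CLA = 0x90         # CLA with bit 4 (0x10) set: "more fragments follow"
INS_NFCCTAP_MSG = 0x10
MAX_SHORT_DATA = 255     # largest Lc a short APDU can carry
SW_OK = 0x9000
SW_WRONG_LENGTH = 0x6700


def select_apdu_mode(versions) -> str:
    """FIDO 2.1 authenticators take extended-length APDUs; FIDO 2.0 needs short APDUs + chaining."""
    return "extended" if "FIDO_2_1" in versions else "chained"


def build_apdus(payload: bytes, versions) -> list[bytes]:
    """Frame a CTAP payload (command byte + CBOR) for the authenticator's APDU mode."""
    if not payload:
        raise ValueError("CTAP payload must carry at least the command byte")
    if select_apdu_mode(versions) == "extended":
        if len(payload) > 0xFFFF:
            raise ValueError("payload exceeds extended-length Lc")
        # CLA INS P1 P2 | 00 Lc_hi Lc_lo | data | Le = 00 00 (maximum response)
        header = bytes([CTAP_CLA, INS_NFCCTAP_MSG, 0, 0, 0, len(payload) >> 8, len(payload) & 0xFF])
        return [header + payload + b"\x00\x00"]
    chunks = [payload[i:i + MAX_SHORT_DATA] for i in range(0, len(payload), MAX_SHORT_DATA)]
    apdus = []
    for index, chunk in enumerate(chunks):
        last = index == len(chunks) - 1
        cla = CTAP_CLA if last else CHAIN_CLA
        apdu = bytes([cla, INS_NFCCTAP_MSG, 0, 0, len(chunk)]) + chunk
        if last:
            apdu += b"\x00"   # Le = 00: accept up to 256 response bytes
        apdus.append(apdu)
    return apdus


class Fido20NfcAuthenticator:
    """Toy FIDO 2.0 NFC authenticator: reassembles chained fragments, rejects extended length."""

    def __init__(self):
        self._partial = b""
        self.received: list[bytes] = []

    def transmit(self, apdu: bytes) -> int:
        if len(apdu) < 5:
            return SW_WRONG_LENGTH
        cla, lc = apdu[0], apdu[4]
        if lc == 0 and len(apdu) > 5:
            return SW_WRONG_LENGTH   # Lc=00 followed by more bytes is extended length: unsupported
        data = apdu[5:5 + lc]
        if len(data) != lc:
            return SW_WRONG_LENGTH
        self._partial += data
        if cla & 0x10:               # chaining bit set: wait for the remaining fragments
            return SW_OK
        self.received.append(self._partial)
        self._partial = b""
        return SW_OK


def send_ctap(payload: bytes, versions, authenticator) -> int:
    """Send a framed payload fragment by fragment; stop at the first non-OK status word."""
    for apdu in build_apdus(payload, versions):
        sw = authenticator.transmit(apdu)
        if sw != SW_OK:
            return sw
    return SW_OK


# Constructed stand-in for a getAssertion (0x02) whose allowList pushes it past 255 bytes.
# Not valid CBOR; it only reproduces the size class that triggered the 0x6700 errors.
LONG_GET_ASSERTION = b"\x02" + bytes(range(256)) * 3


if __name__ == "__main__":
    for versions in (["FIDO_2_0"], ["FIDO_2_1"]):
        auth = Fido20NfcAuthenticator()
        sw = send_ctap(LONG_GET_ASSERTION, versions, auth)
        print(versions, select_apdu_mode(versions), hex(sw), len(auth.received), "payload(s) reassembled")
```

Against the toy FIDO 2.0 device the 769-byte payload goes out as three 255-byte fragments with CLA 0x90 plus a final 4-byte fragment with CLA 0x80 and is reassembled intact; sending the same payload as a single extended-length APDU is answered with 0x6700 and nothing is delivered.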

Server Connectivity Status Indicator

    • Login screen status field — Added SFI_LOGONSTATUS_TEXT field to the credential provider tile showing "Server: Online" or offline status with available authentication methods (e.g., "Offline: Security key or passcode"). Positioned after the submit button for visibility in LogonUI.

Improvements

Security & Encryption

    • DPAPI encryption for offline cache — OTP offline cache now uses DPAPI-based encryption (EncryptForCache / DecryptFromCache) with automatic fallback to legacy Brownie/Enc256 for backward compatibility.
    • Security event logging for MFA bypass — Bypass code usage is now logged as a security event (MSG_MFA_BYPASS_CODE_USED) for audit trails.
    • Offline cache exhaustion alerts — When the offline OTP cache is depleted, a MSG_OFFLINE_CACHE_EXHAUSTED security event is written.
    • DPAPI failure auditing — If DPAPI encryption fails and falls back to legacy encryption, a MSG_DPAPI_ENCRYPTION_FAILED event is logged.
    • Offline cache invalidation on policy change — When AllowOfflineFido2 or AllowOffLineAuth is set to 0, any existing cached credentials (FIDO2 or OTP) are automatically cleared and a MSG_OFFLINE_CACHE_INVALIDATED security event is logged. This ensures stale caches cannot be used after an administrator disables offline authentication.

Logging

    • Thread ID in log entries — All log messages now include [TID:<id>] for easier multi-threaded debugging.
    • Thread-safe logging — Added std::mutex-based synchronization across all SPLog methods.
    • Default log level fix — Default log level (when no registry key is set) now correctly includes Error-level messages in addition to Warning.

Credential Provider

    • Credential provider filter whitelisting — SurePassIdProviderFilter now supports GUID-based whitelisting of credential provider tiles.
    • CredUI fixes — Additional fixes for Credential UI (UAC prompt) processing.

Configuration

New Registry Values

Value Name             Type     Default        Description
AllowOfflineFido2      REG_SZ   0 (disabled)   Enable/disable FIDO2 offline authentication
ConnectionAllowHttp    REG_SZ   0 (disabled)   Allow HTTP (non-TLS) connections to MFA server (testing/development only)
WriteToEventLog        REG_SZ   1 (enabled)    Enable/disable forwarding of Error/Warning to Windows Event Log
WriteTraceToEventLog   REG_SZ   0 (disabled)   When enabled (and LogLevel is Trace), also forward Trace entries to Windows Event Log
LogLevel               REG_SZ   W              Log level: Error, Warning, Info, Trace

Event Log Setup

The event source is registered automatically when running with admin privileges. For test environments, run once as Administrator:

powershell -ExecutionPolicy Bypass -File SurePassIdLibGoogleTests\RegisterEventSource.ps1

Event IDs Reference

Event ID   Symbolic Name                          Severity        Category
1000       MSG_GENERAL_ERROR                      Error
1001       MSG_GENERAL_WARNING                    Warning
1002       MSG_GENERAL_INFO                       Informational
2000       MSG_MFA_BYPASS_CODE_USED               Warning         Security
2001       MSG_OFFLINE_AUTH_ATTEMPTED             Informational   Security
2002       MSG_OFFLINE_CACHE_EXHAUSTED            Warning         Security
2003       MSG_MFA_SERVER_UNREACHABLE             Warning         Connectivity
2004       MSG_MFA_CONNECTIVITY_CHECK_DISABLED    Warning         Security
2005       MSG_AUTHENTICATION_FAILED              Error           Authentication
2006       MSG_AUTHENTICATION_SUCCEEDED           Informational   Authentication
2007       MSG_DECRYPTION_FAILED                  Error           Security
2008       MSG_DPAPI_ENCRYPTION_FAILED            Warning         Security
2009       MSG_SESSION_EXPIRED                    Informational   Authentication
2010       MSG_OFFLINE_CACHE_INVALIDATED          Warning         Security
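The events in the table above are only useful if something consumes them. The following is an added example (not SurePassID code) of a triage pass over an export of the Application log filtered to the SurePassID WLM source, such as `wevtutil qe Application /q:"*[System[Provider[@Name='SurePassID WLM']]]" /f:xml` produces. It reads only the System fields every Windows event carries (provider, event ID, time, computer), since the notes do not document the EventData payload, and applies two rules: single-event alerts for the security IDs a reviewer would always want to see (2000 bypass code used, 2004 connectivity check disabled, 2007 decryption failed, 2010 cache invalidated), and a burst rule on 2005 authentication failures. The threshold and window are assumed tuning values, and the sample export is constructed here, not captured from a real host.

```python
"""Triage SurePassID WLM events exported from the Application log (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SOURCE = "SurePassID WLM"

# Event IDs and symbolic names from the release notes' reference table
ALWAYS_ALERT = {
    2000: "MSG_MFA_BYPASS_CODE_USED",
    2004: "MSG_MFA_CONNECTIVITY_CHECK_DISABLED",
    2007: "MSG_DECRYPTION_FAILED",
    2010: "MSG_OFFLINE_CACHE_INVALIDATED",
}
AUTH_FAILED = 2005
FAIL_THRESHOLD = 5                     # assumed tuning values, not taken from the notes
FAIL_WINDOW = timedelta(minutes=10)


def parse_events(xml_text: str):
    """Return (time, event_id, computer) for each SurePassID WLM event, oldest first."""
    # wevtutil emits a sequence of <Event> elements with no document root; wrap them.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", EVT_NS):
        system = ev.find("e:System", EVT_NS)
        if system.find("e:Provider", EVT_NS).get("Name") != SOURCE:
            continue   # another source reusing the same numeric IDs is not ours to interpret
        when = system.find("e:TimeCreated", EVT_NS).get("SystemTime")
        # SystemTime is UTC with up to seven fractional digits; keep whole seconds only
        ts = datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, int(system.find("e:EventID", EVT_NS).text),
                       system.find("e:Computer", EVT_NS).text))
    return sorted(events)


def triage(events):
    """Return alerts as (computer, reason, time): single-event rules plus a failure-burst rule."""
    alerts = []
    recent_failures = defaultdict(deque)   # computer -> failure timestamps inside FAIL_WINDOW
    for ts, event_id, computer in events:
        if event_id in ALWAYS_ALERT:
            alerts.append((computer, ALWAYS_ALERT[event_id], ts))
        elif event_id == AUTH_FAILED:
            window = recent_failures[computer]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:   # fire once per burst, not on every later failure
                alerts.append((computer, f"{FAIL_THRESHOLD} MSG_AUTHENTICATION_FAILED "
                                         f"within {FAIL_WINDOW}", ts))
    return alerts


def _event_xml(provider, event_id, level, when, computer):
    """Build one constructed event in wevtutil's XML shape (sample data, not a real export)."""
    return (f"<Event xmlns='{EVT_NS['e']}'><System><Provider Name='{provider}'/>"
            f"<EventID>{event_id}</EventID><Level>{level}</Level>"
            f"<TimeCreated SystemTime='{when}'/><Computer>{computer}</Computer>"
            "</System></Event>")


# Constructed sample export: one bypass-code use, one failure burst, and noise that must not alert
SAMPLE_EXPORT = "".join([
    _event_xml(SOURCE, 2006, 4, "2025-10-28T08:00:00.0000000Z", "WS-FIN-07"),
    _event_xml(SOURCE, 2000, 3, "2025-10-28T08:01:12.0000000Z", "WS-FIN-07"),
    _event_xml(SOURCE, 2003, 3, "2025-10-28T08:02:00.0000000Z", "WS-FIN-07"),
    _event_xml("Other-App", 2000, 3, "2025-10-28T08:03:00.0000000Z", "WS-FIN-07"),
] + [_event_xml(SOURCE, 2005, 2, f"2025-10-28T09:00:{s:02d}.0000000Z", "WS-ENG-02")
     for s in range(0, 60, 10)])   # six failures in 50 seconds on one workstation


def sample_alerts():
    return triage(parse_events(SAMPLE_EXPORT))


if __name__ == "__main__":
    for computer, reason, ts in sample_alerts():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {computer:<10} {reason}")
```

Run against the constructed export it raises exactly two alerts: the bypass-code use on WS-FIN-07, and the failure burst on WS-ENG-02 at the fifth 2005 event. The 2003 server-unreachable event and the foreign-provider 2000 event are deliberately ignored; if a fleet-wide wave of 2003 events should itself alert, that is a separate rule keyed on the count of distinct computers, not on any single host.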


Verifying the Installed Version

After installing or updating the DLL, verify you are running release 26.2:

  1. Open File Explorer and navigate to the installed DLL location (typically C:\Windows\System32\WindowsLoginManager.dll).
  2. Right-click the file → Properties → Details tab.
  3. Confirm the following values:
    • File version: 26.2.0.0
    • Product version: 26.2.0.0
    • Product name: SurePassID Windows Login Manager

Alternatively, from an elevated PowerShell prompt:

(Get-Item "C:\Windows\System32\WindowsLoginManager.dll").VersionInfo | Select-Object FileVersion, ProductVersion

Expected output:

FileVersion ProductVersion
----------- --------------
26.2.0.0    26.2.0.0

© 2011-2026 SurePassID. All rights reserved.