Administering HYPR Affirm
Some functionality is limited. This article is subject to change as the feature develops and we make improvements.
At least one Okta or Entra ID integration must be enabled via HYPR. See Integrations for instructions on how to accomplish this step.
If you do not have a qualifying Okta or Entra ID integration, HYPR Affirm will display this message when you try to do anything:

Click Set Up Integration Now to open the Control Center Standard: Integrations options.
Click Cancel to return to HYPR Affirm.
For HYPR Affirm to work with the integration fully, the IdP must include the following attributes for all target users:
- Username (UPN field for Entra ID and Username field for Okta)
- Email Address
Depending on the specific verification flow configuration, HYPR Affirm requires the following additional attributes:
- Mobile Phone Number (Phone Number Verification step)
- First and Last Name (Identity Verification step)
- Manager Information (Required if Approver type of Manager is set. Manager field for Entra ID and ManagerId field for Okta)
- Street Address (Location step)
- City (Location step)
- State (Location step)
- Postal Code (Location step. This is called Zip code in Okta)
- Country Code (Location step)
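A pre-flight check for the attribute requirements listed above, as an added example that is not part of HYPR's documentation or tooling: it reports which exported Okta profiles lack attributes the enabled steps need. The Okta attribute keys (`login`, `mobilePhone`, `zipCode` and so on) and the step names are assumptions; check them against your own directory schema.

```python
# Added example (not HYPR code): report Okta profiles that lack attributes
# HYPR Affirm needs for the enabled verification steps.
# ASSUMPTION: values are Okta default profile attribute names and the step
# keys are hypothetical labels; check both against your own tenant.
BASE = {"Username": "login", "Email Address": "email"}

STEP_ATTRS = {
    "phone_number_verification": {"Mobile Phone Number": "mobilePhone"},
    "identity_verification": {"First Name": "firstName", "Last Name": "lastName"},
    "manager_approver": {"Manager Information": "managerId"},
    "location": {
        "Street Address": "streetAddress", "City": "city", "State": "state",
        "Postal Code": "zipCode", "Country Code": "countryCode",
    },
}


def missing_attributes(profile, enabled_steps):
    """Return sorted labels of required attributes that are absent or blank."""
    required = dict(BASE)
    for step in enabled_steps:
        required.update(STEP_ATTRS[step])
    return sorted(
        label for label, key in required.items()
        if not str(profile.get(key) or "").strip()  # whitespace counts as blank
    )


def audit(profiles, enabled_steps):
    """Map each incomplete user (by login) to its missing attribute labels."""
    report = {}
    for i, profile in enumerate(profiles):
        gaps = missing_attributes(profile, enabled_steps)
        if gaps:
            report[profile.get("login") or f"<record {i}>"] = gaps
    return report


# Constructed sample profiles (not real users).
SAMPLE = [
    {"login": "alice@example.com", "email": "alice@example.com",
     "mobilePhone": "+15550100", "firstName": "Alice", "lastName": "Ng",
     "managerId": "00u1example"},
    {"login": "bob@example.com", "email": "bob@example.com",
     "mobilePhone": " ", "firstName": "Bob", "lastName": ""},
]

if __name__ == "__main__":
    steps = ["phone_number_verification", "identity_verification", "manager_approver"]
    for user, gaps in audit(SAMPLE, steps).items():
        print(f"{user}: missing {', '.join(gaps)}")
```

Users flagged here would fail or stall at the corresponding step, so fix the directory data before distributing the workflow URL.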
The calls to perform CRUD operations and to test HYPR Affirm IdV flows can be found here in the HYPR Passwordless API collection.

HYPR Affirm administration consists of several tabs:
- Verification Flows: (Default) Create and manage workflow steps and their behaviors
- Advanced Settings: Administer and test workflow Customizations and manage OIDC settings for the workflow
- Audit Trail: Easy access to the HYPR Audit Trail
- Activity Log: A log of requests and the decisions for each
Verification Flows
Creating a Workflow
- Click the + Workflow button at the top right. The New Workflow dialog opens.
- Give the workflow a Name and add a Description (optional).
  Not Too Descriptive: The Description field accepts alphanumeric characters and the following special characters: `~!@#$-_+.,
- Select a workflow Type.
  - Onboarding: New employee verification
  - Recovery Flow: Verify existing employees who have a new device
  - CC Admin: Assign to administrators to Affirm their access to Control Center
    - Only one CC Admin workflow can exist at a time
    - CC Admin must use Redirect to Device Manager to register a new login method as an outcome
    - New members of CC Admins will be forced into an Affirm flow (assuming Affirm is enabled)
- Choose a Friction Level.
  - Highest Friction
  - High Friction
  - Medium Friction
  - Low Friction
  - Lowest Friction
  What are friction levels? Different friction levels require the user to undergo different verification steps, from all possible steps for Highest to the bare minimum for Lowest.
  High and Highest levels: High and Highest friction levels require an RpApp to be initially attached to the workflow in order for all subsequent validations to pass.
  Changing friction levels: Once a verification flow is created, you cannot explicitly change its friction level; however, you can reset the workflow configuration to the default config dictated by a chosen friction level.
- Click + Workflow to save. Control Center returns to the Affirm Verification Flows tab.
Managing Workflows
When one or more workflows exist, they are listed in Verification Flows using the following columns:
Field | Description |
---|---|
Name | The name of the workflow. |
Type | The type of workflow. [ Onboarding \| Recovery \| CC Admin ] If CC Admin is chosen, the only acceptable Outcome is Redirect to Device Manager to register a new login method. |
URL | The link to be given to requesters; typically it is <tenant_URL>/ui/idv/?verificationFlowId=<verificationFlowId>. A handy copy icon helps you grab this URL for distribution. |
Description | The Description field as entered when the workflow was created. |
Status | An icon indicating the current status. [ Enabled \| Disabled ] |
RpApp | The HYPR Relying Party Application associated with this policy; typically this is the RP App associated with the integration being used. Only one RP Application can be associated to a policy. |
To manage a workflow's configuration, click the row where it is listed. The Workflow Management drawer opens at right.

With the exception of the unique identifier for this workflow (the ID column), Workflow Management top-level information reflects the list columns from the main pane. Here, immutable values can be copied and mutable values can be changed.
Be sure to scroll all the way to the bottom of Workflow Management and click Save Workflow when you are satisfied with the settings.
Applications
This section lists applications to which this workflow applies. When this section is rolled up, it will display the number of applications in parentheses.
- Add an Application: Click + Application and click the desired application on the drop-down list that appears; once clicked, it will appear under Applications
- Remove an Application: Hover over the row and click the trash can icon next to the entry
Verification Steps
Steps used by this workflow will appear here. When this section is rolled up, it will display the number of steps in parentheses.
When it is expanded, each step is listed below the header. Edit a step by hovering over the row and clicking the pencil icon next to the entry; the Verification Steps window opens.
At the top of the Verification Steps tab that appears are listed the values Name, Type, URL, and Status as described above. Name and Type may be changed here, but URL and Status may not.
Escalate to Live Chat

If this feature is toggled On and the requester fails the IdV flow checks, the requester is immediately placed into a video and chat session with the approver.
Scenarios where escalation will occur include the following:
- Face match fails between the ID photo and the selfie
- The OnFIDO government document check does not come back clean
When this feature is On:
- Escalation Approver Assignment will be visible in the Approver Assignment tab in this dialog
- Approver Chat and Video must not be a verification step already
Login Identifier

Initiates the HYPR Affirm IdV process. This option will always display Required.
Phone Number/Email Verification

This setting is always On to require the requester to enter a phone number or email address for their device.
In 10.1 and onwards, the requester can choose between SMS and email for receiving their OTP.
Location

A location based upon the requester's IP address will be displayed to the approver. Enabled by default.
Identity Verification

Determine the types of evidence required for affirmation. Disabled by default.
- Document Authentication: Requester must provide a valid Photo ID for name and image comparisons; Document Authentication mimics the toggle state of Identity Verification
- Liveness Check: The requester must take and submit a selfie in real time; it is then compared to the provided photo ID; Liveness Check mimics the toggle state of Identity Verification
- Name Checking: Compares the name from the uploaded document to the requester's directory listing
- See Supported Documents by Location for a list of documents that are currently supported for authentication.
Photo ID and Liveness Capture

Toggle to require upload of a valid photo ID and a subsequent real-time selfie, both of which will be compared to each other to verify a match.
Identifying documents differ greatly from place to place, both in which ones are considered authentic and in composition and layout. To know which documents are accepted by Affirm, check the Supported Documents by Location page.
Approver Chat and Video

Toggle to enable a chat window between the approver and requester. Enabled by default.
Attestation

Always Enabled. An approver must review the request before a credential is issued to the requester.
Outcome

What happens to the requester upon success?
- Redirect to Device Manager to register a new login method
- Issue a Microsoft Entra ID Temporary Access Pass (TAP)
- Issue a Microsoft Entra ID Verified ID Verifiable Credential (VC)
  - To set up Entra ID for this feature, see the Configuring Outcome: Entra ID Verified ID instructions
- Redirect to an Okta password reset page
  - To set up Okta for this feature, see Configuring Outcome: Okta Password Reset
- Redirect to URL (provide a URL)
  - Type the Redirect URL you wish to send the requester to when they are approved
  - See API documentation on Create a verification flow for providing a dynamic URL, which is useful when embedding an Affirm verification flow in an external application
- Only display if the requester was approved or denied