HYPR Affirm: Overview
Introduction
HYPR Affirm is an automated identity verification (IdV) solution designed to ensure that employees and customers are who they claim to be. It provides fast, secure, and passwordless verification for onboarding, account recovery, and other critical verification flows.
Key Features
- Prevents identity fraud using advanced verification technologies
- Streamlines and automates identity verification, reducing administrative overhead
- Enables continuous identity proofing and re-verification throughout the user lifecycle
- Affirm Studio (Screen Management): Customize content and branding for all verification screens - see Configuring End User Screen Management and Affirm Studio
- Affirm Studio Inline Preview: Preview key screens directly in Studio (including desktop/mobile views) before publishing changes
- Content Customization API: Programmatic control over screen content and user experience - see Affirm Content Customization API
- Injectable Outcomes & Retry Limits: Configure step-level outcomes and retry limits for verification steps - see Configuring Injectable Outcomes & Retry Limits
- Photo and Liveness Detection Enhancements: Auto capture and real-time feedback for improved document verification - see Document and Biometric Verification
- KYC Compliance Checks: AML, OFAC, and watchlist screening for regulatory compliance - see KYC Compliance Checks
- Liveness-Only (Anchor Image) Verification: Use a directory-stored anchor image instead of a document upload for certain internal verification scenarios – see Configuring Liveness-Only Verification (Anchor Image)
- Integration Login Handoff to Affirm: Supported integrations (including OIDC, Entra EAM, Okta, and Ping DaVinci) can route sign-in flows into a selected Affirm workflow
- Document Policy Controls: Restrict accepted document types and configure allowed ID-issuing countries for document verification workflows
- Helpdesk Access Controls: Role-based Helpdesk permissions, workflow visibility controls, and configurable completed-request retention windows
- Friction Profiles and Retry Governance: Preconfigured friction levels plus workflow and step retry controls to balance user experience and assurance level
- Operational Visibility: Rich Audit Trail and Activity Log records for workflow outcomes, step details, and compliance review
- Compliance Screening: KYC/AML/OFAC watchlist checks for regulated verification programs
- Supports secure and accurate verification methods, including:
  - Document verification (e.g., passports, driver's licenses)
  - Facial recognition with spoof detection
  - Location detection and compliance
  - Chat and video verification (AI and human interaction)
  - Manager attestation for added assurance
Enabling Specific Features for your Deployment
Many Affirm capabilities are enabled through HYPR-managed settings called feature flags at the tenant or application level. This allows HYPR to roll out capabilities safely and lets organizations enable features in a controlled way per environment.
If your deployment requires specific Affirm features, consult with your HYPR representative to ensure that all related functionality will be enabled by HYPR for your specific deployment.
See Reference: Friction Levels and Feature Flags for common Affirm feature flags and related features.
How it Works
HYPR Affirm adopts a flow model for identity verification. Users are given a URL and are guided through a series of steps (screens), in which users are asked to present identifying information. Configuring Affirm as an administrator involves creating a verification flow by choosing which verification steps are to be included in the verification flow. Once the verification flow has been created, Affirm generates a URL to be given to the end user.
First, you assign applications that will use HYPR Affirm. Then you choose a verification flow to check identity by one or more of the following methods:
- Phone number and/or email OTP confirmation
- Location and network policy checks (IP/geolocation controls)
- Live chat and/or video with an assigned approver (including escalation paths)
- Document and biometric verification (including optional liveness checks)
- Photo ID and Liveness Capture, including liveness-only anchor-image mode (where configured)
- Identity Verification via Verified Credentials (Microsoft Entra Verified ID, where enabled)
Then assign one or more approvers to verify the requester. If you are using an identity provider, HYPR can derive the individual's immediate manager from it. If not, approvers can be individually assigned to the flow.
HYPR Affirm Events are logged in the Audit Trail tab; actual approvals and denials are logged in the Activity Log tab.
HYPR Affirm Settings are accessible via the Control Center left navigation menu.
Clicking the HYPR Affirm menu link will display the following tabs, defaulting to the first:
- Verification Flows: Create and manage verification workflows, including steps, applications, retry limits, approver/escalation assignments, and outcomes
- Advanced Settings: Configure and test customizations (for example, User Directory, SMS, Email, Outcome) and manage OIDC settings used by Affirm flows
- Audit Trail: View HYPR-wide Affirm events for operational auditing and troubleshooting
- Activity Log: Review verification attempts, decisions, and per-step details for each workflow instance
- Helpdesk Settings: Configure global and per-workflow Helpdesk behavior, including RP app assignment, visibility controls, initialization defaults, and activity record window settings
- Helpdesk Users: Add and manage Helpdesk agents and roles for portal access
- Affirm Studio: Create and apply reusable content/branding kits for end-user screens, with preview support
Affirm Studio
Affirm Studio offers an easy-to-use visual screen management interface for HYPR Affirm. It lets administrators design the content and messaging for each verification step by creating reusable “kits” of screen customizations (titles, descriptions, instructions, button labels and other copy) and applying those kits to one or more verification flows. Changes can be previewed before they are applied, ensuring that end-user screens follow corporate branding and communication guidelines across the entire workflow. This includes liveness-only (anchor-image) configurations for the Photo ID and Liveness Capture step; see Configuring Liveness-Only Verification (Anchor Image) for setup details. See Configuring End User Screen Management and Affirm Studio for details.
Verification Steps
Affirm offers the following verification steps:
| Name | Description |
|---|---|
| Login Identifier | Initiates the HYPR Affirm IdV process. This option will always display Required. |
| Escalate to Live Chat | If toggled On and the requester fails the IdV flow checks, the requester is placed into a video and chat session with the approver. |
| Phone Number/Email Verification | Requires the requester to verify an OTP delivered via SMS or email, based on the configured channel and flow behavior. |
| Location | A location based upon the requester's IP address will be displayed to the approver. |
| Identity Verification via Verified Credentials | [Preview] Allows users to present Microsoft Entra Verified ID credentials stored in Microsoft Authenticator as a verification step. Users scan a QR code or use a deep link to present their credential, which is validated for claims, issuer trust, and expiration. |
| Document and Biometric Verification | This step involves presenting a document (such as passport or driver's license) that gets compared against the identity data from HR. It may optionally include a liveness check, document-type restrictions, and allowed ID-issuing country controls. |
| Photo ID and Liveness Capture | Requires either upload of a valid photo ID or use of a directory-sourced anchor image (depending on configuration), followed by a real-time selfie that is compared to the reference image to verify a match. This step does not inspect identity data and only concerns image comparison to mitigate risks of deepfakes. |
| Approver Chat and Video | Opens a chat window between the approver (often a manager) and the requester. |
| Attestation | Required in order for the verification flow to issue an Outcome. An approver must review the request before the Outcome is issued. The approver is either a person or HYPR automated approval. HYPR automated approval calculates approval based on the results of the previous steps. |
| Verified Outcome | Defines what happens after the verification succeeds (for example, redirect, TAP, or VC actions). |
| Unverified Outcome | Defines what happens after the verification fails (for example, denial, escalation, or redirect). |
Details for each of these steps can be found on the HYPR documentation website. See Administering HYPR Affirm for more information.
Pre-configured Verification Flows
To accelerate verification flow creation, Affirm offers several canned verification flows based on business use case and desired friction level:
- Onboarding: for new hire scenarios
- Recovery Flow: for credential recovery
- CC Admin: for onboarding HYPR Control Center admin accounts
For each scenario, you may choose a friction level, which refers to the number of verification steps needed to complete the verification flow. There are six levels of friction:
- Highest
- High
- Medium
- Low
- Lowest
- None (no verification steps are pre-selected)
See Reference: Friction Levels and Feature Flags for which verification steps are included in each friction level.
Application Assignment
Some verification scenarios require an integration with an Identity Provider (IDP) that has been configured elsewhere in the HYPR Control Center. IDP integrations allow HYPR to be used as a passwordless authentication mechanism to the IDP. Each IDP integration has an associated application name, often referred to as the relying party application (or rpAppId). You will need an IDP integration for the following scenarios:
- The selected Verified Outcome is Redirect to Device Manager to register a new login method
- Document and Biometric Verification has been selected as a verification step AND you are not using an Advanced Customization to retrieve identity data from an external data source
If one of those two scenarios applies, then you will select the application during the configuration of the Affirm verification flow.
See Integrations for more information on creating an integration.
Advanced Settings
HYPR Affirm provides two types of advanced settings for flexible business scenarios:
- Customizations – Custom code that overrides default behavior in key parts of the verification flow. For example, you can pull identity data from an external system rather than an IDP integration by writing JavaScript code to retrieve that data as part of the IdV flow.
  Types of customizations include:
  - User Directory: Specify the user info source.
  - SMS: Send and verify SMS codes via a custom REST call instead of HYPR's SMS service.
  - Email: Send emails through a custom REST call instead of HYPR's SMTP servers.
  - Email Notification Templates: Customize email templates used for HYPR notifications (branding edits, template revisions, and custom image uploads). See Email Notification Customization.
  - Outcome: Customize how outcomes are computed or handled when specific verification steps succeed or fail.
  Settings for all of these can be accessed by selecting a workflow in the Verification Flows tab and navigating to the appropriate section in the menu.
  See Customizations for more details on customizations.
- OIDC Settings – Set up Affirm as an OIDC relying party. These settings can trigger OIDC authentication for the requester or approver at specific points in the flow. Currently, these are assignable via the HYPR Affirm API.
  - For the requester: Forces OIDC authentication at a specified part of the flow.
  - For the approver: Forces OIDC authentication before entering a verification flow to which they were invited via email or SMS.
Integrations and Login Routing
Affirm workflows can be used as part of broader authentication and recovery journeys through HYPR integrations. In supported integration Login Settings, administrators can choose Affirm as an authenticator and map users into a selected verification flow.
This enables a consistent handoff from sign-in prompts to identity verification flows for scenarios such as recovery, high-risk access, or additional identity checks.
For integration-specific setup and supported options, see Integrations and Administering HYPR Affirm.
Deployment and Configuration
A successful Affirm deployment requires careful preparation and configuration. Use the following checklist to ensure a smooth rollout:
- Identify the Affirm verification flow steps that align with your business requirements
- Determine the desired outcomes for successful and unsuccessful flows
- Ensure you have access to the HYPR Control Center
- Ask the HYPR deployment team to enable the relevant functionality in your HYPR Control Center (see Feature Flags below)
- Configure your IDP integration or external data source
- Configure your verification flow
Configuration Tips:
- Understand possible failure modes for document and data validation (e.g., data comparison, image integrity, visual authenticity, data consistency, age validation, etc.)
- Add directory sources and ensure required user attributes (username, email, phone, etc.) are available for your flows
- For Entra or Okta integrations, follow the HYPR documentation for setup steps.
See Deployment Overview for more details.
Operational and Governance Overview
This overview page focuses on what Affirm can do. For operational setup and detailed controls, use the implementation guides linked below:
- Friction Levels and Feature Flags: Choose an assurance profile (Highest to None) and apply tenant/app feature flags to enable required capabilities. See Reference: Friction Levels and Feature Flags.
- Audit Trail and Activity Log: Track events, decisions, and step-level outcomes for investigations and compliance. See Audit Trail and Activity Log.
- Photo/Liveness and Motion Detection: Auto-capture, real-time feedback, and optional motion-detection hardening are available as part of document/liveness steps. See Administering HYPR Affirm.
- KYC/AML/OFAC Screening: Optional watchlist checks can be enabled for regulated identity-verification programs.
- Helpdesk Operations: Dedicated Helpdesk configuration, users/roles, and workflow controls are documented in Affirm Helpdesk and summarized in Helpdesk Overview.
- Validation and Testing: Use baseline functional and non-functional test coverage guidance in Reference: Friction Levels and Feature Flags.
Helpdesk Overview
Affirm includes a dedicated Helpdesk experience for secure, human-assisted identity verification. It supports role-based agent access, workflow visibility controls, configurable initialization behavior, and operational review of verification activity.
For full setup and operating guidance, see Affirm Helpdesk.
HYPR Affirm API
HYPR Affirm provides an API for advanced integration and automation. The API allows you to:
- Perform CRUD operations on verification flows and configurations
- Test HYPR Affirm IdV flows programmatically
- Assign advanced settings such as OIDC triggers and customizations
For detailed API documentation and usage examples, see the HYPR Passwordless API collection.
Example Test Cases and Verification
When validating an Affirm deployment, include both functional and non-functional checks:
- End-to-end verification outcomes across your active workflow types
- Retry-limit and failure-outcome behavior (including escalation paths)
- Data-quality and policy scenarios (for example, missing attributes, location/policy mismatches, compliance screening failures)
- Performance and reliability checks for your target user journeys
For a broader checklist baseline, see Reference: Friction Levels and Feature Flags.