
FIDO FacetIDs

Advanced Mode Only

FIDO FacetIDs appear only in Advanced Mode: Advanced Config for the Application selected under Choose an App.

API Calls

FIDO FacetIDs can be administered through the RP Applications > Advanced Configuration > FIDO2 FacetIDs calls in the HYPR Passwordless API.

Enable FacetIDs to streamline FIDO2 authentication experiences. For a full description of the scope of FIDO2 FacetIDs, see the FIDO Alliance specification.

UAF FacetIDs can be used to restrict registration and authentication to known mobile applications. A FIDO FacetID is not a general cryptographic proof of application version or identity, and should not be used as such.

By default this feature is off. Contact HYPR Support to have it enabled. Administrators are urged to ensure that all HYPR Mobile App installations have been upgraded prior to enabling FIDO FacetIDs. Registrations in older applications will have to be deleted and recreated against the new HYPR server version.

When FIDO FacetIDs are enabled:

  • The HYPR server reports a URL for fetching FacetIDs during registration and authentication

  • HYPR Mobile App will fetch FacetIDs during registration and authentication and verify that the HYPR Mobile App's FacetID is in the list

  • HYPR Mobile App sends its own FacetID along with the registration or authentication payload

  • The HYPR server will fail registrations and authentications whose FacetID is not associated with the RPApp with which the HYPR Mobile App is registering/authenticating

When FIDO FacetIDs are disabled:

  • The HYPR server does not report a URL for fetching FacetIDs during registration and authentication

  • HYPR Mobile App will not fetch FacetIDs during registration and authentication

  • The HYPR server does not verify the included FacetID in registration and authentication
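The client-side and server-side checks in the two lists above can be sketched as follows. This is an added example, not HYPR code: it assumes the fetched list uses the `trustedFacets` JSON layout from the FIDO AppID and Facet specification, and the function names, hash and bundle ID are hypothetical placeholders.

```python
import json

# Constructed sample in the TrustedFacets layout of the FIDO AppID and Facet
# specification; the key hash and bundle ID are made-up placeholders.
SAMPLE_FACET_LIST = json.dumps({
    "trustedFacets": [{
        "version": {"major": 1, "minor": 0},
        "ids": [
            "android:apk-key-hash:EXAMPLEexampleEXAMPLEexample",
            "ios:bundle-id:com.example.passwordless",
        ],
    }]
})


def trusted_ids(facet_list_json, major=1, minor=0):
    """Return the facet IDs listed for one protocol version (empty set on bad input)."""
    try:
        doc = json.loads(facet_list_json)
    except (TypeError, ValueError):
        return set()  # unparseable list: trust nothing
    entries = doc.get("trustedFacets", []) if isinstance(doc, dict) else []
    ids = set()
    for entry in entries:
        if not isinstance(entry, dict) or not isinstance(entry.get("version"), dict):
            continue  # skip malformed entries instead of guessing
        version = entry["version"]
        if (version.get("major"), version.get("minor")) == (major, minor):
            ids.update(i for i in entry.get("ids", []) if isinstance(i, str))
    return ids


def client_may_proceed(facet_list_json, own_facet_id):
    """Client side: the app's own facet ID must appear in the fetched list.
    Comparison is an exact, case-sensitive string match."""
    return own_facet_id in trusted_ids(facet_list_json)


def server_accepts(facets_enabled, rpapp_facet_ids, presented_facet_id):
    """Server side: with FacetIDs on, the presented ID must belong to the RPApp."""
    if not facets_enabled:
        return True  # disabled: the included FacetID is not verified
    return presented_facet_id is not None and presented_facet_id in rpapp_facet_ids
```

Both checks fail closed: a list that cannot be parsed, or an entry for a different protocol version, yields no trusted IDs.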

The FIDO FacetID becomes part of the HYPR Mobile App's unique identifier for a registration. Therefore, whether or not the FacetID is checked must be the same during registration and authentication.

  • If FIDO FacetIDs are on for registration but off for authentication, the HYPR Mobile App will be unable to authenticate

  • Likewise, if FIDO FacetIDs are off for registration but on for authentication, the HYPR Mobile App will also be unable to authenticate

  • Finally, in all cases, if FIDO FacetIDs are on but the mobile application's FacetID is not registered with the RPApp, the operation will be denied

To enable graceful migration for administrators wishing to use FIDO FacetIDs, HYPR Mobile SDK v9.1.1 and above will allow HYPR Mobile Apps using registrations created without FIDO FacetIDs to authenticate against RPApps using FIDO FacetIDs, provided the FIDO FacetID on the application is registered with the RPApp.