10.1.0 Release Notes
HYPR 10.1.0 is an Enterprise Channel Release.
The Enterprise Release Channel follows a quarterly upgrade cycle, ensuring a stable and predictable update process. This schedule provides organizations with ample time to test, adapt, and implement changes while minimizing disruptions to business operations. With each release, customers receive the latest security, performance, and feature enhancements, allowing them to stay up to date with improvements while maintaining operational stability.
To enable our customers to be more proactive in anticipating industry changes that affect HYPR architecture and topology needs, we have created the Breaking Changes section of the Release Notes. This section may be updated after the GA Release as information becomes available to HYPR.
Minimum Supported Versions
Release Date | HYPR Product | Minimum Requirement | Notes |
---|---|---|---|
March 31, 2025 | HYPR Passwordless for Windows 10.1.0 | Windows (10 "1803", 11) | Reboot required if upgrading from 7.6 or below; Security Key Support for YubiKey 5 Series with firmware 5.X, YubiKey Bio Multi-Protocol Edition, IDEMIA ID-One on Cosmo 8.2, Feitian K9 Plus and K40 Plus and its offshoots |
March 31, 2025 | HYPR Passwordless for Mac 10.1.0 | macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma 14.1 [not 14.0]) | Security Key Support for Yubikey 5 Series with firmware 5.X and Feitian ePass K9 Plus, K40 Plus and their respective offshoots |
March 31, 2025 | HYPR Mobile App for Android 10.1.0 | Android 8.0+ | |
March 31, 2025 | HYPR Mobile App for iOS 10.1.0 | iOS 12.4+ | |
March 31, 2025 | HYPR Server 10.1.0 | Java Development Kit (JDK) 17+ | Upgrade to 7.10 required before upgrading to 8.0.0 or higher |
March 31, 2025 | HYPR SDK for Android 10.1.0 | Android 8.0+ | |
March 31, 2025 | HYPR SDK for iOS 10.1.0 | iOS 12.4+ | |
March 31, 2025 | HYPR SDK for Java 10.1.0 | Java Development Kit (JDK) 17+ |
All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.
New Features
-
[Enterprise Passkey] Updated User Experience [Beta]
- The Enterprise Passkey desktop login user experience has been simplified and streamlined even further. It now features a mobile-initiated flow, similar to standard HYPR authentication flows.
- Users can tap on the computer account in their HYPR Mobile app to start authentication on their desktop.
-
[Enterprise Passkey] Offline support [Beta]
- Enterprise Passkey can be used for offline authentication, making it suitable for a wider range of enterprise use cases and scenarios, and leveraging the phishing-resistant properties of the FIDO2 protocol.
- Users can generate an Offline PIN in their HYPR Mobile App to authenticate to their desktops even if any of the devices is offline.
-
[Control Center;HYPR Mobile App for Android and iOS] HYPRLinks support
- HYPR platform introduces its own short and dynamic link service, providing a more robust and flexible experience for both administrators and end-users.
- The HYPRLinks service allows deep linking to specific content within your mobile app without depending on external cloud-based services, making it suitable for global deployments and users abroad.
- This replaces the support for Firebase Dynamic Links for Android and iOS, which is being discontinued as per Google's deprecation announcement, and takes effect on August 25, 2025.
-
[Adapt] Logging-Only Policy Mode [Beta]
- HYPR Adapt policies can now be configured in Logging-Only Mode, enabling administrators to evaluate policy behavior in real-world scenarios without enforcing any actions.
- This feature allows organizations to assess the potential impact of policies before activation, ensuring informed decision-making while maintaining a seamless user experience.
Enhancements
-
[Affirm] Notifications & Alerts
- Approvers of all types, including
SOMEONE_ELSE
, can now receive SMS notifications for approval escalations. This ensures timely alerts and faster decision-making by allowing organizations to pass in phone numbers for approvers, similar to email notifications.
- Approvers of all types, including
-
[Affirm] Identity Verification Results Reporting
- Identity verification reports are now accessible to approvers, requests, and Control Center users, improving transparency and decision-making. This data is available via the API, Control Center Logs, Approver Scorecard, and the Requestor results screen.
-
[Affirm] Workflow Management
- Users can now receive their OTP via SMS or corporate email, based on administrator settings in the HYPR Control Center. This enhancement provides greater flexibility for authentication methods.
- Affirm can now read and synchronize timeout settings with Microsoft Entra as well as enforce configured timeouts from Control Center, ensuring authentication timeouts align with organizational security policies and improve user experience.
- Admins can now quickly configure Affirm workflows using predefined templates based on friction levels (high, medium, low, and lowest) for specific use cases like Onboarding and Recovery. This streamlines setup and ensures consistency across workflows.
- Organizations can now customize authentication outcomes based on an Unverified result for an Identity Verification workflow.
- All Affirm code customizations are now available through the API, providing developers with greater control and automation capabilities.
- Admins can now define authentication methods based on individual attributes from multiple user directories. This granular control enhances flexibility and security by allowing personalized authentication profiles while maintaining strict data governance.
-
[Affirm] Workflow UX/UI Enhancements
- Users will now see workflow-specific instructions dynamically generated based on HYPR Control Center settings, ensuring clear guidance at the start of each workflow.
- The user consent screen will now dynamically pull end user consent language, ensuring proper consent messaging and capture controls based on workflow configuration and compliance requirements.
-
[Integrations] Entra ID OAuth 2.0 Client Credentials Grant flow
- Entra ID Enterprise Passkey and Entra ID EAM (External Authentication Methods) integrations leverage the OAuth 2.0 Client Credential Grant flow and can be configured with client secrets or client certificates.
-
[Integrations] Entra ID External Authentication Method integration
- Administrators now can add multiple Entra ID EAM integrations.
- Authentication claims (
acr
andamr
) are dynamically set based on the user's authentication method.
-
[HYPR Passwordless for macOS] Administrators can configure PIN complexity for security devices.
-
[HYPR Passwordless for Windows] Authentiation login speed by default is improved by making additional user account checks optional.
-
[HYPR Passwordless for Windows] Administrators can configure a Touch Policy for YubiKeys.
-
[HYPR Passwordless for Windows] Administrators can configure PIN retries for YubiKeys.
-
[HYPR Passwordless for Windows] Administrators can enable smart-card pairing. The user experience is catered and a new device type is shown during registration.
-
[Platform - Keycloak] Consolidate policy evaluation calls in the Keycloak Select Login Method module
-
[Platform - Keycloak] Keycloak to send authenticated Events
-
[HYPR Mobile App, HYPR Passwordless] End User License Agreement was updated
-
[HYPR Documentation] Organizational Changes
- The Documentation portal Integrations section, previously under Control Center, is now a standalone section
- HYPR Passwordless configuration in Control Center is now moved under HYPR Passwordless
Events
The following Events have been added:
-
AFFIRM_WORKFLOW_EMAIL_CODE_SENT
: Affirm workflow event - code sent. -
POV_EXPIRATION_CLEARED
: Offline token access request. -
POV_EXPIRATION_SET
: Authentication using Offline Mode. A mobile app user used an Offline Mode PIN to login to the workstation. -
MOBILE_DYNAMIC_LINK_USED
: Firebase from app open. | HYPRLink from HYPR scan. | Firebase from HYPR scan.
The following Events are now deprecated:
-
ADAPT_CREATE_EVENT_HANDLER
-
MACHINE_SIGNAL_RECEIVED
See Event Descriptions for a list of all HYPR Events and parameters.
Error Messages
The following error codes have been added:
-
1207019:
THIRD_PARTY_THROTTLE
-
1522054:
FailedToSetPinPukRetries
-
Background Machine Status
-
114404:
HYPR_DISPLAY_CODE_OP_WS_STATUS_APP_PROFILE_EXCEPTION
-
114405:
HYPR_DISPLAY_CODE_OP_WS_STATUS_NO_CONTEXT
-
114406:
HYPR_DISPLAY_CODE_OP_WS_STATUS_REMOVE_MACHINE_EXCEPTION
-
To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.
APIs
-
[Affirm] Regular outcome is
OUTCOME
step in the workflow settings, with following possible settings keys:OUTCOME_STEP_RESULT
OUTCOME_STEP_REDIRECT_URL
OUTCOME_STEP_VERIFIABLE_CREDENTIAL_AUTHORITY_ID
OUTCOME_STEP_VERIFIABLE_CREDENTIAL_MANIFEST_CONTRACT_ID
OUTCOME_STEP_VERIFIABLE_CREDENTIAL_TYPE
OUTCOME_STEP_TAP_TIMEOUT_PRESET
OUTCOME_STEP_TAP_TIMEOUT_MINUTES
OUTCOME_STEP_DISPLAY_VERIFICATION_CONFIRMATION_ID
-true
/false
, applicable whenOUTCOME_STEP_RESULT
isDO_NOTHING
-
[Affirm] Failure outcome is
FAILURE_OUTCOME
with possible options:FAILURE_OUTCOME_STEP_RESULT
-DO_NOTHING
/REDIRECT
FAILURE_OUTCOME_STEP_DISPLAY_VERIFICATION_CONFIRMATION_ID
-true
/false
, applicable whenFAILURE_OUTCOME_STEP_RESULT
isDO_NOTHING
FAILURE_OUTCOME_STEP_REDIRECT_URL
-
[Affirm] Get the results of a workflow attempt:
GET cc/api/idv/workflow/workflowid/results
You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.
Upcoming Changes
-
[Enterprise Passkey] Third-party Passkey Provider Support
- Enterprise Passkey can transform the HYPR Mobile App for Android and iOS into a Third-Party Passkey Provider, creating a consistent user experience with other passkeys providers, either platform or third-party.
- Users can use a registered Enterprise Passkey in the HYPR Mobile App through the native passkey support in Android and iOS, enabling native and browser mobile use cases.
If you're interested in experiencing this feature before it's released to the general public, please contact HYPR support to participate in the early access program.
-
[Adapt] Composite Policies
- HYPR Adapt now allows administrators to combine multiple existing policies into one unified policy, giving you greater control and flexibility in managing your security settings.
If you're interested in experiencing this feature before it's released to the general public, please contact HYPR support to participate in the early access program.
Bug Fixes
-
[Adapt] Fixed: CrowdStrike IdP policy evaluation IdP score check is not working as expected
-
[Adapt] Fixed: CrowdStrike policies:
allowed=true
when unable to obtain a score -
[Adapt] Fixed: CrowdStrike Signal Handlers: Add a Bulk API call to cover ZTA machine statuses for user web calls
-
[Adapt] Fixed: CrowdStrike ZTA policy enhancement fires
STORED_API_ZERO_TRUST_ASSESSMENT
event whenever the ZTA score is manually retrieved -
[Adapt] Fixed: Logging Only Enabled/Disabled status is not tracked in the Audit Trail
-
[Adapt] Fixed: Login Limits Policy: The user remains blocked even after the User Blocked Duration configured.
-
[Adapt] Fixed: Manual evaluation input gets overridden on evaluation request
-
[Adapt] Fixed: Policy / Handler search doesn't work with ID; it works only with name
-
[Adapt] Fixed: The risk policy name is displayed as 'NA' in the Integrations page when the policy is deleted
-
[Affirm] Extra spaces are now automatically removed from the Affirm Login Identifier field to prevent input errors.
-
[Affirm] Resolved a caching issue that caused session failures when users attempted to retry a workflow after being denied.
-
[Affirm] Deleting an Affirm code customization now correctly deactivates any flows associated with the deleted customization.
-
[Affirm] Affirm flows are no longer unintentionally deleted when the RPApp associated with the flow is removed.
-
[Affirm] Fixed: After consent screen, instead of redirecting to chat it redirects to Control Center login page
-
[Affirm] Fixed: Control Center UI Verification Flows table Description sort leads to a white screen
-
[Affirm] Fixed: Generic error when updating a Verification Flow that isn't assigned an
rpAppId
-
[Authenticate] Resolve infinite loop issue on authentication with Android 15
-
[HYPR Mobile App for Android] Fixed an issue where the app froze after deregistering a workstation on HYPR Passwordless during a device token refresh.
-
[HYPR Passwordless for Windows] Fixed: Checking wrong error code after
DiInstallDriver
-
[HYPR Passwordless for Windows] Fixed:
HyprServiceInstallError
system environment variable may be set following the HYPR Passwordless client installation -
[HYPR Passwordless for Windows] Fixed: Not getting firmware version from Feitian keys
Known Issues
-
[Adapt] The user is not being blocked even after an unsuccessful Monitor Authentication login attempt
-
[Adapt] Upong a cold start of the risk engine (e.g., after an upgrade) blocked policy might not be applied
-
[Control Center] Server still sends push notifications with incorrect proxy credentials
-
[Control Center] The security key's device serial number is displayed instead of the certificate's serial number under the User Management table.
-
[HYPR Passwordless for Windows] The text messages in the Windows' login screen are replaced with incorrect text by HYPR Passwordless credential provider under certain circumstances
-
[HYPR Passwordless for Windows] HYPR displays an error when a paired Yubikey Bio MPE has the maximum number of fingerprints stored already
-
[HYPR Passwordless for Windows] HYPR displays an error when a paired Yubikey Bio MPE has the maximum number of fingerprints stored already
-
[HYPR Passwordless for Windows] If the YubiKey mini-driver is updated by HYPR Passwordless installer, a reboot is required
-
[HYPR Mobile App for iOS] The text below the logo on the home screen still says "True Passwordless Security" and has not been updated to "Identity Assurance"
Breaking Changes
-
[Affirm] The step definition related to
PHONE
step identifier is now obsolete.- A new
PHONE_OR_EMAIL
step definition was introduced, with the attributes below:
{
"name": "PHONE_OR_EMAIL",
"settings": {
"PHONE_OR_EMAIL_STEP_OTP_ENABLED": true,
"PHONE_OR_EMAIL_STEP_CONTACT_PREFERENCE": <string>
}
}-
PHONE_OR_EMAIL_STEP_OTP_ENABLED
[true or false]- enabled whether One-Time Passcode (OTP) should be sent after verification of chosen medium (phone number or email)
-
PHONE_OR_EMAIL_STEP_CONTACT_PREFERENCE
- medium of choice to be used for sending the OTP, it can be
SMS
,EMAIL
orSMS_OR_EMAIL
- If the
SMS_OR_EMAIL
is chosen the user being verified will be able to choose their preferred medium on their own
- If the
- medium of choice to be used for sending the OTP, it can be
- A new
-
[Integrations] Entra Enterprise Passkey and EAM (External Authentication Method) Integrations require manually adjusting permissions
- The integration will replace the use of service account roles with OAuth 2.0 Client Credentials grant. This requires adjusting the permissions that were previously granted to the service account through roles, now to the HYPR application in Entra through API permissions. Please refer to the Granting Required API Permissions section for the EAM and Enterprise Passkey integrations.
-
[HYPR Passwordless for Windows] Updated system requirements
-
To ensure optimal performance and compatibility, we've updated the system requirements for HYPR Passwordless for Windows.
- Minimum Operating System: Windows 10 "1803"
- Minimum .NET Framework Version: .NET Framework 4.7.2
-
Please note that these updated requirements will apply to future releases of HYPR Passwordless for Windows.
-