Version: 10.3.0

10.3.0 Release Notes

HYPR 10.3.0 is an Enterprise Channel Release.

The Enterprise Release Channel follows a quarterly upgrade cycle, ensuring a stable and predictable update process. This schedule provides organizations with ample time to test, adapt, and implement changes while minimizing disruptions to business operations. With each release, customers receive the latest security, performance, and feature enhancements, allowing them to stay up to date with improvements while maintaining operational stability.

New Section

To enable our customers to be more proactive in anticipating industry changes that affect HYPR architecture and topology needs, we have created the Breaking Changes section of the Release Notes. This section may be updated after the GA Release as information becomes available to HYPR.

Minimum Supported Versions

| Release Date | HYPR Product | Minimum Requirement | Notes |
|---|---|---|---|
| June 25, 2025 | HYPR Passwordless for Windows 10.3.0 | Windows (10 "1803", 11) | Reboot required if upgrading from 7.6 or below; Security Key Support for YubiKey 5 Series with firmware 5.X, YubiKey Bio Multi-Protocol Edition, IDEMIA ID-One on Cosmo 8.2, Feitian K9 Plus and K40 Plus and its offshoots |
| June 25, 2025 | HYPR Passwordless for Mac 10.3.0 | macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma 14.1 [not 14.0]) | Security Key Support for YubiKey 5 Series with firmware 5.X and Feitian ePass K9 Plus, K40 Plus and their respective offshoots |
| June 25, 2025 | HYPR Mobile App for Android 10.3.0 | Android 8.0+ | |
| June 25, 2025 | HYPR Mobile App for iOS 10.3.0 | iOS 12.4+ | |
| June 25, 2025 | HYPR Server 10.3.0 | Java Development Kit (JDK) 17+ | Upgrade to 7.10 required before upgrading to 8.0.0 or higher |
| June 25, 2025 | HYPR SDK for Android 10.3.0 | Android 8.0+ | |
| June 25, 2025 | HYPR SDK for iOS 10.3.0 | iOS 12.4+ | |
| June 25, 2025 | HYPR SDK for Java 10.3.0 | Java Development Kit (JDK) 17+ | |

Backward Compatibility

All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.

New Features

  • [Adapt] HYPR Adapt for Microsoft Edge for Business Integration [Demo]

    • This integration provides access to device signals directly through the browser, providing broader coverage for device signals by accessing attested information not available from regular web application contexts.
    • Microsoft Edge for Business APIs support three security connector groups: Device Trust, Reporting and Data Loss Prevention, allowing enterprise browser capabilities to be leveraged to enhance security assessment features.
  • [Affirm] KYC Compliance Checks - AML, OFAC, Watchlists

    • Affirm can now utilize Onfido's enhanced identity verification services for comprehensive KYC, AML, and OFAC checks with added security layers.
    • Automated OFAC & AML screening via Onfido — integrates compliance data sources to check user identity attributes against sanctions lists, watchlists and financial crime databases, with results displayed over APIs, Control Center logs and approver scorecards.
    • Comprehensive monitoring of regulatory risk through logged compliance check results in Control Center, approver scorecards and all logs/events, enabling enterprises to proactively identify high-risk individuals before they gain access to sensitive services.
    • Streamlined compliance workflows eliminate the need for customers to stitch together multiple vendors or manual reviews, reducing operational costs, error rates and friction, and supporting fintech, crypto, gaming and banking customers with strict KYC requirements.
  • [Affirm] Injectable Outcomes & Retry Limits [Beta]

    • Added the functionality for admins to configure outcomes for verification steps when they fail, as well as customizable retry limits (both applicable to the following steps: Phone/Email Verification, Location, Identity Verification, Photo ID and Liveness Capture).
    • Step-level outcome control enables customers to define how each verification step handles Success, Failure and Error outcomes through configurable actions including Deny Verification, Redirect Workflow, Continue Workflow, retry attempts, fallback verification methods and escalation procedures, allowing organizations to take different actions based on which step failed rather than applying uniform workflow-wide responses.
    • Support for dynamic redirect URLs as customized step outcomes.
  • [Affirm] Help Desk Application [Alpha]

    • Help Desk agents can log in using their organization's existing authentication methods including SSO or enterprise identity providers, ensuring secure role-based access to the Affirm Help Desk interface.
    • Agents can quickly search for and validate verification codes shown to users at the end of their workflow, enabling fast identification of specific transactions without requiring additional personal details.
    • New identity verification workflows can be launched by sending URLs directly to users via email or SMS, or by sharing them via internal communication tools, eliminating delays and improving user experience.
  • [Affirm] End User Screen Management System [Beta]

    • End User Screen Management System allows Control Center admins to manage content and branding displayed on end-user screens for both Requesters and Approvers within the HYPR Affirm workflow, enabling customization of titles, descriptions, placeholders, captions and button labels.
    • The content customization API provides four new routes for creating, patching and retrieving content customizations, allowing customers to apply logos, brand colors and company-specific language for a more trusted and cohesive end-user experience while supporting localized versions for global teams.
  • HID Global Crescendo 4000 card/keys integration

    • Integrates HID Global's Crescendo 4000 line of access cards and security keys, supporting desktop login through Smart Card/PIV with PIN input, desktop/web access through FIDO2 credentials/passkeys and different physical access protocols with contact and/or contactless interfaces.
    • Unified access experience with a single secure credential for both physical and digital environments through phishing-resistant device-bound authentication without password fallbacks, simplifying IT operations via centralized credential management and extending existing HID infrastructure to digital access needs.
    • Requires the "Smart Card Pairing" setting introduced in 10.1 to be enabled, with HID Global's Smart-Card Mini-Drivers available through Windows Update for automatic installation or manual installation via a downloadable driver, while HID Global Crescendo 4000 cards require capable Smart Card reader devices supporting contact and/or contactless interfaces.
    • Added HID smart card support for WFA.
  • HYPR Passwordless Branding for MacOS

    • Enables administrators to set basic branding customizations including Application Icon, Application Name, Background Image and Logo, putting Mac support on par with Windows in terms of basic branding capabilities for a more homogeneous user experience.
    • Improved user trust and platform consistency — unified and professional user interface experience on both Mac and Windows through consistent branding aligned with corporate identity, enhancing trust.

Enhancements

  • [Affirm] Improvements to Photo and Liveness Detection [Beta]

    • Auto Capture automatically detects when a document is properly positioned and initiates capture without requiring manual input, reducing friction and improving speed especially for users unfamiliar with scanning documents.
    • Real-time feedback provides live feedback to users on issues like poor lighting, glare, blurriness or out-of-frame images, helping them correct conditions before submission to ensure higher verification success rates.
    • User guidance UI for biometric and document capture displays intuitive on-screen overlays including facial bounding boxes and document framing guides to direct users where to position their face or ID, minimizing user error and enhancing first-time capture accuracy.
  • HYPR Enterprise Passkey Enhancements

    • HYPR Enterprise Passkeys can now work when the HYPR Mobile App is offline, the workstation is offline, or both are offline at the same time, providing coverage across common enterprise use cases including offline scenarios.
    • The new "Tap-to-Login" user experience features a mobile-initiated flow that provides similar user interactions regardless of Entra join type, ensuring Entra joined, Entra hybrid joined and Active Directory joined devices have consistent experiences without requiring additional device-specific guidance.
    • Third-party passkey provider support addresses mobile use cases through third-party passkey provider APIs, enabling native passkey flows for mobile native apps and browser-based apps, with seamless authentication flows that eliminate the back-and-forth between browser and apps.
    • Focus on improving user experience and reliability through roaming support restoration, Recovery and Offline PIN fixes for Entra hybrid joined devices, extensive bug fixes for edge cases and moving FIDO2 Provisioning API support closer to GA.
    • Further streamlines registration through inline registration into Entra ID via the FIDO2 Provisioning API while deprecating transports including BLE, WiFi and FIDO2 Gateway, with Offline PINs generated during registration and renewed after each unlock.
    • Enterprise Passkey authentication events can now be logged separately.
    • Implemented metrics for the passkey provisioning API.
    • Added support for encrypting passkeys in Windows using AES.
    • Added a Roaming feature: scan-to-unlock can be used on a workstation joined to Entra ID that has never been paired with the HYPR mobile app.
  • Security Key and Smart-Card Enhancements

    • A touch policy for Series 5 YubiKeys can now be enforced in addition to activation secrets (PINs), requiring users to both enter their PIN and physically touch the key. It is controlled by the SecurityKeyTouchPolicy registry setting on the workstation.
    • Configurable lockout for Series 5 YubiKeys sets the number of failed PIN attempts allowed, controlled by the SecurityKeyPinRetries setting on the workstation, reducing support burden and improving user experience while enhancing security and compliance with security requirements.
  • [Authenticate] UX/UI Enhancements

    • Improvements made to WFA interface and links ("Need assistance" and "Contact support")
  • [Authenticate] Performance and Security Enhancements

    • Improvements to general stability
    • Improvements to specific feature flags and their components
    • Feature flags are now cached at JVM level
    • WS Long polling has been disabled by default to improve performance
    • Addressed potential logging-related vulnerabilities
  • [Authenticate for MacOS] Added an option to customize the number of PIN attempts a user is allowed to make before they are locked out

  • [Affirm] Workflow UX/UI Enhancements

    • The workflow setup menu has been streamlined to improve user experience
    • The Continue button has been removed from the Almost Done! screen—the user is now redirected to the next step automatically once the process is complete
    • Fixes and improvements to the Keycloak login UI
    • Added pagination for the Affirm flow page
    • Changed the text displayed on the Location Verification Skipped screen
    • The username in the single-user workflow can now be set to be read-only
    • Approvers of type DYNAMIC can now be created via the UI, matching the API specifications
    • Added an option for the single-user workflow that allows for the login identifier step to be skippable for any workflow instance initialized with requester data via API
    • Integrated anti-money laundering reports into the Affirm workflow
  • [Control Center] Control Center UX/UI Enhancements

    • Addressed potential security vulnerabilities
    • The default code customization for USER DIRECTORY has been improved
    • Improved Control Center UI
  • [HYPR One App for iOS] Performance and Security Enhancements

    • Improved performance by optimizing the feature flag API to request configurations only for features that are actively in use, reducing unnecessary data transfer.
    • Enhanced the security of the API token exchange process by refactoring its implementation to align with modern best practices
    • Updated the Version Control component
    • Improved the security of stored data
  • [HYPR One App for Android] Enhancements to app stability

Events

The following Events have been added:

AFFIRM_WORKFLOW_STEP_RESULT - Tracks when a verification flow gets terminated due to a requestor reaching a DENY or REDIRECT outcome

AFFIRM_WORKFLOW_REQUESTOR_BLOCKED - Tracks when a requestor gets blocked after reaching a DENY outcome

AFFIRM_WORKFLOW_REQUESTOR_UNBLOCKED - Tracks when a requestor gets unblocked through the API

See Event Descriptions for a list of all HYPR Events and parameters.

Error Messages

The following error codes have been added:

  • 1202603: HEALTH_CHECK_CONFIGURATION_ERROR

  • 1202604: CACHE_INVALIDATION_ERROR

To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.

APIs

  • [User & RPUser Management]

    • Added support for querying RP users with filtering and pagination:
      GET /cc/api/versioned/rpUser
    • Added endpoint to summarize registered users per RP App:
      GET /cc/api/versioned/rpUser/registered/summary/rpApp
    • Added endpoint to delete a specific device for an RP user:
      DELETE /cc/api/rpUser/deleteDevice
    • Added endpoint to delete a user by appId and username:
      DELETE /cc/api/user
  • [Identity Verification (IDV)]

    • Added endpoints for managing and querying OIDC configurations and assignments:
      • GET /cc/api/idv/oidc/{id}
      • DELETE /cc/api/idv/oidc/{id}
      • GET /cc/api/idv/configuration
      • GET /cc/api/idv/configuration/supportedTenantRpApps
      • GET /cc/api/idv/code-customization/{id}
      • DELETE /cc/api/idv/configuration/{rpAppId}
    • Added endpoint to unblock an unverified user:
      • POST /cc/api/idv/user/unblock
  • [Integrations & Adapt]

    • Added endpoint to check SSO integration enablement:
      GET /cc/api/idp/integration/enablement
    • Added endpoint to fetch all RP App Adapt configurations:
      GET /cc/api/appconfig/adapt/assignments

You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.

Upcoming Changes

  • [Enterprise Passkey] Third-party Passkey Provider Support

    • Enterprise Passkey can transform the HYPR One App for Android and iOS into a Third-Party Passkey Provider, creating a user experience consistent with other passkey providers, whether platform or third-party.
    • Users can use a registered Enterprise Passkey in the HYPR One App through the native passkey support in Android and iOS, enabling native and browser mobile use cases.
  • [Adapt] HYPR Adapt for Microsoft Edge for Business Integration

    • HYPR Adapt policy risk engine seamlessly integrates with Microsoft Edge for Business to bolster enterprise security by extending signal collection and exchange with your corporate browsers.
    • This integration provides access to device signals directly through the browser, providing broader coverage for device signals by accessing attested information not available from regular web application contexts.
  • [Adapt] Composite Policies

    • HYPR Adapt now allows administrators to combine multiple existing policies into one unified policy, giving you greater control and flexibility in managing your security settings.

If you're interested in experiencing any of these upcoming features before they're released to the general public, please contact HYPR support to participate in the early access program.

Bug Fixes

  • [Adapt] Fixed: Assigning a policy to the POST_FIDO_AUTH evaluation point causes the registration to fail

  • [Adapt] Fixed: The login QR code can be incorrectly placed outside of the relevant pop-up dialog boxes in the sample web app if the QR code generation is attempted several times

  • [Adapt] Fixed: The ADAPT_POLICY_EVAL_USER_BLOCKED event does not always trigger when users are blocked by login limits

  • [Affirm] Fixed: Infinite loop on the chat screen during the Affirm flow

  • [Affirm] Fixed: Infinite loop in the Onfido selfie check during the Affirm flow

  • [Affirm] Fixed: When the other approver is set as the requester, no error is thrown and the flow can complete, but the approver encounters a failure when attempting to join

  • [Affirm] Fixed: Incorrect aspect ratios for custom branding logos

  • [Affirm] Fixed: The Continue button does not appear after approver leaves the chat; refreshing the page takes the user to the Control Center login page

  • [Affirm] Fixed: Affirm Dashboard contains missing/broken report metrics

  • [Affirm] Fixed: An extra quotation mark appears on the "could not send a message to you" email screen

  • [Affirm] Fixed: Updating another approver with a phone number does not become active until the email is changed, preventing the flow from being saved when only the phone number is updated

  • [Affirm] Fixed: DM outcome fails when code customization returns a custom login ID that differs from the user's entered login ID

  • [Affirm] Fixed: New device email uses user.email instead of user.namedUser, resulting in the email referencing the user's email address rather than their named user identifier

  • [Affirm] Fixed: A specific typo in identity verification results and approver screens

  • [Affirm] Fixed: The word "Checkbox" is displayed next to the server PKCE support checkbox

  • [Affirm] Fixed: Incorrect wording in PhoneNumber/Email verification on Control Center UI

  • [Affirm] Fixed: The Help Desk application does not display data for approved flows, with a blank screen displayed when selecting a successful flow

  • [Affirm] Fixed: API fields PHONE_OR_EMAIL_STEP_CORPORATE_EMAIL_DOMAIN and PHONE_OR_EMAIL_STEP_ENFORCE_CORPORATE_EMAIL_DOMAIN_VALIDATION are required but have no effect, and should not be required until supported in the product

  • [Affirm] Fixed: The document verification step isn't able to detect that no documents have been uploaded

  • [Authenticate] Fixed: Users can sometimes be authenticated in CC Server via fido-only authN even if the fido-only profile is no longer available in the database

  • [Authenticate] Fixed: Registration flow fails with a 404 error when using an Azure rpApp on a non-Azure, on-premises AD VM logged in with a domain user. This release addresses a regression where this configuration previously worked.

  • [Authenticate] Fixed: Control Center incorrectly labels security key serial numbers as certificate serial numbers

  • [Authenticate] Fixed: The /rp/wsapi/client/verification/complete API endpoint returns a "404 not found" error, even though the registration itself is successful

  • [Authenticate] Fixed: When Roaming User and Non-persistent VDI are both enabled for Azure rpApp during WFA installation, QR code generation fails and an incorrect FIDO2_MOBILE_AUTHENTICATOR feature flag error is shown even though the flag is enabled

  • [Authenticate] Fixed: The Recovery PIN cannot be used to unlock the workstation

  • [Authenticate] Fixed: Recovery PINs are not being re-generated after unlocking the workstation

  • [Authenticate] Fixed: Hybrid registration fails for a specific hybrid user type

  • [Authenticate] Fixed: Deregistering a device from WFA on an Entra-only workstation generates an OOB_DEVICE_UNPAIRED event instead of the expected WORKSTATION_INITIATED_DELETE event

  • [Authenticate] Fixed: On Hybrid Joined workstations, unlocking with Online Unlock or Offline PIN requires clicking the FIDO Security key tile twice for a successful unlock

  • [Authenticate] Fixed: On Hybrid Joined workstations, unlocking with an Offline PIN sometimes fails even after multiple retries or generating new Offline PINs

  • [Authenticate] Fixed: Hybrid WS - Deregistering a user registration that is not synced with AAD does not remove the details of the user and the device from Control Center user management

  • [Authenticate] Fixed: When the CrowdStrike service is broken, requesting the aid can take up to 10 seconds due to a timeout, slowing down the authentication process and increasing the risk of timeouts

  • [Authenticate] Fixed: HyprUnlock is sometimes unable to open the FIDO2 HID device, preventing successful EPK pairing after the machine has been running for a while or resumes from sleep or hibernation

  • [Authenticate for MacOS] Fixed: HyprOneService sends too many events to Sentry

  • [Authenticate for Windows] Fixed: After a fresh installation of WFA, EPK registration fails on the first few attempts and only succeeds after specific troubleshooting steps such as signing out, restarting services, or rebooting the workstation

  • [Authenticate for Windows] Fixed: In very specific cases, HyprCredProvider may attempt to call the EventLog API before the EventLog service is ready, resulting in "The RPC server is unavailable" errors and unhandled exceptions

  • [Authenticate for Windows] Fixed: In a specific Windows environment, WFA fails to launch and crashes with an ntdll.dll error when started by double clicking the desktop shortcut

  • [HYPR One App for Android] Fixed: EPK registration does not handle TraceId values correctly during network latency, causing inconsistencies when registering multiple workstations

  • [HYPR One App for Android] Fixed: After pairing with a non-persistent VDI machine, the mobile app bubble shows the default computer image instead of the QR code image until clicked

  • [HYPR One App for Android] Fixed: The Android app crashes when navigating to web paired accounts after registration with single registration enabled tenant

  • [HYPR One App for Android] Fixed: Sometimes, the status bar is invisible on version 15 of Android

  • [HYPR One App for Android] Fixed: The workstation registration can unexpectedly vanish from the "My computer" screen on an Android device, even if it is not explicitly deregistered.

  • [HYPR One App for Android] Fixed: The 10.1 Android app crashes if the tenant from which the account was paired is deleted

  • [HYPR One App for Android] Fixed: On Android, attempting to register a passkey with Microsoft or webauthn.io by scanning a QR code from the desktop results in an error on the mobile device and may cause the app to crash

  • [HYPR One App for Android] Fixed: Pushes to the reference app would sometimes fail if the app was open at the time of the push

  • [HYPR One App for Android] Fixed: On Android, QR unlock fails for hybrid users and displays an "Authentication failed" error on the mobile device when attempting to unlock from another VM in a roaming scenario

  • [HYPR One App for iOS] Fixed: Issues relating to duplicate QR codes

  • [HYPR One App for iOS] Fixed: On iOS, EPK registration fails with an invalid JSON payload error when scanning the QR code

  • [HYPR One App for iOS] Fixed: On the 10.1 iOS app, deleting a paired account in Single Reg does not display the warning message in red letters as expected

  • [HYPR One App for iOS] Fixed: On iOS, EPK unlock fails and displays an "Authentication failed" error even when the device is already paired and previously worked

  • [HYPR One App for iOS] Fixed: On iOS, an incorrect error message is displayed during registration when the HYPR app version enforcement policy for the current date is set in Control Center and the installed app version is below the minimum required

  • [Integrations] Fixed: Users can generate unlimited OTP codes by repeatedly starting flows with email OTP enabled, instead of being throttled after multiple attempts

  • [Integrations] Fixed: Users are incorrectly blocked when FIDO2 is set as an allowed authenticator because FIDO2 attempts are still counted toward the pending authentication threshold

  • [Integrations - Control Center] Fixed: Access level for role-less IDP assigned users is no longer displayed, and the ability to edit access level or access the Control Center user roles link is missing

  • [Integrations - CrowdStrike] Fixed: Creating a new CrowdStrike handler in Control Center 10.1 with Adapt Risk Engine 9.7 can result in a JSON decoding error

  • [Integrations - Keycloak] Fixed: Keycloak screen flashes during in-line registration

  • [Integrations - Keycloak] Fixed: In Keycloak, using only a background without a logo for branding does not work as expected

  • [Integrations - OIDC] Fixed: Control Center incorrectly displayed an "invalid URL" error when a URN was entered in the Resource field for OIDC configuration.

Known Issues

  • [Adapt] The user is not being blocked even after an unsuccessful Monitor Authentication login attempt

  • [Adapt] Upon a cold start of the risk engine (e.g., after an upgrade) blocked policy might not be applied

  • [Authenticate] The HYPR Service does not always restart as intended after resuming from Modern Standby or hibernation, sometimes resulting in multiple restart attempts and network recovery failures

  • [Control Center] Server still sends push notifications with incorrect proxy credentials

  • [HYPR Passwordless for Windows] The text messages in the Windows login screen are replaced with incorrect text by HYPR Passwordless credential provider under certain circumstances

  • [HYPR Passwordless for Windows] HYPR displays an error when a paired YubiKey Bio MPE already has the maximum number of fingerprints stored

  • [HYPR Passwordless for Windows] If the YubiKey mini-driver is updated by HYPR Passwordless installer, a reboot is required

  • [HYPR One App for iOS] The text below the logo on the home screen still says "True Passwordless Security" and has not been updated to "Identity Assurance"

  • [HYPR One App for iOS] Registration isn't blocked and no alert is displayed when a version enforcement policy is set in Control Center for a future date

  • [Integrations - Okta] The Enroll button is displayed for Control Center admins who are not in the Okta directory

  • [Integrations - Okta] New integrations cannot be added due to 'Default Policy' errors

  • [Integrations - Okta] Users deleted from the Integrations rpApp do not get unassigned from the Okta app

  • [Integrations - Keycloak] Missing HYPR theme in local environment