10.5.0 Release Notes
HYPR 10.5.0 is an Enterprise Channel Release.
The Enterprise Release Channel follows a quarterly upgrade cycle, ensuring a stable and predictable update process. This schedule provides organizations with ample time to test, adapt, and implement changes while minimizing disruptions to business operations. With each release, customers receive the latest security, performance, and feature enhancements, allowing them to stay up to date with improvements while maintaining operational stability.
To enable our customers to be more proactive in anticipating industry changes that affect HYPR architecture and topology needs, we have created the Breaking Changes section of the Release Notes. This section may be updated after the GA Release as information becomes available to HYPR.
Minimum Supported Versions
Release Date | HYPR Product | Minimum Requirement | Notes |
---|---|---|---|
September 24, 2025 | HYPR Passwordless for Windows 10.5.0 | Windows (10 "1803", 11) | Reboot required if upgrading from 7.6 or below; Security Key Support for YubiKey 5 Series with firmware 5.X, YubiKey Bio Multi-Protocol Edition, IDEMIA ID-One on Cosmo 8.2, Feitian K9 Plus and K40 Plus and its offshoots |
September 24, 2025 | HYPR Passwordless for Mac 10.5.0 | macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma 14.1 [not 14.0]) | Security Key Support for YubiKey 5 Series with firmware 5.X and Feitian ePass K9 Plus, K40 Plus and their respective offshoots |
September 24, 2025 | HYPR Mobile App for Android 10.5.0 | Android 9.0+ | |
September 24, 2025 | HYPR Mobile App for iOS 10.5.0 | iOS 12.4+ | |
September 24, 2025 | HYPR Server 10.5.0 | Java Development Kit (JDK) 17+ | Upgrade to 7.10 required before upgrading to 8.0.0 or higher |
September 24, 2025 | HYPR SDK for Android 10.5.0 | Android 9.0+ | |
September 24, 2025 | HYPR SDK for iOS 10.5.0 | iOS 12.4+ | |
September 24, 2025 | HYPR SDK for Java 10.5.0 | Java Development Kit (JDK) 17+ | |
All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.
Breaking Changes
- [Authenticate for Windows] Removed support for HID C2300 cards due to a mini‑driver issue that prevents unpair/re‑pair without a reboot
- [Control Center] FIDO2 MDS legacy APIs deprecation — with the introduction of granular AAGUID allow/deny controls, legacy metadata management APIs are scheduled to be deprecated beginning in 11.3. Update integrations to the new controls under `cc/api` `/rp/api`.
New Features
- [Affirm] [Beta] Advanced Deepfake/Motion Detection
  - Enhanced identity verification with motion-based liveness detection to prevent spoofing attempts and improve security.
  - Additional deepfake detection and real‑time capture feedback enhancements planned for future releases.
  - Editorial refinements to PII indicators and related copy for consistency.
- [Affirm] [Beta] End-to-End Help Desk Support
  - Comprehensive, role-based Help Desk solution for verification workflows: agent onboarding, authenticated access (SSO/IdP or credentials), and scoped permissions.
  - Centralized Help Desk configuration in Control Center: PIN lifecycle policies, agent roles, auditing and future reporting dashboard.
  - End-to-end case handling: search and view workflow activity, assist requesters, manage recovery actions and coordinate outcomes without exposing sensitive data.
  - Clean session management and consistent UX across web and mobile; supports deep linking from tickets/tools and magic-link initiation where permitted by policy.
- [Authenticate for Windows] [Beta] HID Global — PIV Integration (Crescendo 4000 Cards/Keys)
  - Beta support for HID Global Crescendo 4000 smart cards and USB keys across all HYPR Passwordless authentication flows.
  - Enables contactless operation via NFC where supported, including registration and unlock workflows.
  - UI labels distinguish "Crescendo Cards" and "Crescendo Keys" for clarity while maintaining existing HYPR Passwordless user experience.
  - Help Desk and admin workflows align with existing smart card/security key support in Control Center.
- [Control Center] OAuth API Tokens
  - OAuth-based access tokens across Control Center APIs to replace legacy bearer tokens and improve security, manageability and interoperability.
  - Strengthens protection for signal endpoints by leveraging signed/validated tokens instead of static bearer credentials.
  - Java SDK updated to support OAuth token flows, simplifying adoption for integrators and automation.
  - Performance validated for high-throughput scenarios.
- [Enterprise Passkey] Offline Use Cases
  - Offline desktop login on Entra‑joined devices using encrypted, per‑user Offline PINs with a locally stored passkey bundle.
  - Policies and limits are managed in Control Center; attempts are audited and PINs rotate automatically after successful online unlocks.
- [Enterprise Passkey] Third‑Party Passkey Provider (3PPP)
  - HYPR One acts as a native passkey provider on iOS and Android, enabling Windows OS and browser sign‑in with synced, end‑to‑end encrypted passkeys.
  - Provides session passkey SSO after desktop login and QR‑based fallback when needed.
Enhancements
- [Adapt] Security hardening: event hook request/response now redacts sensitive fields better to prevent exposure in logs
- [Affirm] Added URL validation for Redirect to URL in injectable outcomes to prevent invalid inputs and server errors
- [Affirm] Architecture improvements — optimized activity log retrieval to reduce database load and improved performance testing coverage
- [Affirm] Clarified `/unblock` endpoint responses — improved status codes and messaging to distinguish not‑blocked users, invalid login IDs and successful unblocks
- [Affirm] Fixed copy mismatch on the Take a Selfie screen — button/text now use consistent wording
- [Affirm] Fixed: Creating or editing a workflow no longer intermittently results in a white screen; the editor now loads and saves as expected
- [Affirm] Fixed: Denied outcome results now display the 6‑digit code instead of the workflow ID
- [Affirm] Fixed: Phone verification screens now show the correct last 4 digits (previously truncated) across all relevant views
- [Affirm] Improved UX for step failure outcomes — screens now indicate the failed step and automatically advance to the next step when configured, reducing user interaction
- [Affirm] Made step settings in the flow editor collapsible to streamline configuration and reduce scrolling
- [Affirm] Restored previous visual alignment for the Steps screen to improve readability and consistency
- [Affirm] Stability: simplified state machine — removed verification flow ID after Login ID step and unified API/UI flow behaviors to rely on the workflow instance
- [Affirm] Stability: terminology consistency — standardized the term "Requester" across UI, APIs and docs
- [Affirm] Updated friction level handling so CC admin flows account for outcomes that require redirect to Decision Maker, reducing extra configuration steps
- [Authenticate] Added COMPLETE events to FIDO-only flows so internal/external reporting and ADAPT analytics can reliably detect successful attempts across FIDO-only authentication and registration traces
- [Authenticate] Fixed validation for machine user principal name to prevent erroneous failures in workstation flows
- [Authenticate] Mobile EPK registration experience — start from web or deep link in HYPR One; single passkey works for desktop and web, including Entra‑joined/hybrid Windows unlock and mobile 3PPP web auth
- [Authenticate for Mac] Added Recovery PINs for security keys on macOS — Help Desk can issue recovery PINs from Control Center, admins can enable/disable and configure PIN policies, and operations are fully audited; aligns user experience and workflows with Windows
- [Authenticate for Windows] Adopted Azure Trusted Signing for Windows code signing to streamline certificate management and improve supply chain assurance
- [Authenticate for Windows] Added option to disable SSL pinning by setting the pinning hash to "DISABLE" (via installer configuration or post‑install registry); provides flexibility for constrained environments
- [Authenticate for Windows] Excluded Enterprise Passkey authentications from external authentication events so analytics and adoption reporting don't misclassify EPK; regular FIDO2 security key authentications remain included
- [Authenticate for Windows] Included Windows authentication sub‑status codes in audit events sent to Control Center for failed logins, improving troubleshooting fidelity
- [Authenticate for Windows] Security device enhancements across supported keys and smart cards, including improved fingerprint enrollment error handling and UX refinements
- [Authenticate for Windows] EPK — Roaming and RunAs support (where available); improved UX and Provisioning API error messaging
- [Authenticate for Windows] EPK — Provisioning API error messaging improvements (clear guidance for PRT refresh and policy-required actions)
- [Control Center] Added an associated user lookup API to efficiently retrieve users linked by shared devices, improving handler performance and scalability for large tenants
- [Control Center] Added Force Re‑Enroll action in User Management to initiate certificate reenrollment for selected users/devices directly from the UI
- [Control Center] Enforced minimum value validation (≥ 1) for "time window" fields in Monitor Authentication, CrowdStrike ZTA and CrowdStrike IdP policies, with clear UI error messages
- [Control Center] FIDO2 MDS granular control — added allowlist/denylist management for authenticator identifiers with per‑RP App visibility and controls to strengthen authenticator governance
- [Control Center] Improved security for sensitive data
- [Control Center] Improved validation messaging for Adapt Login Limits policies — the UI now surfaces user‑friendly errors from the risk engine (e.g., when User blocked duration is less than the Auth window) to explain why a save fails
- [Control Center] Reduced database load from landing page statistics for large tenants — optimized statistics queries and loading behavior to avoid CPU spikes on login; added safeguards/timeouts for long‑running audit queries to prevent runaway CPU usage
- [Control Center] Standalone IP Geolocation Service — introduced a reusable service with POST lookup endpoint, validated IP address input, and extensible response models; integrated with Affirm and Adapt, and updated Affirm geolocation to use distance‑matrix rather than drivable routes
- [HYPR One App for Android] Added a user-facing low-remaining Offline PINs warning that appears when ~20% of the configured PIN allotment remains, improving awareness before depletion
- [HYPR One App for Android] Added user approval prompt for deep link-initiated authentication (e.g., QR/Web), reusing the push approval UI to mitigate deep link abuse
- [HYPR One App for Android] Default workstation handling improved — existing default persists when pairing additional workstations; default re-selection logic clarified after deletes
- [HYPR One App for Android] Fixed UI update latency so success/error toasts and newly generated Offline PINs appear immediately without additional user interaction
- [HYPR One App for iOS] Various editorial improvements to copy and UI text for consistency and clarity
- [Integrations - Entra] Federation/admin UX — moved to Client Credential Grant (with backward compatibility), improved MFA handling (`federatedIdpMfaBehavior`), clearer client secret/cert setup, improved naming and type labels, least‑privilege permissions
- [Integrations - Keycloak] Custom theme support & branding controls — configurable background image, logo, up to four custom links on QR/Login screens (rendered only when label and URL are set), and custom CSS via Control Center branding settings
- [Integrations - Keycloak] QR code now displays a dynamic link instead of a landing page to streamline registration handoff
- [Server/Authenticate] WebSocket long‑polling is now disabled by default platform‑wide to reduce infrastructure load; remains opt‑in via configuration
Events
The following Events are now deprecated:
- `MOBILE_NOTIFIED_OF_CERTIFICATE_RENEWAL`
- `MOBILE_CONFIRMED_CERTIFICATE_RENEWAL`
See Event Descriptions for a list of all HYPR Events and parameters.
Error Messages
To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.
APIs
- [Identity Verification (IDV)] `POST /cc/api/idv/user/unblock`
  - Request: `application/json` → `UserUnblockRequestDto`
  - Behavior: Response semantics clarified to distinguish not‑blocked users, invalid login IDs and successful unblocks. Route and method unchanged from 10.3.4; messaging refined in 10.5.
- [User & Device Management] `POST /cc/api/versioned/rpUser/registered/associations`
  - Request: `application/json` → `AssociatedUser`
  - Purpose: Retrieve users associated via shared devices to support Help Desk and large‑tenant workflows. Route present previously; 10.5 includes performance and consistency improvements.
- [Statistics] `GET /cc/api/versioned/stats/uniqueActiveUsers`
  - Query: `request` (schema: `ActiveUsersRequest`)
  - Purpose: Unique active user reporting; 10.5 includes reliability and consistency improvements.
- [IDV Help Desk] `GET /cc/api/idv/helpdesk/workflows`
  - Query: `request` (schema: `ActivityHelpdeskWorkflowSearchRequest`)
  - Purpose: List verification workflows/activity for Help Desk; used by the E2E help desk experience.
- [Adapt Configurations] `GET /cc/api/appconfig/adapt/assignments`
  - Response: `application/json` → `RPAppToAdaptConfig[]`
  - Purpose: Fetch all RP App Adapt assignments; used for policy assignment introspection at scale.
You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.
Upcoming Changes
- [Enterprise Passkey] Third-party Passkey Provider Support
  - Enterprise Passkey can transform the HYPR One App for Android and iOS into a Third-Party Passkey Provider, creating a user experience consistent with other passkey providers, whether platform or third-party.
  - Users can use a registered Enterprise Passkey in the HYPR One App through the native passkey support in Android and iOS, enabling native and browser mobile use cases.
- [Authenticate] [Preview] Single Registration — Certificate Renewal through Control Center
  - Provides administrators with visibility into certificate expiration status and enables automatic certificate renewal for mobile pairings through Control Center.
  - Eliminates manual workstation-based renewal processes and improves consistency for Single Registration/Web Registration deployments by centralizing renewal.
  - Mobile temporarily holds the current and new certificates and sends both during Unlock until workstation confirms acceptance.
  - Workstation prefers the new certificate when VPN/AD is reachable; otherwise it unlocks with the current certificate and prompts the user to connect VPN and try again.
- [Authenticate] [Preview] Single Registration — Bi‑Directional
  - Enables both Web‑initiated and Workstation‑initiated Single Registration flows within the same tenant.
  - Establishes scenarios, constraints and UX convergence goals to "pair anywhere, authenticate everywhere," informing future development and demos.
- [Adapt] HYPR Adapt for Microsoft Edge for Business Integration
  - HYPR Adapt policy risk engine seamlessly integrates with Microsoft Edge for Business to bolster enterprise security by extending signal collection and exchange with your corporate browsers.
  - This integration provides access to device signals directly through the browser, providing broader coverage for device signals by accessing attested information not available from regular web application contexts.
- [Integrations - Keycloak] OAuth authentication
  - As we incorporate OAuth as an authorization mechanism across the HYPR Platform, our integration is planned to adopt OAuth exchanges in place of bearer tokens to increase security and flexibility.
- [Affirm] Deepfake detection & real‑time feedback
  - Additional capabilities beyond Motion — including expanded deepfake detection and richer real‑time capture feedback — planned for later releases.
If you're interested in experiencing any of these upcoming features before they're released to the general public, please contact HYPR support to participate in the early access program.
Bug Fixes
- [Adapt] Fixed: Secret values defined in custom policies (e.g., fields marked as secret) could appear in logs and policy evaluation results; these are now properly masked and excluded from outputs (affected older 9.4.x versions)
- [Adapt] Fixed: Monitor Authentication with "Block User On Failed Authentication Attempt" did not block users after unsuccessful attempts due to incorrect event evaluation; users are now blocked as configured
- [Adapt] Fixed: “Learn more” links on Signal Handler metrics and Error Logs pages now navigate to the correct documentation instead of 404 pages
- [Adapt] Fixed: Risk Engine stops ingesting events immediately after tenant deletion to avoid unnecessary processing and log floods
- [Adapt] Fixed: Action Events are now emitted and consumed by the Event Bus when Adapt is enabled, restoring enforcement for policies like Login Limits
- [Affirm] Fixed: OIDC configuration fields now save correctly when cleared; previously, editing to blank preserved the old value
- [Affirm] Fixed: Copy mismatch on the Take a Selfie screen — button/text now use consistent wording
- [Affirm] Fixed: Web video liveness now times out and prompts users to redo when a face isn’t detected; improved user feedback and result reporting
- [Affirm] Fixed: Creating a Decision Maker outcome without an associated RP App now returns a clear validation error (was previously allowed or showed an unrelated URL error)
- [Affirm] Fixed: Deleted flow messages now display the flow name instead of empty quotes
- [Affirm] Fixed: Location step no longer offers “Retry” after the configured retry limit is reached
- [Affirm] Fixed: IDV settings were missing from verification flow settings in the UI; settings are now available and configurable
- [Affirm] Fixed: Activity Log and Help Desk now show the correct factor label (Email vs Phone) based on the factor used; unused factor remains N/A
- [Affirm] Fixed: Activity Log shows Phone passed when phone verification runs without OTP enabled (previously displayed N/A)
- [Affirm Help Desk] Fixed: Refreshing the page while viewing Verification Flows no longer shows "Access Denied"/invalid session; the page now reloads correctly
- [Affirm] Fixed: Liveness step now correctly fails the overall flow when injectable outcomes are configured (previously overall result could pass)
- [Affirm] Fixed: Requester OIDC step no longer requires a pre‑set Affirm auth context; OIDC prompts correctly in requester flows
- [Affirm] Fixed: Resolved `authorization_request_not_found` during OIDC callback in requester flows; callbacks now complete and the flow continues as expected
- [Affirm] Security hardening: improved protection and reliability in custom code configuration workflows, with enhanced safeguards for sensitive data handling
- [Affirm] Fixed: Setting a Redirect outcome with an invalid URL now shows the correct URL validation error instead of an unrelated rpApp requirement message
- [Authenticate for Mac] Fixed: App name and icon now update correctly in Spotlight search, Applications, Launchpad and Dock, including CustomSkin-configured branding after install and upgrade
- [Authenticate for Windows] Fixed: When a YubiKey Bio fingerprint database is full, pairing no longer shows a generic error; the flow skips redundant enrollment and displays a clear message
- [Authenticate for Windows] Fixed: Removed exception logged during Enterprise Passkey authentication; certificate-only code path no longer executes for EPK
- [Authenticate for Windows] Fixed: After canceling fingerprint enrollment and pressing the biometric key, the next enrollment attempt now succeeds instead of failing
- [Authenticate for Windows] Fixed: Applied security key touch policy during enrollment when non‑default touch policy is configured; enrollment path no longer bypasses touch requirement
- [Authenticate for Windows] Fixed: The Passwordless User tile now shows the domain name in the “Sign in to” field on domain‑joined machines instead of the computer name
- [Control Center] Fixed: Audit Trail export returned HTTP 406 and produced "undefined" in CSV output; it now returns HTTP 200 with accurate CSV data in UI and automation workflows (issue affected older 8.7.x deployments)
- [Control Center] Fixed: In Advanced UI, selecting an access level for role‑less IdP‑assigned users no longer pushes the button focus into the margin
- [Control Center] Fixed: CC Users page shows consistent time zone for Last Active values in both summary and device views
- [Control Center] Fixed: Deleting a paired device from Control Center now fully removes the pairing across Control Center, Windows (WFA) and mobile apps
- [Control Center] Fixed: EPK workstation-pairing deregistration now removes the pairing in both mobile apps and Control Center, aligning all systems on delete
- [Enrollment Service] Fixed: Service no longer deletes its API token on unexpected HTTP 401 responses from Control Center; handles transient/auth anomalies without invalidation
- [HYPR One App for Android] Fixed: Transaction approvals failed when the app was opened from a push notification while running in the background; background launch handling now completes verification successfully
- [HYPR One App for Android] Fixed: Workstation Lock could fail with error 1201030 after device token refresh or when switching between workstations with short token expiry; token lifecycle handling now maintains valid locks and deregistration responses
- [HYPR One App for Android] Fixed: QR unlock could fail for hybrid users in roaming scenarios on paired workstations; unlock now completes successfully
- [HYPR One App for Android] Accessibility: double‑tap with TalkBack now activates lock/unlock on Entra‑only workstation bubbles (no longer triggers long‑press actions)
- [HYPR One App for iOS] Fixed: On iOS 18 with macOS Sequoia, Offline PINs and Recovery PINs were not refreshed after an online unlock; PIN pools now repopulate correctly after successful online unlocks
- [HYPR One App for iOS] Fixed: Third-party passkey provider registration with Microsoft and webauthn.io could fail and deleting the paired passkey could freeze/crash the app; registration and deletion flows now complete reliably
- [Integrations - Keycloak] Fixed: Removed legacy brute force detection in custom authenticator to prevent unintended lockouts and align with HYPR flow control
- [Integrations - Keycloak] Fixed: Brute-force messaging now logs only when enforcement occurs; removed misleading WARN logs that implied detection without enforcement
- [Server] Fixed: Unicode/full‑width character handling for usernames in older 8.7.x deployments — improved normalization and equality checks prevent mismatches that could cause FIDO2 authentication and device registration failures; added tests and additional database validation to ensure consistency across character encodings
- [Server] Fixed: Reduced the amount of WARN logs when FIDO2 settings are not configured for an RP App — messages are suppressed unless FIDO2 is enabled or a real configuration error occurs
- [Windows/Enrollment Service] Fixed: HYPRWinCrypto now uses per‑application data directories for TPM artifacts to prevent cross‑application interference between WFA and Enrollment Service
Known Issues
- [Adapt] Upon a cold start of the risk engine (e.g., after an upgrade) blocked policy might not be applied
- [Authenticate] The HYPR Service does not always restart as intended after resuming from Modern Standby or hibernation, sometimes resulting in multiple restart attempts and network recovery failures
- [Control Center] Server still sends push notifications with incorrect proxy credentials
- [HYPR Passwordless for Windows] The text messages in the Windows login screen are replaced with incorrect text by HYPR Passwordless credential provider under certain circumstances
- [HYPR Passwordless for Windows] If the YubiKey mini-driver is updated by HYPR Passwordless installer, a reboot is required
- [HYPR One App for iOS] The text below the logo on the home screen still says "True Passwordless Security" and has not been updated to "Identity Assurance"
- [HYPR One App for iOS] Registration isn't blocked and no alert is displayed when a version enforcement policy is set in Control Center for a future date
- [Integrations - Okta] The Enroll button is displayed for Control Center admins who are not in the Okta directory
- [Integrations - Okta] New integrations cannot be added due to 'Default Policy' errors
- [Integrations - Okta] Users deleted from the Integrations rpApp do not get unassigned from the Okta app
- [Integrations - Keycloak] Missing HYPR theme in local environment
- [HYPR One App for iOS] Passkey creation may fail for Entra Federation integration (AccessDenied on creation options)
- [HYPR One App for iOS] Two-keys flow: app may not navigate away from My Security Keys after deleting the last passkey
- [HYPR One App for iOS] When two workstations are paired (x509 + Entra hybrid), unlock sometimes fails on both
- [HYPR One App for iOS] Intermittent crash when de-registering WS bubble or web `rpApp`
- [Control Center] EPK workstation deregistration audit events missing