Skip to main content

9.1.0 Release Notes

HYPR 9.1.0 is an Enterprise Channel Release.

The Enterprise Release Channel caters to customers requiring a less frequent cadence of upgrades, specifically on a quarterly basis, thereby allowing them more time to adapt and implement changes without disrupting their business operations.

The Standard Release Channel is designed for customers who are equipped to accommodate monthly updates, providing regular and more frequent access to new features and improvements. All Standard Release features are available in the next scheduled Enterprise Release.

New Section

To enable our customers to be more proactive in anticipating industry changes that affect HYPR architecture and topology needs, we have created the Breaking Changes section of the Release Notes. This section may be updated after the GA Release as information becomes available to HYPR.

Minimum Supported Versions

Release DateHYPR ProductMinimum RequirementNotes
April 10, 2024HYPR Passwordless for Windows 9.1.0Windows (10, 11)Reboot required if upgrading from 7.6 or below; Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their offshoots
April 10, 2024HYPR Passwordless for Mac 9.1.0macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma 14.1 [not 14.0])Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their respective offshoots
April 10, 2024HYPR Mobile App for Android 9.1.0Android 8.0+
April 10, 2024HYPR Mobile App for iOS 9.1.0iOS 12.4+
April 10, 2024HYPR Server 9.1.0Java Development Kit (JDK) 17+Upgrade to 7.10 required before upgrading to 8.0.0 or higher
April 10, 2024HYPR SDK for Android 9.1.0Android 8.0+
April 10, 2024HYPR SDK for iOS 9.1.0iOS 12.4+
April 10, 2024HYPR SDK for Java 9.1.0Java Development Kit (JDK) 17+
Backward Compatibility

All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.

New Features

[All HYPR] Certificate Services
To provide greater visibility to administrators regarding users' certificate renewal and revocation, certificate serial numbers and expiration dates are included in HYPR device logs, and can now be accessed using the Bulk Export API commands

[Control Center - Integrations] FIDO2 Gateway
As a fallback mechanism when mobile devices lack one of the radio protocols (WiFi or BLE) used for workstation authentication via the FIDO2 Mobile Authenticator, the HYPR server can be utilized as a gateway that can provide the communication transport between the workstation and the mobile device. The FIDO2 Gateway provides the conduit for routing all FIDO2 traffic between the workstation and mobile device in the absence of other methods.

[Control Center] Generic Enterprise Passkey
Use HYPR Enterprise Passkey/FIDO2 Mobile Authenticator with any RP Application. Controls now appear in RP Application Login Settings (including Integrations) and Workstation Settings.

[HYPR Mobile App - Both] Tap to Scan
A widget for mobile device desktops has been added to enable one-touch launch of a HYPR QR login.

[Passwordless Client for Windows] Support for Yubico Biometric Keys
Joint efforts between HYPR and Yubico bring support for multi-protocol biometric keys that can be used for web and workstation authentication in the HYPR ecosystem.

[Passwordless Client for Windows] Support for Idemia Smart Cards
Joint efforts between HYPR and Idemia bring support for Idemia smart cards that can be used for authentication in the HYPR ecosystem.

[docs.hypr.com] - Fresh Documentation Portal
The Product Documentation site has been updated to honor customer feedback and to accommodate recent branding changes. Take a few minutes to understand the new layout. For now, 9.1 and forward are the only versions in the new Documentation portal; 9.0 and earlier versions now live at classicdocs.hypr.com.

Enhancements

  • [All HYPR] General security hardening
  • [All HYPR] The authentication screen explaining 'Your Login Options Have Changed' and introducing HYPR UI passkey labeling has been removed
  • [Control Center] Content Security Policy (CSP) has been implemented for Control Center to mitigate the possiblity of cross-site scripting attacks
  • [Control Center] User Management has been standardized across Control Center to deliver a common experience across the UI
  • [Control Center - Extensions] Uploading new extensions to a HYPR managed Control Center is disabled
  • [Control Center - Integrations] FIDO2 Gateway rawData field length was extended
  • [Control Center - Integrations] Improved Okta handling of accounts to accommodate the possibility of users having different values assigned to email addresses, universal principal names (UPNs), and usernames
  • [Control Center - Integrations] Mentions and images of Microsoft Azure AD have been updated to reflect the nomenclature change to Entra ID
  • [Control Center - Integrations - Okta] Superfluous integrations data has been removed from internal API responses
  • [HYPR Adapt] UI Improvements
    • Custom Policies can now be edited in code format
    • Choose from previously saved versions of your policies
    • Documentation has been relocated to a drawer
    • AI Assist helps you build safe policies
  • [HYPR Adapt] Event Handler Code form checks for invalid properties on ctx objects
  • [HYPR Adapt] Functionality has been added in the Control Center UI to allow Event Handlers to be renamed
  • [HYPR Adapt] Minor improvements to action events
  • [HYPR Adapt] Risk Policies can be configured as Logging Only, where HYPR generates Audit Trail Event entries but Keycloak does not enforce the policies; API calls can be used to toggle Logging Only capability for risk policies
  • [HYPR Adapt] The Risk Reports pane has been added to display policy results; it will still capture results when HYPR Adapt policies are flagged as Logging Only (q.v.)
  • [HYPR Adapt; HYPR Mobile App - Both] Removed redundant signal data
  • [Passwordless Client for macOS] Implemented a workaround for the Sonoma screensaver leaving the desktop exposed after locking the machine
  • [Passwordless Client for Windows] HYPR generates an EXTERNAL_AUTH_COMPLETE Event for non-HYPR logins even if the user has no devices paired with HYPR.
  • [Passwordless Client for Windows] Security key pre-registration flow improvements to better handle certificate data
  • [HYPR Affirm] Approver assignment can now be Someone Else in addition to existing choices
  • [HYPR Affirm] Auto-credentialing (no manager approval needed) is enabled
  • [HYPR Affirm] Affirm supports using the IdP username or email or UPN as an initial identifier
  • [HYPR Affirm] Affirm links have been added to the Keycloak authenticator screens where use cases apply
  • [HYPR Affirm] Additional steps have been added to the IdV flow to help ease the user experience
  • [HYPR Affirm] General UI and editorial improvements
  • [HYPR Affirm] The Activity Log's Document Verification Result, Image File Name, and Registration fields now report correctly
  • [HYPR Mobile App - Both; HYPR SDKs for Android and iOS] Advanced Data Protection (ADP), the FIDO Client Adapter (FCA) and the HYPR Firebase Notification Adapter are fully deprecated in HYPR
  • [HYPR SDK for iOS] In compliance with Apple's policy for privacy manifest records, data collection reasons are now included in the info.plist file
  • [Platform - Keycloak] HYPR now uses Keycloak version 23.0.6
  • [Platform - Control Center] HYPR now uses spring-boot 3
    • Deployments using Vault for data source parameters require no changes
    • Deployments using environment variables will need to adjust parameters:
      • Specifically parameters of the form spring.redis.xxx are now spring.data.redis.xxx
      • For parameter keys ending in hibernateDialect the value changes from org.hibernate.dialect.MySQL8Dialect to org.hibernate.dialect.MySQLDialect
    • Deployments that package Control Center for their own docker images should start Control Center via org.springframework.boot.loader.launch.PropertiesLauncher in place of org.springframework.boot.loader.PropertiesLauncher
    • spring-boot 3 switches from javax.servlet.xxx to jakarta.servlet.xxx; all Control Center extensions should be recompiled against the 9.1 version of the Control Center extension API
    • spring-boot 3 requires Java 17. Deployments that package Control Center for their own docker images or run the application as a java executable need to provide propper Java version.

Events

  • [HYPR Affirm] Identity Verification Events have been streamlined to include fewer fields
  • [HYPR Mobile App - Both] Dynamic link Device Manager registrations initiated using a browser on a mobile device now differentiate themselves by logging OOB_WEBSITE_REG, then OOB_DEVICE_LOGIN_COMPLETE when successfully pairing
  • [HYPR Mobile App - Both] MOBILE_CANCELLED_NEW_CERTIFICATE Event has been added to the Web Registration Event category
  • [HYPR Mobile App - Both] WEBSITE_AUTH Event has been added to the Authentication category to capture authentication failures for HYPR Adapt
  • [HYPR - All] Keycloak Events KEYCLOAK_ADMIN_EVENT and KEYCLOAK_USER_EVENT have been added to handle Keycloak Events separately
  • [HYPR Passwordless - Both] SMARTKEY_RECOVERY_PINS_RE_GENERATED has been added to capture security key recovery PIN renewal

See Event Descriptions for a list of all HYPR Events and parameters.

Error Messages

  • Error names (e.g., APPLICATION_NOT_FOUND_PROBLEM for Error 1202009) have been included with each error code entry
  • Added Errors:
    • 107237 HYPRErrorPalmAuthenticatorEnrollmentResultPalmMistmatchError
    • 107238 HYPRErrorPalmAuthenticatorVerificationResultPalmMistmatchError
    • 107239 HYPRErrorPalmAuthenticatorUserIsNotEnrolled
    • 114100 HYPR_DISPLAY_CODE_LOCATION_DENIED_OR_DISABLED
    • 114101 HYPR_DISPLAY_CODE_LOCATION_NO_CLIENT_AVAILABLE
    • 114491 HYPR_DISPLAY_CODE_OP_FEATURES_NO_VALID_APP_PROFILES
    • 114492 HYPR_DISPLAY_CODE_OP_FEATURES_EXCEPTION
    • 114493 HYPR_DISPLAY_CODE_OP_FEATURES_NO_CONTEXT
    • 114680 HYPR_DISPLAY_CODE_OP_FIDO2_ADVERTISE_REQ_FIELDS_EMPTY
    • 114681 HYPR_DISPLAY_CODE_OP_FIDO2_ADVERTISE_INVALID_PAYLOAD
    • 114682 HYPR_DISPLAY_CODE_OP_FIDO2_ADVERTISE_PAYLOAD_ERROR
    • 114690 HYPR_DISPLAY_CODE_OP_FIDO2_SEND_REQ_FIELDS_EMPTY
    • 114700 HYPR_DISPLAY_CODE_OP_FIDO2_RECEIVE_REQ_FIELDS_EMPTY
    • 114701 HYPR_DISPLAY_CODE_OP_FIDO2_RECEIVE_ERROR
    • 1114020 HYPR_DISPLAY_CODE_PALM_AUTH_NOT_RECOGNIZED
    • 1201024 CLIENT_REG_EC
    • 1201025 REQUEST_NOT_FOUND_EC
    • 1201028 UAF_ERROR_RESPONSE_FROM_SERVER_EC
    • 1202073 INT_KC_FLIP_QR_PROBLEM
    • 1202074 INT_KC_API_PROBLEM
    • 1207010 VERIFICATION_FLOW_PROBLEM
    • 1207011 USER_VERIFICATION_REQUEST_PROBLEM
    • 1540003 SecurityDevicePairingDisabled
    • 1540004 SecurityDeviceValidationFailed
    • 1540005 SecurityDeviceRejectedByServer
  • Deprecated Errors:
    • 10112 HYPRErrorLicenseSetupFailed has been removed along with License Key options
    • 10128 Operation cancelled by user.
    • 10129 Data verification failed.
    • 10200 Secure Enclave failed.
    • 10201 ADP failed.
    • 10300 Key not found.
    • 104050 Operation failed. This app needs permission to use the camera. Please enable it in the application's settings.
    • 104060 Server error. Please try again or contact your Support for more details.
    • 1072037-1072039 Operation failed.
    • 115300 Current device is null.
    • 116113 Get Registrations Activity dereg callback invalid method.
    • 1202005 LICENSE_SERVER_SETUP_PROBLEM_EC has been removed along with License Key options
    • 1202008 LICENSE_SERVER_PROBLEM has been removed along with License Key options
    • 1202501 LICENSE_VALIDATION_PROBLEM has been removed along with License Key options
    • 1203005 FIDO_SERVER_UNREACHABLE_EC

To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Tables.

APIs

  • [HYPR Affirm] Identity verification flow management for your apps, your users, and for individual workflows
  • [HYPR Adapt] The following evaluation points/policy types have been added to the Adapt API calls where appropriate:
    • PRE_WORKSTATION_UNLOCK
    • POST_WORKSTATION_UNLOCK
  • HYPR Support Access API is enabled only to see which emails are allowed

You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.

Upcoming Changes

  • HYPR Error Codes & Troubleshooting Table, previously found in ZenDesk, has been moved to the Guides section of the new HYPR Documentation site

  • All public ZenDesk articles will be deprecated in ZenDesk after the 9.3 Enterprise Channel GA, and will be found at docs.hypr.com

Bug Fixes

  • [Control Center - Device Manager] Device status is now re-synced upon successful deletion to ensure ghost entries do not persist
  • [Control Center - Device Manager] The welcome email for RP applications other than Control Center Admin now leads to the Onboarding page and not the Device Manager index
  • [Control Center - Integrations - Azure] User cleanup and duplication issues solved
  • [Control Center] Audit Trail timestamp is now being reported correctly from within the selected time filter
  • [HYPR Adapt] Android signals previously sent with 'REQUEST_SENT' status now use 'COMPLETE' status
  • [HYPR Adapt] Risk engine Authentication Attempt Time Window has been changed from 7 days to respect the limits set for the policy
  • [HYPR Adapt] Upon user authentication fallback after failure, 'Authentication Upgraded Message' now displays consistently
  • [HYPR Adapt; HYPR Passwordless for Windows] Signal data now includes 'no location available' if Location settings are disabled on the machine; previously in this case no data was included to indicate its state
  • [HYPR Affirm] Affirm no longer prompts you to upgrade if Affirm is not enabled
  • [HYPR Affirm] Approver cannot approve the requestor before they complete all required steps defined in the IdV flow
  • [HYPR Affirm] Fixed duplicate entries in the Activity Log upon rejection and approval
  • [HYPR Affirm] Fixed error 500 when attempting to relogin into Control Center after completing the Affirm IdV flow
  • [HYPR Affirm] Handling has been added for unsupported image file types
  • [HYPR Affirm] Improved Face ID verification recognition
  • [HYPR Affirm] More forgiveness has been included for second pass attempts to retain information already entered in the first attempt; and when handling unexpected navigation choices
  • [HYPR Affirm] Personally Identifiable Information (PII) has been removed from reports and logged Events
  • [HYPR Affirm] Phone SMS Error Fixes:
    • Country Code defaults to that of the United States of America if it is omitted during the phone number check
    • Incorrectly entered numbers are now handled gracefully
    • Handling added for when the associated IdP lacks a user's phone number
  • [HYPR Affirm] Solved a race condition that prevented video from displaying the chat dialog as expected
  • [HYPR Affirm] Solved labeling discrepancies in the Activity Log and main pages
  • [HYPR Affirm] The Upgrade now link on the Upgrade banner has been fixed
  • [HYPR Affirm] Various 500 errors are now handled gracefully with a redirect to the start of the IdV flow:
    • After multiple SMS requests
    • Clicking the link on the email after it's been activated on your phone
    • After completing the approver flow
    • If the session has expired and the link is opened again
    • Opening the Affirm page while the feature is disabled now states instead, "To enable Affirm, you must upgrade to the paid version."
  • [HYPR Affirm] When an integration is deleted, or if Affirm is turned off, Affirm implementation is now cleaned up more thoroughly
  • [Passwordless Client for macOS] TrustKit now handles unsupported algorithms gracefully

Known Issues

  • [HYPR Control Center - Adapt] FIDO2 authentication attempts are not blocked when FIDO2 is not exempted and the Authentication Failure Threshold is exceeded

  • [HYPR Enterprise Passkey + HYPR Mobile App for Android] When deregistering the linked security key for a hybrid account, the workstation pairing is also removed

  • [HYPR Mobile App for iOS] The text below the logo on the home screen still says "True Passwordless Security" and has not been updated to "Identity Assurance"

  • [HYPR Device manager] Registration via Safari will only succeed if Asynchronous Registration is enabled

Breaking Changes

Android Configuration (Migration from 8.7.X to 9.1.X)

  • Project-wide:

    targetSdk 33 -> 34
    minSdkVersion 23 -> 26
    kotlin version  1.7.22-> 1.9.20

  • gradle-wrapper.properties:

    https\://services.gradle.org/distributions/gradle-7.6-bin.zip -> https\://services.gradle.org/distributions/gradle-8.4-bin.zip

  • project:build.gradle:

    kotlin version  1.7.22-> 1.9.20
    com.android.tools.build:gradle:7.2.2 -> com.android.tools.build:gradle:8.1.4
    com.google.gms:google-services:4.3.14 -> com.google.gms:google-services:4.4.0
    com.guardsquare:dexguard-gradle-plugin:1.3.24 -> com.guardsquare:dexguard-gradle-plugin:9.4.21

  • app:build.gradle:

    • Implementation:

        androidx.appcompat:appcompat:1.5.1 -> androidx.appcompat:appcompat:1.6.1
        com.google.android.material:material:1.7.0 -> com.google.android.material:material:1.10.0
        androidx.lifecycle:lifecycle-process:2.5.1 -> androidx.lifecycle:lifecycle-process:2.6.2
        com.google.code.gson:gson:2.10 -> com.google.code.gson:gson:2.10.1
        org.apache.commons:commons-lang3:3.12.0 -> org.apache.commons:commons-lang3:3.13.0
        com.google.mlkit:barcode-scanning:17.0.0 -> com.google.mlkit:barcode-scanning:17.2.0
        androidx.core:core-ktx:1.9.0 -> androidx.core:core-ktx:1.12.0
        androidx.lifecycle:lifecycle-viewmodel-ktx:2.5.1 -> androidx.lifecycle:lifecycle-viewmodel-ktx:2.6.2
        org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.7.22 -> org.jetbrains.kotlin:kotlin-stdlib:1.9.20
        com.google.firebase:firebase-messaging:23.1.0-> com.google.firebase:firebase-messaging:23.3.1

    • annotationProcessor:

      androidx.lifecycle:lifecycle-common-java8:2.5.1 -> androidx.lifecycle:lifecycle-common:2.6.2

  • You might need to add this (depending on your setup) in app:build.gradle:

    android {
      ...
          compileOptions {
              sourceCompatibility = JavaVersion.VERSION_1_8
              targetCompatibility = JavaVersion.VERSION_1_8
          }
          kotlinOptions {
              jvmTarget = "1.8"
          }
      ...
    }