9.5.0 Release Notes
HYPR 9.5.0 is an Enterprise Channel Release.
The Enterprise Release Channel caters to customers requiring a less frequent cadence of upgrades, specifically on a quarterly basis, thereby allowing them more time to adapt and implement changes without disrupting their business operations.
The Standard Release Channel is designed for customers who are equipped to accommodate monthly updates, providing regular and more frequent access to new features and improvements. All Standard Release features are available in the next scheduled Enterprise Release.
To enable our customers to be more proactive in anticipating industry changes that affect HYPR architecture and topology needs, we have created the Breaking Changes section of the Release Notes. This section may be updated after the GA Release as information becomes available to HYPR.
Minimum Supported Versions
Release Date | HYPR Product | Minimum Requirement | Notes |
---|---|---|---|
Sept 11, 2024 | HYPR Passwordless for Windows 9.5.0 | Windows (10, 11) | Reboot required if upgrading from 7.6 or below; Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their offshoots |
Sept 11, 2024 | HYPR Passwordless for Mac 9.5.0 | macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma 14.1 [not 14.0]) | Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their respective offshoots |
Sept 11, 2024 | HYPR Mobile App for Android 9.5.0 | Android 8.0+ | |
Sept 11, 2024 | HYPR Mobile App for iOS 9.5.0 | iOS 12.4+ | |
Sept 11, 2024 | HYPR Server 9.5.0 | Java Development Kit (JDK) 17+ | Upgrade to 7.10 required before upgrading to 8.0.0 or higher |
Sept 11, 2024 | HYPR SDK for Android 9.5.0 | Android 8.0+ | |
Sept 11, 2024 | HYPR SDK for iOS 9.5.0 | iOS 12.4+ | |
Sept 11, 2024 | HYPR SDK for Java 9.5.0 | Java Development Kit (JDK) 17+ |
All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.
New Features
[All HYPR] Single Registration: Support for Multi-Domain Enrollment
- Look up users in multiple Active Directory domains
- Issue certificate requests for users across Active Directory domains
[Adapt] Crowdstrike Implementation
- Includes a built-in Adapt Policy for CrowdStrike
- Service to communicate with the CrowdStrike API
[Affirm] IdV Reporting Monitor performance and make informed decisions based on comprehensive and reliable IdV data.
- Advanced data collection mechanisms to capture more granular metrics
- Reporting tools that offer customizable dashboards and real-time data visualization
- Integrated analytical features for trend analysis and predictive insights
[Affirm] HYPR Affirm Approver Escalation HYPR Affirm now enables chat escalation for OnFido IDV failure cases in the verification flow, launching a chat and/or video session with an assigned Approver in response.
[Control Center] Custom Branding HYPR Custom Branding empowers HYPR customers to brand the HYPR experience for Control Center users:
- Add a custom logo and linked URL
- Customize background imagery and colors
- Brand your Device Manager for a consistent experience
[Control Center] [Beta] HYPR Enterprise Passkey - FIDO2 Gateway Fallback
- Enterprise Passkeys using the FIDO2 Gateway now enjoy roaming capabilities
- The traceId attribute is synchronized across HYPR for a given Event
- New Events have been added relevent to the FIDO2 Gateway; see the Events section of this article for a list of new Events
[Control Center] Quicksight Analytics Dashboards HYPR harnesses the power of Amazon QuickSight graphs in our Analytics Dashboards, including views for Identity Assurance, Authenticate, Adapt, and Affirm that provide intuitive and easily manipulable results designed with your feedback in mind.
[Control Center - Integrations] [Beta] External Authentication Methods Microsoft's Entra ID External Authentication Method (EAM) is now supported by HYPR, including HYPR integration user enrollment, Audit Trail logging, and a quick setup. Contact HYPR Support to get it for your users.
[Control Center - Integrations] Generic Enterprise Passkey HYPR Enterprise Passkey is now available to non-Azure customers. Contact HYPR Support to get it for your users. HYPR provides a fallback mechanism in the event which an existing WiFi or BLE configuration has challenges. HYPR Mobile App will communicate through Control Center to complete CTAP operations with the HYPR Passwordless client.
[HYPR Mobile App] [Beta] Native Camera QR Scan HYPR Supports native camera QR code scan via dynamic short links; you don't even have to open the HYPR Mobile App first. Contact HYPR Support to get it for your users.
Enhancements
-
[All HYPR] Small UI Improvements
- Padding and spacing standardized
- Text escaping the UI
- Legacy fonts removed
- Current fonts standardized
- Buttons standardized
-
[Adapt] Control Center Events now consume the
policyName
returned by the Risk Engine, and will use this value in addition topolicyId
to identify policies -
[Adapt] Policies
- Date Created columns has been added to the main pane list
- A side panel has been added to replace the Actions column, and now handles Configuration and Deletion of the policy
- Support has been added to enable management of policy assignments under Policy Configuration
- A test pane has been added for built-in policies.
- The Adapt landing page links documentation and includes links to create policies
-
[Adapt] Signal Handlers
- Where it appears, the term Event when used in context of HYPR Adapt has been changed to Signal
- The Adapt landing page links documentation and includes links to create handlers
- A side panel has been added to replace the Actions column, and now handles Configuration and Deletion of the handler
- Date Created columns has been added to the main pane list
- A status indicator has been added in the upper right to show Active or Disabled status for the selected Signal Handler
- A Metrics column has been added to the Signal Handlers list, including a drawer displaying invocation successes/failures and quick access to view error logs for the handler invocations
- Support has been added for Signal Handler versioning and reversion
- Default signal content now populates the test tab depending on which type of signal is chosen
- The code Test tab pane has been condensed into a single page with Input and Log panes
- Signal Handler Flow and UI improvements
-
[Affirm] General improvements to the IdV escalation process
-
[Affirm] Events have been redefined and updated to better accommodate flows; see the Events section in this article
-
[Affirm] HYPR modals have been updated to deliver a more unified experience
-
[Affirm] The 'Record' button now changes to indicate it has been pushed
-
[Affirm] When a new Approver joins the chat, the Requester is informed that the Approver has changed
-
[Affirm] When the Requester is waiting for an Approver, a message now informs them when the wait has timed out
-
[Affirm] A message has been added to the Requester to indicate that the Continue button has become available
-
[Affirm] The Flow ID is now shown in the flow UI
-
[Affirm] Veribage added to set user expectations for lengthy processing times
-
[Affirm] Improved error handling in code customization calls
-
[Affirm] Twilio chat and video dependencies have been removed from photo ID and liveness checks
-
[Affirm] HYPR enables you to return either an empty object
{}
in cases when the user directory record cannot be obtained, or a custom error{ error: "My error message"}
to handle whichever errors or conditions you prefer -
[Affirm] Microsoft Verified ID is now included as a possible successful Affirm outcome
-
[Control Center] The Add Configuration dialog offers only one option, removing the legacy Firebase configuration dialog option, and including a JSON entry field in the updated dialog
-
[Documentation] HYPR Passwordless device authentication dialogs displayed by the OS and/or browser during registration, authentication, deregistration, and, where applicable, PIN/PUK management
-
[HYPR Mobile App - Both] Conditional Enrollment: Administrators can determine whether or not a HYPR account using Single Registration will pair with a corresponding computer account during the enrollment process
-
[HYPR Mobile App for Android; HYPR SDK for Android; API] Offline and Recovery PINs are now available when pairing through Single Registration
-
[HYPR Mobile App for iOS] FIDO2 pairing and authentication for WiFi, BLE, and the FIDO2 Gateway transports are individually toggleable in Control Center
-
[HYPR Mobile App for iOS] Keychain profiles are cleared upon first launch of the HYPR Mobile App to prevent pre-population with incorrect values
-
[HYPR Passwordless for macOS] The time between sending HYPR PAsswordless to the trash and uninstalling the product has been shortened
-
[HYPR Passwordless for Windows] Serial numbers for Feitian keys have been stabilized
-
[HYPR Passwordless for Windows] Updated the bundled YubiKey mini-driver to version 4.6.3
-
[HYPR Passwordless for Windows] YubiKey Bio MPE verbiage improvements
-
[Platform - Keycloak] Improved messaging to better acommodate multiple users
-
[Platform - Keycloak] Keycloak has been updated to version 24.0.3
Events
The field eventLoggedBy
has added ENROLLMENT_SERVICE as an option.
New Affirm Events:
-
AFFIRM_WORKFLOW_STARTED
-
AFFIRM_WORKFLOW_APPROVER_REDEEMS_INVITE
-
AFFIRM_WORKFLOW_PHONE_NUMBER_ENTERED
-
AFFIRM_WORKFLOW_VIDEO_APPROVER_ENABLED
-
AFFIRM_WORKFLOW_VIDEO_REQUESTER_ENABLED
-
AFFIRM_WORKFLOW_DOCUMENT_UPLOAD
-
AFFIRM_WORKFLOW_ATTESTATION_OUTCOME_TYPE
-
AFFIRM_WORKFLOW_IDV_START
-
AFFIRM_WORKFLOW_IDV_FINISH
-
AFFIRM_WORKFLOW_CHAT_ESCALATION
-
Added
userRole
field to Affirm Events
FIDO2 FacetID Events:
-
UAF_FACETID_ADDED
-
UAF_FACETID_REMOVED
FIDO2 Gateway Events:
-
HYPR_GATEWAY_WORKSTATION_DRIVER
-
HYPR_GATEWAY_AVAILABLE
-
HYPR_MOBILE_DATABASE
Other Events:
-
FIDO_ONLY_TRANS
-
WORKSTATION_INSTALL_TOKEN
See Event Descriptions for a list of all HYPR Events and parameters.
Error Messages
The following errors have changed:
- 1207013 has been reworded: "There was an issue with the code customization."
The following errors have been added to HYPR:
To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.
APIs
-
[HYPR Adapt API]
-
Event (Signal) Handler search and metrics operations have been added:
-
GET /cc/api/integrations/adapt/eventhandler/{eventHandlerId}
: List all Event handlers for the tenant and handler id. -
GET /cc/api/integrations/adapt/eventhandler/{eventHandlerId}/{version}
: List all Event handlers for the tenant and handler id and version. -
allVersions
attribute has been added to the GET Event (Signal) Handler responses
-
-
-
[HYPR Affirm API] Code customization CRUD operations have been added:
-
GET /cc/api/idv/code-customization/:codeCustomizationId
Get a single code customization andGET /cc/api/idv/code-customization
Get all code customizations have been moved under a newly created folder, Code Customization -
POST /cc/api/idv/code-customization
Create a code customization. -
POST /cc/api/idv/code-customization/test
Test a code customization. -
DELETE /cc/api/idv/code-customization/codCustomizationId
Delete a code customization. -
POST /cc/api/idv/code-customization/update
Update a code customization.
-
-
[FIDO2 Gateway] Send/Receive calls have been added for devices and workstations:
-
POST /rp/deviceapi/fido2/advertise
Mobile device starts/stops advertising. -
POST /rp/deviceapi/fido2/receive
Device receives CTAP request from the FIDO2 Gateway. -
POST /rp/deviceapi/fido2/send
Mobile device sends CTAP response. -
POST /rp/wsapi/fido2/listen
Workstation listens for mobile device advertisements. -
POST /rp/wsapi/fido2/receive
Workstation receives CTAP request from the FIDO2 Gateway. -
POST /rp/wsapi/fido2/send
Workstation sends the CTAP request.
-
You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.
Upcoming Changes
Smart Card PIN Unblocking Key (PUK) PIN Reset HYPR accommodates smart card and security key PUK PIN reset functionality from the desktop.
HYPR Documentation Reorganization In the 10.x series, HYPR Documentation will undergo minor but still notable changes in the way articles are grouped. Instead of adhering to the legacy format mirroring the UI layouts, based on feedback from customers, we are making accommodations in an attempt to better reflect the user's journey.
Bug Fixes
-
[Adapt] Fixed: If Adapt has never been used before, the Create Policy dialog shows a blank page
-
[Adapt] Fixed: User is not getting blocked when FIDO2 failure threshold is crossed
-
[Affirm] Fixed:
login-id
endpoint and ftl template naming convention generates a fallacious 'Dangerous site' warning -
[Affirm] Fixed: Broken links
-
[Affirm] Fixed: HYPR retention policy change breaks Onfido
-
[Affirm] Fixed: Multiple entries in the Activity Log are generated, as one per approver is created
-
[Affirm] Fixed: Remove
barcode
attributes in the document report for uploaded ID documents -
[Affirm] Fixed: Text code message exceeds the bounds of the text block
-
[Affirm] Fixed: The Activity Log type records 'Recovery' when initiated by the API
-
[Affirm] Fixed: The client secret is not hidden in the OIDC Settings
-
[Control Center] Custom Branding - Fixed: Hexadecimal color character counter warns when a letter is in the value, and fails to save when there is no warning
-
[Control Center] Custom Branding - Fixed: Save buttons don't save; image upload fails
-
[Control Center] Custom Branding -Fixed: Background color not accepting HEX characters A-F
-
[Control Center] Custom Branding- Fixed: Saving causes 400 on image endpoint but doesn't add an image
-
[Control Center] Enterprise Passkey - Fixed: With the Entra Provisioning API enabled, the Passkey pairing flow which is also shown for local and Non Hybrid-AD accounts fails with an error; when the Entra provisioning API is disabled, the flow still asks the user to go to the Microsoft Management portal to create the passkey
-
[Control Center - Integrations] Okta - Fixed: Broken UI link in Integration Setup dialog
-
[Control Center - Integrations] Okta - Fixed: If two users have the same email, when 'send email' is clicked for one of the users, it changes to 'Sent' for both
-
[Control Center - Integrations] Okta - Fixed: The Email field defaults to "N/A" under User Management in Advanced Mode
-
[HYPR for AD FS] Fixed: When authentication is denied via the Deny button, no confirmation message is shown to user
-
[HYPR Mobile App - Both] Fixed: The link to Entra pairing documentation is broken
-
[HYPR Mobile App for Android] Fixed: The icon displayed along with notifications is the old HYPR logo
-
[HYPR Mobile App for Android] Fixed: When registering from web to workstation, if TalkBack is enabled, HYPR does not generate a push notification
-
[HYPR Mobile App for iOS AND HYPR Passwordless for Windows] Fixed: The white label in
hypr.json
andtenantId
for the Device Manager link doesn't initiate Desktop SSO -
[HYPR Passwordless for macOS] Fixed: Failure to contact Certificate Authority if the user is accessing a shared folder
-
[HYPR Passwordless for Windows] Fixed: During QR Fallback the tenant name is truncated when it is too long
-
[HYPR Passwordless for Windows] Fixed: With Enterprise Passkey enabled, The HID minidriver FIDO key setup prompts for a system restart
-
[Platform - Keycloak] Fixed: Incorrect Event labels for Keycloak brute force Events
Known Issues
-
[HYPR Mobile App for iOS] The text below the logo on the home screen still says "True Passwordless Security" and has not been updated to "Identity Assurance"
-
[HYPR Passwordless for Windows] Deleting a fingerprint from the middle of the list doesn't re-order the rest of the list
-
[HYPR Passwordless for Windows] HYPR displays an error when a paired Yubikey Bio MPE has the maximum number of fingerprints stored already
-
[Control Center] Analytics Dashboard link in Advanced Mode does not launch the Analytics Dashboard. The workaround is to use it in Standard Mode.
-
[Control Center] Server still sends push notifications with incorrect proxy credentials
Breaking Changes
Android Configuration (Migration from 8.7.X to 9.1.X)
-
Project-wide:
targetSdk 33 -> 34
minSdkVersion 23 -> 26
kotlin version 1.7.22-> 1.9.20 -
gradle-wrapper.properties
:https\://services.gradle.org/distributions/gradle-7.6-bin.zip -> https\://services.gradle.org/distributions/gradle-8.4-bin.zip
-
project:build.gradle
:kotlin version 1.7.22-> 1.9.20
com.android.tools.build:gradle:7.2.2 -> com.android.tools.build:gradle:8.1.4
com.google.gms:google-services:4.3.14 -> com.google.gms:google-services:4.4.0
com.guardsquare:dexguard-gradle-plugin:1.3.24 -> com.guardsquare:dexguard-gradle-plugin:9.4.21 -
app:build.gradle
:-
Implementation:
androidx.appcompat:appcompat:1.5.1 -> androidx.appcompat:appcompat:1.6.1
com.google.android.material:material:1.7.0 -> com.google.android.material:material:1.10.0
androidx.lifecycle:lifecycle-process:2.5.1 -> androidx.lifecycle:lifecycle-process:2.6.2
com.google.code.gson:gson:2.10 -> com.google.code.gson:gson:2.10.1
org.apache.commons:commons-lang3:3.12.0 -> org.apache.commons:commons-lang3:3.13.0
com.google.mlkit:barcode-scanning:17.0.0 -> com.google.mlkit:barcode-scanning:17.2.0
androidx.core:core-ktx:1.9.0 -> androidx.core:core-ktx:1.12.0
androidx.lifecycle:lifecycle-viewmodel-ktx:2.5.1 -> androidx.lifecycle:lifecycle-viewmodel-ktx:2.6.2
org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.7.22 -> org.jetbrains.kotlin:kotlin-stdlib:1.9.20
com.google.firebase:firebase-messaging:23.1.0-> com.google.firebase:firebase-messaging:23.3.1 -
annotationProcessor
:androidx.lifecycle:lifecycle-common-java8:2.5.1 -> androidx.lifecycle:lifecycle-common:2.6.2
-
-
You might need to add this (depending on your setup) in
app:build.gradle
:android {
...
compileOptions {
sourceCompatibility = JavaVersion.VERSION_1_8
targetCompatibility = JavaVersion.VERSION_1_8
}
kotlinOptions {
jvmTarget = "1.8"
}
...
}