8.1.0 Release Notes
Release Date | Product/Version | Platform | Notes |
---|---|---|---|
March 29, 2023 | HYPR Workforce Access Client for Windows 8.1.0 | Windows (10, 11) | Reboot required if upgrading from 7.6 or below; Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their offshoots |
March 29, 2023 | HYPR Workforce Access Client for Mac 8.1.0 | macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura) | Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their respective offshoots |
March 29, 2023 | HYPR Mobile App for Android 8.1.0 | Android 8.0+ | |
March 29, 2023 | HYPR Mobile App for iOS 8.1.0 | iOS 12.4+ | |
March 29, 2023 | HYPR Server 8.1.0 | Server | Upgrade to 7.10 required before upgrading to 8.0.0 or higher |
March 29, 2023 | HYPR Android SDK 8.1.0 | Android 8.0+ | |
March 29, 2023 | HYPR iOS SDK 8.1.0 | iOS 12.4+ | |
All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.
New Features
(HYPR Mobile App - All) My Security Keys section in the HYPR Mobile App menu
HYPR Mobile App now includes a menu category, My Security Keys, which displays paired security keys, including HYPR Enterprise Passkeys.
(HYPR Mobile App, HYPR iOS and Android SDK) QR Fallback
If the user cannot use the device's camera when pairing with a QR Code (via either the HYPR Device Manager/Magic Link or the Workforce Access Client) or when logging into a workstation using a QR Login, an option is provided to initiate manual activation code entry. The code is presented to the user on-screen, and then entered into the HYPR Mobile App to complete pairing or authentication. Additionally, when using a Keycloak authentication flow, the UI has been updated to honor QR Fallback via the HYPR Mobile App.
(Platform) HYPR Enterprise Passkey
HYPR is proud to present a unique offering that will turn your device's HYPR Mobile App into a security key when authenticating via Azure AD. This method is certified as a Microsoft-compatible FIDO2 security key.
HYPR plans to extend this functionality across other IdPs in the near future.
(Platform - Integrations) User Enrollment Drawer
HYPR Integrations now offer a more standardized experience around Integrations' Enroll Users drawer. Users can now be added in bulk or individually, and can be uploaded using a `.csv` file. Enrolling users can be done regardless of the Enabled/Disabled state of the integration.
(Workforce Access Client - Windows) Non-exportable Private Keys / Certificate Template for Security Keys
When enabled, the non-exportable private keys setting prevents the private key stored on a physical security key from being exported; the key is generated on the security key itself, so it never leaves the key and cannot be extracted. This feature is mutually exclusive with Recovery PINs.
Enhancements
(Control Center) FIDO2 Configuration Options
FIDO2 Settings now includes more robust FIDO2 configuration options in addition to the Client Origin URL:
- Discoverable Credentials
- User Verification Mode
- Attestation Type
All of these properties are also reflected under integrations' Login Settings -> FIDO2 Settings panel. See FIDO2 Settings for a full description.
(Control Center) Support for Multi-region Installations
Multiple servers in different regions replicate the database to guarantee persistence for enrolled users.
(Platform - Integrations - Azure AD) HYPR Native Login (previously existing Azure AD Integration)
- Azure AD Integration is now entitled HYPR Native Login; it optionally can take advantage of Conditional Access Policy Templates
- The Domain Name Administrator role must be added to the HYPR Service Account in Azure, or CC will generate an error stating, "Insufficient privileges to complete the operation," when attempting to Enable or Disable the Integration
(Workforce Access Client - Mac) Security Key Support on macOS
macOS users now can enjoy basic workstation Security Key support for verified PIV-capable security key models. See Requirements for the full list of supported models. macOS Security Key Support does not include the following functionality:
- Recovery PINs for security keys
- Non-exportable private keys
- Certificate Renewal for security keys
Events
QR_FALLBACK_PAYLOAD_RETRIEVED
Indicates when a QR fallback cache request is made, regardless of whether the attempt was successful or not. This is handled entirely by Control Center and occurs when the new endpoint `/rp/device/pendingqr` receives a request.
For a full list of HYPR Events, see Event Descriptions.
Error Messages
- (HYPR Mobile App for iOS - QR Fallback) 101089: `HYPRErrorUserAgentManualCodeEntryFailed`
To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.
APIs
- FIDO2 `/attestation/result` request accepts three new fields: `transports`, `authenticatorAttachment`, and `clientExtensionResults`

  ```
  {
    ...
    "response": {
      ...
      "transports": [...]
    },
    "authenticatorAttachment": ...,
    "clientExtensionResults": {
      "credProps": {
        "rk": true
      }
    }
  }
  ```
- FIDO2 `/assertion/result` request accepts a new field: `authenticatorAttachment`
You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.
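The following added example (not HYPR code) shows how a web client could populate the three new attestation fields from a WebAuthn `PublicKeyCredential`, including the case where an older browser does not expose them. The function names, the sample credential, and every body field other than `transports`, `authenticatorAttachment` and `clientExtensionResults` are assumptions based on the usual WebAuthn JSON shape.

```javascript
// Added example. Only transports, authenticatorAttachment and
// clientExtensionResults come from the release note; the remaining field names
// are assumed from the usual WebAuthn JSON shape, not from HYPR documentation.
const b64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function toAttestationResultBody(cred) {
  const r = cred.response;
  // Older browsers lack getTransports(); send an empty list rather than throw.
  const transports = typeof r.getTransports === "function" ? r.getTransports() : [];
  const ext = typeof cred.getClientExtensionResults === "function"
    ? cred.getClientExtensionResults() : {};
  return {
    id: cred.id,
    rawId: b64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: b64url(r.clientDataJSON),
      attestationObject: b64url(r.attestationObject),
      transports,
    },
    // "platform", "cross-platform", or null when the browser does not report it.
    authenticatorAttachment: cred.authenticatorAttachment ?? null,
    clientExtensionResults: ext,
  };
}

// true/false when the authenticator reported credProps.rk, null when unknown.
function discoverableCredentialCreated(body) {
  const rk = body.clientExtensionResults?.credProps?.rk;
  return typeof rk === "boolean" ? rk : null;
}

// Constructed stand-in for a PublicKeyCredential (bytes are placeholders).
const sampleCredential = {
  id: "AQID",
  rawId: new Uint8Array([1, 2, 3]).buffer,
  type: "public-key",
  authenticatorAttachment: "cross-platform",
  response: {
    clientDataJSON: new Uint8Array([123, 125]).buffer,
    attestationObject: new Uint8Array([0xa0]).buffer,
    getTransports: () => ["usb", "nfc"],
  },
  getClientExtensionResults: () => ({ credProps: { rk: true } }),
};
```

A `null` from `discoverableCredentialCreated` means the client did not report `credProps`, so it should be treated as unknown rather than as a non-discoverable credential.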
General Improvements
- (Control Center) Sensitive or redacted attributes don't appear in clear text in the log; unknown values default to an empty value
- (Device Manager) "Begin Pairing" has been removed and the QR code now auto-refreshes every 60 seconds
- (HYPR Mobile App) Improved labeling of the Support button to bolster Accessibility support
- (Platform - Integrations - Okta) Add "Desktop SSO" capability to "Login Settings"
- (SDK for Android) Allow Background to Cancel registration
- (Workforce Access Client for Mac) Support for macOS Ventura (v.13)
Upcoming Changes
Early Access: Single Registration
HYPR now only requires a pairing in one component of the HYPR system, instead of pairing separately with the Device Manager or the Workforce Access Client. When paired in one, you will be automatically prompted to complete the pairing on the other, and thereafter that pair will appear universally in all HYPR authentication options for that RP Application.
HYPR Branding Changes
You may have noticed HYPR content shifting to include a fingerprint theme; likewise, we are changing some of our product names in 8.2.0 to standardize their labeling. Some are still the old familiar titles you know and love.
We've included the full list here:
New HYPR Name | Legacy HYPR Server Name |
---|---|
HYPR Cloud | HYPR Cloud |
HYPR ON Prem | HYPR On Prem |
RADIUS | HYPR RADIUS Server |
New HYPR Name | Legacy HYPR Mobile App Name |
---|---|
HYPR for iOS | HYPR Mobile App for Android |
HYPR for Android | HYPR Mobile App for iOS |
HYPR Enterprise Passkey | HYPR FIDO2 Mobile Authenticator |
New HYPR Name | Legacy HYPR Workforce Access Client Name |
---|---|
HYPR Passwordless for Windows | HYPR Workforce Access Client for Windows |
HYPR Passwordless for Mac | HYPR Workforce Access Client for Mac |
New HYPR Name | Legacy HYPR SDK and API Names |
---|---|
HYPR SDK for iOS | HYPR SDK for iOS |
HYPR SDK for Android | HYPR SDK for Android |
HYPR SDK for Golang | HYPR SDK for Golang |
HYPR SDK for Java | HYPR SDK for Java |
HYPR SDK for JavaScript | HYPR SDK for JavaScript |
HYPR SDK for Python | HYPR SDK for Python |
HYPR Server APIs | Server API |
New HYPR Name | Legacy HYPR Integration Name |
---|---|
HYPR for Okta | Okta |
HYPR for Workspace | Google Workspace |
HYPR for OneLogin | OneLogin |
HYPR for Azure | Azure |
HYPR for Ping DaVinci | Ping DaVinci |
New HYPR Name | Legacy HYPR Feature Name |
---|---|
HYPRspeed | Desktop SSO |
New HYPR Name | Legacy HYPR Plugin Name |
---|---|
HYPR for AD FS | AD FS |
HYPR for Ping Federate | Ping Federate |
HYPR for SiteMinder | SiteMinder |
HYPR for ForgeRock | ForgeRock |
Bug Fixes
- (Platform - Integrations - Azure) QR authentication remains functional after updating the integration
- (Platform - Integrations - OneLogin) User roles added when the integration was enabled persist when the integration is disabled
- (Platform - Integrations - Ping DaVinci) Redirect URLs are now validated before being allowed
- (Workforce Access Client - Mac) When using Touch ID, the login dialog no longer persists
- (Workforce Access Client - Windows) User presence check during registration is no longer broken by Windows Update
Known Issues
- (Workforce Access Client - All) QR Fallback APP NAME value, if long enough, cuts off at the edge of the dialog box instead of wrapping
- (HYPR Mobile App - Android) QR Fallback PIN must be lowercase but allows uppercase characters; if the PIN is not all lowercase, the Submit button will not activate
- (Workforce Access Client - macOS) If a user is paired with more than one device (either security key or mobile phone), macOS might prompt the user for a password to unlock the keychain; this occurs because the operating system ties the keychain token to only one unique certificate, while each HYPR device certificate pair is unique