Changelog

Entries are in timeline order by date, going backwards in time down the page.

10.0.0 - GA 2025-02-12

Enhancements

[Adapt] Feature Requests
- [Adapt] Show Logging Only flag value in the Policy details drawer
- [Adapt] Store the OAuth2 CrowdStrike API key in Adapt for calls
- [Adapt] Fixed: CrowdStrike IdP Policy evaluation IdP score check is not working as expected
- [Adapt] Fixed: ZTA policy enhancement fires STORED_API_ZERO_TRUST_ASSESSMENT whenever ZTA score is manually retrieved
- [Adapt] Fixed: Crowdstrike policies allowed=true when unable to obtain score
- [Adapt] Fixed: Logging Only Enabled/Disabled status is not tracked in the Audit Trail
- [Adapt] Fixed: CrowdStrike Signal Handler: Add Bulk API call to cover ZTA machine statuses for user web calls
[Adapt] General Improvements
- [Adapt] Consolidate policy evaluation calls in Keycloak Select Login Method module
- [Adapt] Policy assignment event should be tagged as ADAPT_POLICY_ASSIGNMENT and should have policyName
- [Adapt] Add tests for the Login Limits template
- [Adapt] Create diagrams/documentation notes for Firebase KT
- [Adapt] Fixed: Policy / Handler search doesn't work with ID, works only with name
[Adapt] Risk policy chaining PoC
- [Adapt] Composite policy chaining
[Adapt] UI/UX Updates
- [Adapt] Decrease width of version selection field
- [Adapt] Run a new signal search on username change
- [Adapt] Enable searching in the Rego editor
- [Adapt] Confirm exit on unsaved changes
- [Adapt] Prompt for configuration Save upon form change
- [Adapt] Add a refresh button for Signal Handler metrics
- [Adapt] Signal Handler metrics: UX feedback points
- [Adapt] Signal Handler metrics: Info icon with rollover text explaining the use and source of the metric
- [Adapt] Fixed: Manual evaluation input gets overridden on evaluation request
[Affirm] Feature Requests
- [Affirm] Add resource field to OIDC
- [Affirm] Add resource field to OIDC in the UI
- [Affirm] Add an outcome option to redirect on failure
- [Affirm] Add Consent screen
[Affirm] Workflow Friction level for predefined Verification Step templates
- [Affirm] Create the new Friction enum and add it to the UI
- [Affirm] Create workflow defaults by Friction
[Affirm; Integrations; Platform - Keycloak] Keycloak, Affirm and Integrations-related tasks
- [Affirm] Add unit tests to AffirmUserService.kt
- [Affirm] When creating a new workflow, force the user into the full modal
[All HYPR] UX/UI component library updates
- [All HYPR] Generate build of component library
[Passwordless for Windows] Security Device Enhancements
- [Passwordless for Windows] Show smart card device type at registration
- [Passwordless for Windows] Touch policy for YubiKey (presence verification)
- [Passwordless for Windows] Configurable security device lockout number
- [Passwordless for Windows] Fixed: Not getting firmware version from Feitian keys
- [Passwordless for Windows] Fixed: When Smart Card Pairing Enabled is disabled, we cannot pair an IDEMIA card
[Passwordless for Windows] Tech Debt Q1 2025
- [Passwordless for Windows] Change default so HyprKsp does NOT do CRL and user account checks
- [Passwordless for Windows] Extend copyright year to 2025
- [Passwordless for Windows] Fixed: HyprServiceInstallError system environment variable may be set following the Passwordless client installation
- [Passwordless for Windows] Fixed: Checking wrong error code after DiInstallDriver
[SDK for FIDO2 Web Browser] HYPR FIDO2 Web SDK Improvements 10.0
- [SDK for FIDO2 Web Browser] Consolidate Type imports
[Adapt ] Event Handlers Beta
[Adapt] Logging facility for Policies
[Adapt] Risk and Signal Handler versioning Template [Backend]
[Control Center - Integrations] Enterprise Passkey: Third-party passkey provider API for macOS [Alpha]
[Mobile App for Android] Current profile improvements: MachineStatus and token refresh
[Mobile App for Android] Hyprlinks: sample code reference app
[Mobile App for Android] Provide responses for MASA revalidation
[Mobile App for iOS] Update EULA text
[Passwordless for Windows] Update EULA text on the workstation client
[Platform - Keycloak] Keycloak to send authenticated events

Bug Fixes

[Passwordless for macOS] Q2 2025 Security Device Enhancements
- [Passwordless for macOS] Fixed: Cannot set "securityKeyPinComplexity" in hypr.json
- [Passwordless for macOS] Fixed: Passwordless doesn't enforce PIN Complexity
[Affirm] Integration Bug Fixes
- [Affirm] Fixed: Control Center UI Verification Flows table Description sort leads to a white screen
- [Affirm] Fixed: Generic error when updating verification flow that isn't assigned an rpAppId
- [Affirm] Fixed: After the Consent screen, instead of redirecting to chat, it redirects to the Control Center login page
- [Control Center - Integrations] Fixed: Azure: All three transport types are may be successfully disabled
[Adapt ] The risk policy name is displayed as 'NA' in the Integrations page when the policy is deleted
[Login Limits Policy] The user remains blocked even after the User Blocked Duration is configured
[Passwordless - Both] QR_Fallback: QR icon is large in size when compared to the line of text
[Passwordless for Windows] Fix warning introduced

9.7.2 - GA 2025-02-07

Enhancements

[Affirm] PoC: Helpdesk Support
[Affirm] Helpdesk CC UI Changes
[Affirm] Helpdesk endpoint details UI
[Affirm] Helpdesk endpoint main table UI
[Affirm] Helpdesk IdV UI changes
[Affirm] Helpdesk PoC - combine/connect the web UI all together
[Affirm] Helpdesk scaffolding code for the new endpoint
[Affirm] New feature flag for Help Desk functionality
[Affirm; Integrations; Platform] Q1/2025 Keycloak, Affirm and Integrations related tasks
[Integrations - Entra] Use the Keycloak url from vault
[Integrations - Okta] Don't assign an application when adding a device
[Mobile App - Both] Make SMS keyword responses adhere to convention (stop, help, etc.)

Bug Fixes

[Entra] Federation: After updating the password of a service account, users can no longer authenticate

9.7.1 - GA 2025-01-07

Enhancements

[Adapt] Additional CrowdStrike functionality and fixes
- [Adapt] Store OAuth2 CrowdStrike API Key in Adapt for calls
- [Adapt] Fixed: ZTA policy enhancement: Fire INBOUND_EVENT_HOOK whenever the CrowdStrike ZTA score is manually retrieved
- [Adapt] Fixed: Crowdstrike IdP Policy: The evaluation IDP score check is not working as expected
- [Adapt] Fixed: Add Bulk API call to cover CrowdStrike ZTA machine status for user web calls
- [Adapt] Fixed: CrowdStrike policies allowed=true when unable to obtain score
- [Adapt] Fixed: CrowdStrike IdP Policy: Policy evaluation failed due to error 'failed to create policy evaluation context'
- [Adapt] Fixed: CrowdStrike ZTA policy: Previously generated STORED_API_ZERO_TRUST_ASSESSMENT is not being used for policy eval
[Affirm] Third party jars/tools production readiness tasks
- [Affirm] Add SMS reference data
- [Affirm] Use the latest pinpoint SDK (version 2)
- [Affirm] Configure rate limits
- [Affirm] Update IAM policy for accessing end-user messaging API
[All HYPR] Observability Tasks
- [API] Enhance API Tokens Traceability
- [Control Center] Consistent server request logging
- [Errors] DBMigration service logs should use the 'Info' log level instead of the 'Error' log level
- [Events] Define Event information requirements
- [Events] FIDO_ONLY_AUTH and FIDO_ONLY_REG attempts do not have an associated COMPLETE event
- [Events] Saving an Event failure should not fail flows
- [Errors] Fixed: Remove error codes for successful Event logs
- [Events] Fixed: The deviceId is null in Event logs when other device data is known
[All HYPR] Use same traceId for reg process
[Mobile App - Android] QR Code handling of additional parameters
- [Mobile App for Android] Custom field added to qrpayload
[Passwordless - Both; API] Workstation thundering herd mitigation
- [API] Move security key last used date to batching
- [Control Center; API] Block or throttle selected Control Center calls
- [Passwordless - Both] Mitigate workstation Audit call flood
- [Passwordless - Both] Workstation status warm session cache needs optimization
[Platform - Keycloak] Protect against Evilnginx first phase
- [Platform] Confirm that protections against Evilnginx will work in production

Bug Fixes

[Affirm; Control Center - Integrations] Q1/2025 bugs fixed
- [Affirm] Fixed: Switching approver to HYPR from Manager is not taking still get emails and texts
- [Affirm] Fixed: The results API returns a query when invalid/nonexistent workflowId is provided
- [Affirm] Fixed: Code Customizations: ACCEPT and CONTENT_TYPE headers are being appended twice
- [Affirm] Fixed: A blank page appears because of a React error when the user selects a value from the Type dropdown in the Affirm Approver Management page
- [Control Center] Fixed: Adding a Control Center admin user shows on both the Registered and Pending lists
- [Control Center] Fixed: After successful registration on mobile using a passkey, the passkey is not displayed
- [Control Center - Integrations] Fixed: Okta: Two users with same email; only one is able to register with HYPR
[Adapt] Fixed: Signal Handlers: TOR Data Collector handler times out when a signal is triggered
[Affirm] Fixed: Add better logging to Affirm for production releases
[API] Fixed: /rp/wsapi/securitykey/updatepinreset returns 200 with invalid existingPuk
[Control Center - Integrations] Fixed: HYPR Enterprise Passkey: Double user presence (UP) prompt periodically occurs during authentication
[Control Center - Integrations] Fixed: HYPR Enterprise Passkey: Unexpected signature counter received
[Mobile App for iOS] Fixed: Web-to-workstation QR scan to login fails with 1202006

9.7.0 - GA 2024-12-11

New Features and Feature Changes

[Adapt] Implement Adapt for Workstation - Beta
[Adapt] Policy & Signal Handler UI v9.7 Cleanup
- [Adapt] Login Limits Policy Unit Test
- [Adapt] Signal Handlers: Template and tests organization
- [Adapt] Fixed: Login limits policy allows negative values in the config and the policy evaluation fails
- [Adapt] Fixed: Signal Handlers: Values flicker when the mouse is hovered on the success or failure percentage tooltip
[Adapt] UX Updates II
- [Adapt] Add version tags to templates
- [Adapt] Enhance Signal Handler Error Details
- [Adapt] Add View Raw option for signal search results
- [Adapt] Add Search by Signal Handler button
- [Adapt] Saved Event View in Signal Search
- [Adapt] Add Console Log Pane to Policy Test Page
- [Adapt] Revert code view change for built-in entities
- [Adapt] Policy Config Form - Support Textarea field
- [Adapt] UI - Update Doc Portal
- [Adapt] Signal Handlers page should show the pipeline - i.e. Sort by Status, Priority & then Last Modified
- [Adapt] Signal Handler Metrics - UX feedback items
- [Adapt] Fixed: ‘Policy Assignments Updated’ success message interrupts the Policy assignment
- [Adapt] Fixed: The exceptions for date selection in the Signal Search page aren't handled properly, which leads to an empty page being displayed
[Affirm] Control Center login first time Admin with Affirm
- [Affirm] Remove AffirmUserService.kt from all sonar exclusions
[Affirm] Custom Workflow Enhancements & Management in UI
- [Affirm] Back End: Create an end point to allow the UI to get all the available workflows
- [Affirm] Remove Application Setup Tab
- [Affirm] Front End: Add the verifications flow tab table
- [Affirm] Update workflow drawer UI
- [Affirm] Select a workflow step in the drawer should zoom into the step in the modal
- [Affirm] Workflow Modal: Save and revert should work per tab
- [Affirm] Remove the first step of the web UI
[Affirm; Control Center - Integrations] Q4/2024 Integrations and Affirm bug fixes and unplanned work
- [Adapt; Events] Add 'locationIpDistance=' and 'locationReverseGeocodeDistance=' to GOOGLE_LOCATION_ADDRESS operation payloads
- [Affirm] Add logins to logs for Affirm to help get info for debugging and future issues
- [Affirm] Upgrade/migration path to populate missing values in new Affirm table
- [Affirm] If only 1 Approver/escalation Approver is listed, do not show a timeout
- [Affirm] Add close button to verification flow modal
- [Affirm] Lint & Format affirm cc ui code to be in unison with proper configs.
- [Control Center] Email templates need to be updated with the new office information
- [Platform - Keycloak] Authenticator page text changes
- [Affirm] Fixed: if user is stuck in the upload document we should time out after a set amount of time
- [Control Center] Fixed: Deleting a Control Center user deletes the user but shows an error in the model and both a success and failure message on Control Center
- [Affirm] Fixed: Some users are not able to type in the chat and are not able to click on the type here to chat
- [Affirm] Fixed: API missing "status": and "type": for new table flows
- [Affirm] Fixed: Approver chat is not loading for requester or approver
- [Affirm] Fixed: Creating a flow via the API in 9.7 does not allow "OUTCOME_STEP_REDIRECT_URL": "Dynamic
- [Affirm] Fixed: Cannot create a workflow approver time must be 0 for last approver
- [Affirm] Fixed: Data too long for column error and 500 internal error
- [Affirm] Fixed: Lock header and footer in place for the model
- [Affirm] Fixed: CC Admin flow unable to register device/ 500 on device registration
- [Affirm] Fixed: Twilio video no longer loading for affirm on Firefox/Edge
- [Affirm] Fixed: Workflow Inactive/active does nothing flows can be run in either state
- [Affirm] Fixed: Entering nothing in the input field for text messages verification number goes to site cannot be reached
- [Affirm] Fixed: Better UX around the please wait screens
- [Affirm] Fixed: Better wording around the text received by users with the verification code
- [Affirm] Fixed: Better branded error messages for 403 errors after a link is clicked
- [Affirm] Fixed: OIDC approver not persisting after save on new table
- [Affirm] Fixed: Attempting to select type on affirm new table shows under applications when selected
- [Affirm] Fixed: Better error message around missing type
- [Affirm] Fixed: 2 approvers are able to join the chat
- [Affirm] Fixed: Remove assigned approvers if escalate to live chat is inactive - don't allow add escalation approver to be added unless it is active
- [Affirm] Fixed: With no data present - on advanced customizations we are showing them on the workflow management as active when they are not
- [Affirm] Fixed: Deleting last workflow causes user not to be able to close the slider and can delete an empty workflow
- [Affirm] Fixed: Remove the 'this link expires in time' from the approver email.
- [Affirm] Fixed: Set timeouts for approvers saved at 5 minutes on save are set to 0 minutes
- [Affirm] Fixed: CC Admin second flow being added to a tenant where a CC admin flow exists for the tenant throws a null pointer
- [Affirm] Fixed: Approvers missing on the slider view
- [Affirm] Fixed: Workflow validation for if HYPR approver is required says approver type none
- [Affirm] Fixed: When turning off escalation approvers when should clean up the existing approvers to not confuse the user
- [Affirm] Fixed: Change status for rotation /cc/ui/idv/verify/document-upload-video to not be error
- [Affirm] Fixed: "null" String value as oidcClientConfigId in Approvers
- [Affirm] Fixed: Error when saving workflow after adding escalate to live chat
- [Affirm] Fixed: Creating customization and then opening modal, will not re-fetch list, but instead user needs to refresh the page
- [Control Center] Fixed: User Management: Can't create/delete admin users
- [Control Center] Fixed: Branding: UI on QR auth and QR fallback pages has HYPR style showing
- [Control Center] Fixed: Device Manager: Scan the QR code icon in the instructions; the QR is able to be picked up by camera
- [Control Center] Fixed: Fix the email to match the re-worked design
- [Control Center - Integrations] Fixed: Okta: Manually sending invite to a fake user leads to a server error
- [Control Center - Integrations] Fixed: Okta: Two users with same primary email, but different usernames, both get assigned to the Okta app
- [Control Center - Integrations] Fixed: Okta: Control Center showing blank error after failed attempt to add an Okta integration
- [Control Center - Integrations] Fixed: Okta: IDP provider is created/not deleted during failed attempts to add the integration
- [Platform] Fixed: Validation error in Datadog after brute force attempt
- [Keycloak] Fixed: NullPointerException when running with debug log in the old authenticator
- [Platform - Keycloak; Mobile App for Android] Fixed: Keycloak UI: Poor UX for Android user-agent to Android device.
- [Platform - Database] Fixed: Oracle-incompatible database migration
[All HYPR] Customer Issues Brought In
- [All HYPR] Single Registration: Web-to-Workstation: Extend validity of the FIDO session to cover enrolment/complete step on slow environments
- [All HYPR] Address server CVE
- [Control Center] Find a way to not have feature enabled for controlCenterAdmin
- [Mobile App for Android] Current Profile Improvements - Phase 1
- [Passwordless for Windows] Adjust SSO command line parsing to allow for Chrome breaking our URL
- [Control Center; Passwordless - Both] Fixed: InternalServerErrorException error returned for settings call
- [Passwordless for Windows] Fixed: Locale mismatch leads to invalid certificate expiration reported to CC
- [Passwordless for Windows] Fixed: Unlock fails with "Bad username or password" for a local user account when running in an RDP session
[All HYPR] Q4 2024 Authenticate Application Security Items
- [Platform] Redis: Encrypt ML
[All HYPR] Q4 2024 Branding and Customization
- [Affirm; Control Center] Back End: Adjust branding interceptor (CC/Affirm/DM) to enable disable branding based on the product calling it
- [Control Center] Front End: Fix responsiveness of cards and forms + handle loading states & error states in a nicer way
- [Control Center] Back End: Fix existing Device Manager data to use the correct end point
- [Control Center; API] Front End: Add Typescript support + switch api calls to use RTK for Custom Branding sections
- [Mobile App - Both] Back End: Add Mobile section to the customization
- [Mobile App - Both] Back End: Add Mobile section to the customization
- [Platform - Keycloak] Back End: Bring Logo and Background to Keycloak
- [Platform - Keycloak] Back End: Adjust Keycloak logic x branding by the enableLogoAndBgForKC flag
- [Platform - Keycloak] Keycloak branding customization should apply to all dialogs, not just the initial one.
[Control Center - Integrations] Entra: EAM Integration - Beta
- [Control Center - Integrations] Code cleanup around Entra integration
- [Control Center - Integrations] External Authentication Methods: Integration is enabled despite error message
[Control Center - Integrations] Entra: User Management Authenticator Removal
- [Control Center] UI: Use Generic User Management component in v1 Control Center users
- [Control Center] Settings: Use Generic User Management component
- [Control Center - Integrations] User Management: Paired with Azure: Display option to "Remove Workstation" or "Remove Web Domain" from mobile device
- [Control Center - Integrations] User Management: Paired with HYPR/Enrolled: Display option to "Remove Workstation" or "Remove Web Domain" from mobile device
[Control Center - Integrations] HYPR Enterprise Passkey: Tap to Login UX PoC
[Control Center - Integrations] Okta: Inline registration
- [Control Center - Integrations] Okta: Create the integration
[Control Center; Platform] UX/UI Auxiliary - v9.7
- [Platform] HYPR UI Component Library: Upgrade to Storybook 8
- [Control Center] Workstation Settings: Require User Presence UI
[Passwordless - Both] Q4 2024 Passwordless UI Improvements
- [Passwordless for Windows] Remove Desktop SSO "success" notification
[Passwordless - Both] Security Device Enhancements - Q4 2024
- [Control Center] HYPR IE SmartCard Hook not provided the type of the card
- [Passwordless for macOS] HYPR IE SmartCard Hook not provide type of the card
- [Passwordless for macOS] Security Key pre-registration hook before certificate is requested
- [Passwordless for Windows] Client doesn't enforce PIN complexity
- [Passwordless for Windows] Fixed: Unable to enter current PIN with special characters if securityKeyPinCharacters is not Any
- [Passwordless for Windows] Fixed: Deleting a fingerprint from the middle of the list doesn't re-order the rest of the list
- [Passwordless for Windows] Fixed: Security key registration is successful without entering values in New PIN and Confirm New PIN fields
[Passwordless for Windows] Passwordless Tech Debt Q4 2024
- [Passwordless for Windows] Fix build of PairedDevices tool
[Passwordless for Windows] (PUK) Security Device Unlock Code Support
- [Passwordless for Windows; API] Send "deletePuk" option in /rp/wsapi/smartkey/unenroll API
- [Passwordless for Windows] Multiple small fixes for Passwordless 9.5.1
- [Passwordless for Windows] Improve setting new PUK during security key enrollment
- [Passwordless for Windows] Client doesn't allow Feitian/YubiKey key to be reset when the wrong PUK is entered.
- [Passwordless for Windows] Server seems to give the wrong PUK or the client isn't accepting the right PUK
- [Passwordless for Windows] Client doesn't show UI to obtain PUK when we lock PIN through unpair workflow
- [Passwordless for Windows] Unable to unlock YubiKey with old firmware's using PUK
[Platform] Ops Tasks
- [Platform] Deploy latest 9.5 image for EOG
- [Platform] Enable Adapt signals for EOG tenants
[Platform - Keycloak] Q4 2024 Keycloak module improvements
- [API] Use POST instead of GET for usernames
- [Control Center - Integrations; Platform - Keycloak] Update code to use the new keycloak.fqdn address for Keycloak access
- [Platform - Keycloak] Upgrade to the latest Keycloak 25
[SDK for iOS] Mobile SDK Size Reduction - Implementation
- [SDK for iOS] Remove Cached Audit Event Mechanism

Enhancements

[Adapt] Inbound Event hooks ingestion
[Adapt] JSONDecodeError WEBAUTHN event
[Adapt] Signal Handlers: Add more functions to the ctx API
[Adapt; Documentation] Articles review and improvement/update
[Adapt; Platform - Keycloak] Hardening II - v9.7
[API] Switch /checksettings request justVerifySerialNumber to justValidateSerialNumber
[Control Center] (PUK) Security Device Unlock Code Support
[Control Center - Integrations] AD FS Plugin v2: Add support for Desktop SSO/HYPRSpeed
[Control Center - Integrations] HYPR Enterprise Passkey: Entra ID FIDO2 Provisioning APIs Security Hardening Integrations - Beta
[Mobile App - Both] Transaction Extras in QR code
[Mobile App for Android] Single Registration: Call status/registration when needed every time the app starts (instead of relying on Fallback button)
[Passwordless for Windows] Figure out PRT Validation

Bug Fixes

[Adapt] Bug Fixes
- [Adapt] Fixed: Exclude untrusted events
- [Adapt] Fixed: Evaluation Response Unavailable on Fallback Assignments appears null for old assignments
- [Adapt] Fixed: The attribute "eventTags" in the /cc/ui/audit/search call has "HYPR CC" or "KC" text appended to existing value
- [Adapt] Fixed: CrowdStrike event gets stored with eventName as 'null'
- [Adapt] Fixed: Policy home page > Assign policy: No RP App Evaluation Points to choose from
- [Adapt] Fixed: Missing/misformatted fields in ADAPT_POLICY_EVAL_USER_BLOCKED events
- [Adapt] Fixed: Events aren't valid JSON and are failing to route to the Event bus
- [Adapt; Control Center - Integrations] Fixed: Okta inbound hook handler code has undefined object error
[Adapt] Fixed: Signal Handlers: Crowdstrike: HMACTestSecretKey works only for one of the test Events
[All HYPR] Fixed: Single Registration: We don't see Recovery PINs for iOS/Android
[Control Center] Fixed: Custom Branding: Device Manager redirect URL not saving on Control Center, and not seeing the prompt or redirect link on Device Manager
[Events] Fixed: Traceids are not consistent through Enterprise Passkey Event flow
[Mobile App for Android] Fixed: Enterprise Passkey: User presence prompt contents are being read incorrectly
[Passwordless for Windows] Fixed: Enterprise Passkey: Accessibility: Incorrect element being read on the on Entra pairing success screen
[Passwordless for Windows] Fixed: Enterprise Passkey: Accessibility: Name property for the buttons are null in Wi-Fi/BLE selection screen
[Passwordless for Windows] Fixed: Intermittent issue with the client UI when we delete YubiKey registration with the API

9.5.3 - Patch 2024-11-18

Enhancements

[Passwordless for Windows][ Create fully independent messages for PIN unlock
[Control Center - Integrations] Okta: Allow confguration of user removal from an Okta application

Bug Fixes

[Affirm] Using customized email leads to an invalid link while inviting user to chat

9.5.2 - Patch 2024-11-01

New Features and Feature Changes

[Adapt] General Improvements
- [Adapt] Exclude untrusted Events
- [Adapt] Add the version bump code to the Risk engine pom
- Bug Fixes:
  - [Adapt] Fixed: Unable to deploy 9.5.2 Risk engine to STG environment due to auto-bump issue
  - [Adapt] Fixed: Missing/misformatted fields in ADAPT_POLICY_EVAL_USER_BLOCKED Events
  - [Adapt] Fixed: Events aren't valid JSON and are failing to route to the Event bus
  - [Control Center; API; Events] The attribute "eventTags" in /cc/ui/audit/search call has "HYPR CC" or "KC" text appended to existing value
[Adapt] Solve JSONDecodeError when parsing Events
- [Adapt] Fixed: JSONDecodeError WEBAUTHN Event
- [Adapt] Fixed: JSON Parsing: investigate and solve AttributeError
[Platform] Ops Tasks
- [Platform] Deploy latest 9.5 image for EOG
- [Platform] Enable Adapt signals for EOG tenants

Enhancements

[Adapt] Push is treated as an allowed authenticator under the Login Limits policy if QR is configured
[Control Center] During upgrade, uaftxn expiration loop defenses
[Passwordless for Windows; Platform; Keycloak] Desktop SSO: Remove "Logging in just got easier" screen from Keycloak
[Passwordless for Windows] De-registration success text can be customized
[Passwordless for Windows] Remove Desktop SSO "success" notification
[Passwordless for Windows; API] Include Passwordless activity in smartkey/checksettings request payload

Bug Fixes

[Affirm] Fixed: Flows with no configured rpAppId using custom directory source data Events are not making it to the Audit Trail

9.6.0 - GA 2024-10-01

New Features and Feature Changes

[Adapt] UI (Phase 4)
- [Adapt] Adapt Unavailable feedback: Display a warning message that for all the users Authentication would be blocked
- [Adapt] Allow user to change time period of Signal Handler metrics
- [Adapt] Custom policy secret values instructions are missing
- [Adapt] Dedicated Signal Search UI
- [Adapt] Set icons for Signal Handler templates
- [Adapt] Signal Handler metrics overview
- [Adapt] Update RP App Policy assignment table
[Affirm] Custom Workflow Enhancements and Management in UI
- [Affirm] Custom Outcome if denied
- [Affirm] Connect between custom user directory/SMS/Email and the rpApp selection in the UI
- [Affirm] Connect between the OIDC and the Requester/Approver in the UI
[All HYPR] UX/UI Auxiliary I
- [All HYPR] UI Accessibility Checklist
- [Control Center] Update Control Center UI Gitlab README

Enhancements

[Adapt] Add Signal Handler tests
[Adapt] Crowdstrike Inbound Webhook: Need 2 HMAC keys for both the Signal Handler and test Event to work
[Adapt] Risk Reports: Replace policyID column name to policyName
[Adapt] Signal Handlers Test tab: rename the ‘Test’ tab and disable the Code tab; but still show the code for 'Builtin' type
[Adapt] Signal Handlers: Add templates for Event Enricher
[Affirm] Upgrade to the latest OnFIDO
[Control Center] Create device registration notification enablement
[Control Center] Custom Branding: Adjust Logo and Background section to contain toggles that enable/disable branding by product
[Control Center] Device Manager: Unauthorized DELETE call
[Control Center] Inline Registration: create Enablement
[Control Center] Send an email when a user create/pair new device
[Control Center - Integrations] Entra EAM: Username should be pre-populated
[Passwordless for macOS] Add extra logging to detect TouchID usage from OS before displaying unlock dialog
[Passwordless for Windows] HYPR IE SmartCard Hook not provide type of the card
[Passwordless for Windows] Password Prompt Removal for Windows - PoC/Alpha
[Platform - Keycloak] Custom migration for existing tenant to move Azure integration to use the new Keycloak SAML flow/authenticators
[SDKs for Android and iOS] Mobile SDK Size Reduction

Bug Fixes

[Adapt] Fixed: Risk Reports Events are not sorted by eventTimeInUTC column
[Affirm] Fixed: Escalation approver should not have automated approver as an option
[Control Center] Fixed: Settings user table alignment on username and email are misaligned, higher than the others
[Mobile App for Android] Fixed: Enterprise Passkey: Android stops issuing the /deviceapi/fido2/receive calls on trying to register Security key again after de-registering previous Entra pairing
[Mobile App for Android] Fixed: Transaction Flow Fails to Render Activity Screen
[Passwordless for macOS] Fixed: Failed to contact Certificate Authority if user is accessing a shared folder
[Passwordless for macOS] Fixed: QR Fallback: rpApp name is cut on Passwordless dialog if tenant name is too long
[Platform - Keycloak] Fixed: Select your login page ^ covers text on screen while hovering over the HYPR Mobile App

9.5.0 - GA 2024-09-12

New Features and Feature Changes

[Adapt] Crowdstrike - Beta
- [Control Center - Integrations] Create Adapt Policy for Crowdstrike
- [Control Center - Integrations] Create Tests for Crowdstrike Service
- [Control Center - Integrations; Adapt] Improve Crowdstrike Policies description, policy evaluation messages
- [Control Center - Integrations; API] Create Service for Crowdstrike API
- Bug Fixes:
  - [Adapt] CrowdStrike and Okta Signal Handlers: Name update and parsing error in handler code
  - [Adapt] Crowdstrike ZTA policy: Workstation Unlock fails as there is no ZTA score retrieved
  - [Adapt] CrowdStrike ZTA policy doesn't fail if the score threshold difference is '0.5'
  - [Adapt; API] Crowdstrike Policies: CrowdStrike API field is not secret and API calls fail if the field is made as a secret
  - [Platform - Vault; Adapt] Adapt webhook fails because 'hypr.cc.crowdStrikeWebHookKey' gets removed after updating the Control Center image
[Adapt] Policy and Signal Handler UI (Phase 3)
- [Adapt] Policies: Add Support For Managing Policy Assignments in Policy Configuration
- [Adapt] Policies: Create Test Pane for Built-in Policies
- [Adapt] Policies: Update Creation Flow
- [Adapt] Policies: Update Table View
- [Adapt] Risk policy and Signal Handlers: Add 'Date created' column
- [Adapt] Signal Handlers: Scroll not visible, View logs button name change, add handler type info
- [Adapt] Signal Handlers: Test Tab: In the Sample Signal dropdown, the first item in the dropdown should be selected by default
- [Adapt] Signal Handlers, Policies: Replace 'Event' with 'Signal'
- [Adapt] Signal Handlers: Add Invocation Metrics
- [Adapt] Signal Handlers: Add Status Badge to Configuration Page
- [Adapt] Signal Handlers: Add templates for Action Executor type
- [Adapt] Signal Handlers: Add Versioning Support
- [Adapt] Signal Handlers: Rename "Event Handlers" to "Signal Handlers"
- [Adapt] Signal Handlers: Test data should match the test data from signal handler template
- [Adapt] Signal Handlers: Test tab 'Send Event' button
- [Adapt] Signal Handlers: Update Code Pane
- [Adapt] Signal Handlers: Update Creation Flow
- [Adapt] Signal Handlers: Update Table View
- [Adapt] UI Post Product Review Fixes
- [Adapt] UI Technical debt
- [Adapt] Update Landing Page
- [Adapt; API] Signal Handlers: API to support UI changes
- [Adapt; Documentation] Create articles for Signal Handlers and Risk Policy templates
- Bug Fixes:
  - [Adapt] Fixed: Data collector Signal Handler gets invoked as per cron schedule but doesn't execute the code
  - [Adapt] Fixed: Signal Handlers: Add documentation for Signal handlers
  - [Adapt] Fixed: Signal Handlers: AWS ARN info is displayed in the logs
  - [Adapt] Fixed: Signal Handlers: BUILT_IN_SAVE_EV_HANDLER doesn't always execute if one of the handler executions fails
  - [Adapt] Fixed: Signal Handlers: Configuration fields are missing
  - [Adapt] Fixed: Signal Handlers: Cron schedule link broken and Control Center logs issue
  - [Adapt] Fixed: Signal Handlers: Error logs are not shown on the UI
  - [Adapt] Fixed: Signal Handlers: Existing Signal Enricher handler is getting executed when it is not expected
  - [Adapt] Fixed: Signal Handlers: New signal handlers gets executed in regular intervals even though there is no cron schedule set
  - [Adapt] Fixed: Signal Handlers: Some of the handlers take longer than 6s and don't get processed
  - [Adapt] Fixed: Signal Handlers: The clear assignments pop-up is not responsive
  - [Adapt] Fixed: Signal Handlers: User unfriendly error message is displayed when there is no data
  - [Adapt] Fixed: UI Code Editing Broken
  - [Adapt; Documentation] Fixed: Welcome screen: Create policy documentation link is broken
[Affirm] Outcome: Microsoft Verified ID
- [Affirm] Add Outcome for Microsoft Verified ID
[Affirm] Improvements on the way to GA
- [Affirm] Add message to Requester to tell them the continue button has become available
- [Affirm] Add padding to inputs to have better visibility
- [Affirm] Adjust padding in the phone number verification screen in input field to improve visibility
- [Affirm] Align behavior of custom user directory source and standard integration user lookup when 4xx or 5xx
- [Affirm] Change login-id endpoint and FTL template
- [Affirm] Chat input text message field should be the same height as video/send buttons
- [Affirm] Chat window is wider than other windows this should match the rest of the screen
- [Affirm] Check over and make sure the examples for code customizations are correct JS
- [Affirm] Code customizations, optimize Requester/Approver lookups
- [Affirm] Display flow id in the flow UI
- [Affirm] Event for workflow escalation
- [Affirm] Icon missing on Approver screens
- [Affirm] Implement chat escalation process for OnFido IDV failure cases in the verification flow
- [Affirm] Improve error handling in code customization calls
- [Affirm] Make buttons feel more responsive when clicked
- [Affirm] OIDC and other advanced settings UI improvement adding ID
- [Affirm] OnFIDO background is currently blue, change it to white to match the rest of the flow
- [Affirm] Remove Twilio chat and video dependencies from Photo ID and Liveness
- [Affirm] Requester timeout on chat
- [Affirm] Text code message is out of the text block shorten the message.
- [Affirm] Text sizes and fonts for all screens
- [Affirm] UX: Change size of model to better match OnFIDO
- [Affirm] UX: Long Processing
- [Affirm] UX: No user knowledge that the record button has done anything or is attempting to get the image captured
- [Affirm] UX: When a new Approver joins the chat there is no feedback to the Requester that the Approver has changed
- [Affirm; API] Fix Affirm APIs in Arch tests
- [Affirm; Documentation] Article on error handling for code customizations; custom user directory source (no record found, generic error)
- [Affirm; Documentation] Broken Links in the Affirm configuration UI
- [Affirm; Events] Add user role field to Affirm Events
- Bug Fixes:
  - [Affirm] Fixed: Activity Log type says recovery when initiated by the API
  - [Affirm] Fixed: Client secret is not hidden on OIDC settings
  - [Affirm] Fixed: Custom Branding: Large icons cause buttons to break out of the model
  - [Affirm] Fixed: Data mismatch on Activity Log for Approver when secondary Approver approves
  - [Affirm] Fixed: Duplicated records in idv_user_info table when both Approvers and escalation Approvers contain MANAGER or the same SOMEONE_ELSE email
  - [Affirm] Fixed: Escalation Approvers/Approvers are overlapping each other (no distinguishing between Approver being regular/escalated one in idv_user_info table)
  - [Affirm] Fixed: Buttons in both Requester and Approver flow
  - [Affirm] Fixed: Multiple entries in the Activity Log caused by showing a entry per Approver in the Activity Log
  - [Affirm] Fixed: No Approvers were found on workflow error
  - [Affirm] Fixed: When liveness check fails and you are sent to chat escalation the Approver report card does not show the face capture
  - [Affirm; Documentation; API] Fixed: API doc content-type: application/json is missing in all GET requests in Postman JSON
[Affirm] Q4 2024 Integrations and Bug Fixes and Unplanned Work
- [Affirm] Cost tracking details for OnFIDO
- [Affirm] Add dynamic Approvers in the create single user flow API
- Bug Fixes:
  - [Affirm] Fixed: Duplicate workflowId on Approver better error messages and logging
  - [Affirm] Fixed: OIDC for Requester stuck on blank page
  - [Affirm] Fixed: Affirm selfie match going full screen on mobile devices during regression.
  - [Affirm] Fixed: Azure incorrect email error showing incorrect error message
  - [Affirm] Fixed: Adding long strings to the chat
  - [Affirm] Fixed: If time for Approvers is over 10 minutes throw an error on the front end since we now have a 10 minute timeout
[Affirm; Events] Reporting (Enhance reporting features or capabilities, including support for collection of metrics); Event Alignment
- [Affirm; Events] AFFIRM_WORKFLOW_CONFIGURATION_CHANGED Event
- [Affirm; Events] AFFIRM_WORKFLOW_IDV_FINISH Event
- [Affirm; Events] AFFIRM_WORKFLOW_IDV_START Event
- [Affirm; Events] AFFIRM_WORKFLOW_PHONE_NUMBER_ENTERED Event
- [Affirm; Events] APPROVER ACCEPTED INVITE Event
- [Affirm; Events] DOCUMENT UPLOAD Event; photo ID liveness
- [Affirm; Events] OUTCOME TYPE Event
- [Affirm; Events] PARITY API/UI FLOW EDITING Events
- [Affirm; Events] USER STARTS FLOW Event
- [Affirm; Events] VIDEO Event
[Affirm; Control Center] Branding and Customization
- [Affirm] Custom Branding for the Control Center UI
- [Affirm] Custom Branding: Custom Icon - custom icon should be correctly scaled on affirm flows
- [Affirm] Custom Branding: Support custom background URL
- [Control Center] Backend: Device Manager Section
- [Control Center] UI: Device Manager Section
- Bug Fixes:
  - [Affirm] Fixed: Custom Branding: Background color missing # on Hex while parsing to Affirm
  - [Affirm] Fixed: Custom Branding: Background color not accepting HEX characters A-F
  - [Affirm] Fixed: Custom Branding: Background needs to be background; not model background
  - [Affirm] Fixed: Custom Branding: Box sizes are not responsive and can cut off links
  - [Affirm] Fixed: Custom Branding: Hexadecimal color character counter warns when a letter is in the value, and fails to save when there is no warning message
  - [Affirm] Fixed: Custom Branding: Preview for company logo not displaying uploaded image
  - [Affirm] Fixed: Custom Branding: Save buttons in Control Center Settings Custom Branding don't save; Image Upload fails
  - [Affirm] Fixed: Custom Branding: Saving causes 400 on image end point without adding an image
  - [Affirm] Fixed: Custom Branding: When saving logo or background Hex in Control Center the Save button spins
[All HYPR} Single Registration: Web-to-workstation Enhancements - Offline PINs
- [Mobile App for Android] Process signingCert in OfflineAccess object for web registration flow
- Bug Fixes:
  - [Passwordless for macOS] Fixed: Workstation-to-web: Mobile App for Android crashes when unlocking machine after use of Offline PIN
  - [Passwordless for macOS] Fixed: Workstation-to-web: Mobile App for iOS crashes when unlocking machine after use of Offline PIN
[All HYPR] Support native camera QR Code scan via dynamic short links - Beta
- [Control Center] Support Parsing Dynamic Link
- [Mobile App for Android] Support Parsing Dynamic Link
- [Mobile App for iOS] Support Parsing Dynamic Link
[Control Center - Integrations] Entra External Authentication Methods (EAM) Integration [Beta]
- [Control Center - Integrations] Entra EAM: Create feature enablement
- [Control Center - Integrations] Entra EAM: Entra Integration backend; User Management
- [Control Center - Integrations] Entra EAM: Fix integration UI
- [Control Center - Integrations] Entra EAM: Integration backend; Entra artifacts
- [Control Center - Integrations; Documentation] Entra EAM Integration
- [Control Center - Integrations; Events] Entra EAM: Add EAM value to integrationType field in Event logs
- [Control Center - Integrations; Platform - Keycloak] Entra EAM: Entra integration backend; Keycloak artifacts
[Control Center - Integrations] HYPR Enterprise Passkey: Entra ID FIDO2 Provisioning APIs - Beta
- [Documentation] Provisioning API flow
- [Mobile App for Android] Provisioning API UI Updates
- [Mobile App for iOS] Provisioning API UI Updates
- [Passwordless for Windows] Provisioining API UI Updates
- Bug Fixes:
  - [Mobile App for Android] Fixed: Link to Entra Pairing documentation is broken
  - [Mobile App for iOS] Fixed: Link to Entra Pairing documentation is broken
  - [Mobile App for iOS] Fixed: Link to Entra Pairing documentation is broken (again)
  - [Passwordless for Windows] Fixed: Entra Enterprise Passkey pairing prompted for Local/Non-Hybrid AD accounts fails with an error
  - [Passwordless for Windows] Fixed: Entra Enterprise Passkey: Local/Non-Hybrid AD Accounts has 'pairing incomplete/Not fully paired' link, which triggers Entra pairing flow
  - [Passwordless for Windows] Fixed: Entra Enterprise Passkey: Mobile device logo is missing within the mobile device image on the Passkey naming screen
  - [Passwordless for Windows] Fixed: Entra Enterprise Passkey: System restart prompted to complete HID minidriver FIDO key setup
[Control Center - Integrations] HYPR Enterprise Passkey: FIDO2 Gateway Fallback - 3
- [Control Center - Integrations] Add Observability AT Events
- [Control Center - Integrations] Sync TraceId across Observability Flow
- [Documentation] FIDO2 Gateway articles
- [Mobile App for Android] Add Observability AT Events
- [Mobile App for Android] Add Roaming Capabilities to EPK with Gateway
- [Mobile App for Android] Sync TraceId across Observability Flow
- [Mobile App for Android] Update feature logic for transports
- [Mobile App for Android] Update feature UI for transports
- [Mobile App for iOS] Add Observability AT Events
- [Mobile App for iOS] Add Roaming Capabilities to EPK with Gateway
- [Mobile App for iOS] Sync TraceId across Observability Flow
- [Mobile App for iOS] Update feature logic for transports
- [Mobile App for iOS] Update feature UI for transports
- [Mobile App for iOS] Update FIDO2 Observability Audit Trail Event
- [Passwordless for Windows] Add Observability AT Events
- [Passwordless for Windows] Sync TraceId across Observability Flow
- Bug Fixes:
  - [Mobile App for Android] Fixed: Enterprise Passkey FIDO2 Gateway: Advertise request does not restart on deleting one of the registered Workstation
  - [Mobile App for Android] Fixed: Incorrect traceId in the advertise request on registering second workstation with same rpApp
[Mobile App - Both] Single Registration: Conditional Enrollment
- [Mobile App for Android] Conditional Enrollment: Add enablement and hide the Pending bubble
- [Mobile App for Android] Conditional Enrollment: Parse QR field and send it back to the server
- [Mobile App for iOS] Conditional Enrollment: Add enablement and hide the Pending bubble
- [Mobile App for iOS] Conditional Enrollment: Parse QR field and send it back to the server
[Passwordless for Windows] (PUK) Security Device Unlock Code Support
- [Passwordless for Windows] Create stable serial number for Feitian keys
- [Passwordless for Windows] Implement PUK support (internal bits)
- [Documentation] Security Key PUK support in HYPR Passwordless UI
[Platform - Keycloak] Q3 2024 Authenticator Modules
- [Platform - Keycloak] Allow new Azure integration to use the new Keycloak SAML flow/authenticators

Enhancements

[Adapt; Affirm] Hardening/Beta
[Adapt; Documentation] Add intro in the Signal Handlers page
[Adapt] Control Center Events to consume the PolicyName returned by Risk Engine
[Adapt] Multiple Entities in Policy
[Adapt] Risk Reports: After a 30-minute timeout, the session doesn't get automatically refreshed
[Affirm] Embed Dashboard in Control Center
[Affirm] Make idv-card CSS class expandable and adjustable to screen size, so that it fits its content nicely
[Affirm] Make OnFIDO screen borders look the same as rest of the Affirm Verification Flow
[Affirm] QuickSight Dashboard
[Affirm; API] Add Code Customization API descriptions to Affirm API docs
[All HYPR] Americans with Disabilities Act Fixes
[All HYPR] Remove Dinot font
[All HYPR] Single Registration Multi-Domain Enrollment
[API] API /info calls should not call Redis
[Control Center] Dashboard Enhancements
[Control Center] Firebase SDK: Update UI to allow uploading multiple
[Control Center] Remove legacy Analytics Dashboard (Google React charts) in all environments
[Control Center] User Manager Role access denied to workstations
[Control Center - Integrations] HYPR Enterprise Passkey - Generic Control Center Integration - II
[Documentation] Entra ID Docs: Replace internal domain with something more generic
[Documentation] Firebase Admin SDK setup articles
[Documentation] New/removed Analytics Dashboards
[Documentation] Substitute tiny URLs for embedded UI links to docs; maybe also to external sources
[Documentation] Update Compatibility Matrix article
[Mobile App for Android; Documentation] Fix deprecated links
[Mobile App for Android; Events] WS_AUTH_COMPLETED logging wrong traceID
[Mobile App for Android] Notification icon update
[Mobile App for Android] Single Registration: Allow white label flow
[Mobile App for iOS] FIDO2 Re-Enable WiFi and BLE
[Mobile App for iOS] Remove profiles on Mobile App first launch
[Passwordless - Both] Q3 2024 Passwordless UI improvements
[Passwordless for macOS] Reduce the time occurring between sending Passwordless to the Trash and uninstalling the product
[Passwordless for Windows] Update bundled YubiKey mini-driver to version 4.6.3
[Passwordless for Windows] YubiKey Bio MPE verbiage improvements
[Platform - Database] Startup error after upgrade to 9.1.0
[Platform - Keycloak] Add Vault entry for Keycloak k8s service address to remove NAT GW IPs in allowlist
[Platform - Keycloak] Improve multi-user messaging
[Platform - Keycloak] Perfomance tuning Phase 2
[Platform - Keycloak] Upgrade to 24.0.3
[SDK for FIDO2] Security Audit

Bug Fixes

[Adapt] Fixed: All the evaluation points are not getting invoked in the authentication flow
[Adapt] Fixed: Monitor authentication policy not blocking after FIDO2 failures
[Adapt] Fixed: Upon a cold start of a tenant, Create Policy shows blank page
[Adapt] Fixed: User is not getting blocked when FIDO2 failure threshold is crossed
[Affirm] Fixed: OnFIDO break with retention policy change
[Affirm] Fixed: Photo ID liveness takes a second to load but the buttons render immediately
[Control Center] Fixed: Access Token: When Affirm is not enabled and a user tries to generate an access token with Affirm scope, no user-friendly log message
[Control Center] Fixed: Missing HYPR Logo and color scheme
[Control Center] Fixed: Optimized payload missing Asynchronous Registration in RP App features
[Control Center - Integrations] Fixed: ADFS Plugin: When authentication is denied, no message is shown to user
[Control Center - Integrations] Fixed: Generic OIDC: Correct the reference to BeyondTrust
[Control Center - Integrations] Fixed: Okta: Broken UI Link in Okta Integration
[Control Center - Integrations] Fixed: Okta: Email field is set to "N/A" under user management in advanced mode
[Control Center - Integrations] Fixed: Okta: If two users have the same email, the Enrollment drawer doesn't behave correctly when users clicks 'send email' for either user
[Control Center - Integrations] Fixed: Okta: NullPointerException after generating a Magic Link
[Events] Fixed: EventRequestObject.kt shows incorrect Event labels for Keycloak brute force Events
[Mobile App - Both] Fixed: Single Registration: Workstation-to-web: "Add Linked Workstation" button is longer on iOS than on Android
[Mobile App - Both; API] Fixed: Mobile unable to perform the right action(lock/unlock) as /rp/versioned/device/query/ws/status is returning 302
[Mobile App for Android] Fixed: FIDO2 Gateway Roaming: Delay observed during login to workstation by scanning the QR on credential provider
[Mobile App for Android] Fixed: FIDO2 Gateway: traceID is empty in the mobile gateway request headers
[Mobile App for Android] Fixed: Shortcut to unlock workstation crashes the app
[Mobile App for Android] Fixed: Singe Registration: Web-to-workstation: When we enable TalkBack, we can't manually trigger a push
[Mobile App for Android] Fixed: Single Registration: Web-to-workstation: App is unresponsive when we trigger a push to receive a certificate
[Mobile App for Android] Fixed: Single Registration: Web-to-workstation: When deleting web account, we see text hidden
[Mobile App for iOS; Passwordless for Windows] Fixed: White label in hypr.json and tenant ID for Device Manager link doesn't start Desktop SSO
[Mobile App for iOS] Fixed: Single Registration: Deleting pairings from Device Manager doesn't remove the accounts on the Mobile App
[Mobile App for iOS] Fixed: Single Registration: Workstation-to-web: Clicking "Add Linked Workstation" when the certificate is not ready generates an error
[Mobile App for iOS] Fixed: Single Registration: Workstation-to-web: We see Offline PINs as an option even though successful online unlock wasn't made
[Mobile App for iOS] Fixed: Single Registration: Workstation-to-web: When pairing is deleted from app, we see number of accounts as 1 on list
[Passwordless for Windows] Fixed: Intermittent issue: Enterprise Passkey: Azure Provisioning API: FIDO2 security key creation fails with a fault exception
[Passwordless for Windows] Fixed: QR Fallback application name is cut on Passwordless if tenant name is too long
[Platform - Database] Fixed: Remove "barcode" properties in the document report in the DB
[Platform - Keycloak] Fixed: Keycloak 9.5 fails the Datadog health check

9.3.2 - Patch 2024-08-23

Enhancements

[All HYPR] Remove dinot font
[API] Switch check settings request justVerifySerialNumber to justValidateSerialNumber
[Mobile App for iOS; SDK for iOS] Customer TrustKit
[Passwordless for Windows] Create 9.1.3 and 9.3.2 hotfix releases to pick up YubiKey mini-driver 4.6.3

Bug Fixes

[Platform - Keycloak; Control Center] Fixed: Control Center to Keycloak HttpClient issues

9.3.1 - Patch 2024-08-07

Enhancements

[Control Center] Custom Branding: No flow to delete custom icon
[Control Center - Integrations] HYPR Enterprise Passkey: Entra ID FIDO2 Provisioning APIs - Alpha
[Documentation; Events; Errors] Security Key PUK support Events and Error codes
[Mobile App for Android] Fix timing issue on startup
[Mobile App for Android] Single Registration: Add possibility to add multiple workstations even if one is already present
[Mobile App for Android; Documentation] Fix dead links
[Passwordless for Windows] Incorporate visual indicator that there's a timed process
[Platform - Keycloak] Keycloak is displaying the old favicon; update to current favicon for Mobile App

Bug Fixes

[Affirm] Fixed: Font differences between web and mobile UI
[Affirm] Fixed: OnFIDO breaks with retention policy change
[Control Center - Integrations] Fixed: Remove client secrets from server's response
[Control Center] Fixed: Custom branding boxes should be matched in size for icon and background
[Control Center] Fixed: Sanitize logs for Firebase
[Mobile App for iOS] Fixed: Single Registration: Web-to-workstation: Two computer bubbles appear in iOS after pairing
[Passwordless for Windows; Documentation] Fixed: Link to Entra pairing documentation is broken
[Platform - Keycloak; Control Center] Fixed: Audit Trail: Keycloak Events are not getting generated

9.4.0 - GA 2024-07-24

New Features and Feature Changes

[Adapt; Affirm] Hardening/Beta
- [Affirm] Test out new Affirm redirect for viability
- Bug Fixes:
  - [Affirm] Fixed: Affirm module is not added to HYPR authenticator after upgrade to 9.3
[Adapt; API] Protection for Signals Endpoint
- [API] Add JWKS endpoint support for verifying JWT
- [Adapt; API; Events] Third-party Event ingestion API for Adapt
- [Adapt; API] OAuth credentials: Test button to check if the JWKS endpoint is a valid endpoint
- [Adapt; API] OAuth credentials: Test button to check if the JWKS endpoint is a valid endpoint
- [Control Center; API] Access Token scopes such as Adapt and Affirm should be enabled only if respective features are enabled
- Bug Fixes:
  - [Control Center; API] Fixed: Access Tokens: Affirm endpoints throw 500 Internal server error with non-affirm related tokens
  - [Control Center; API] Fixed: Access Token Scopes: Few Endpoints can be accessed with wrong permissions
  - [Control Center; API] Fixed: Access Tokens: ADAPT_WRITE_POLICY, HYPR_CC_APPLICATIONS token works for ADAPT_TEST_POLICY
[Mobile App for Android] Feature Enablement Performance
- [Control Center] Feature Enablement performance SSL path
- [Mobile App for Android] Update Feature Enablement API call to specify features
- [API] etag not refreshing for settings API call
[SDK for FIDO2] Design, Code
- [SDK for FIDO2] Create centralized repository for source code
[SDK for FIDO2] FIDO2 Javascript SDK II Implementation
- [SDK for FIDO2; Control Center] Update SDK code in Control Center
- [SDK for FIDO2; Platform - Keycloak] Update SDK code in Keycloak
- [SDK for FIDO2] Update SDK code in Sample Web App
- [SDK for FIDO2] Publish to public NPM registry
- [SDK for FIDO2] Setup Artifactory Deployment
- [SDK for FIDO2; Documentation] Update Public Documentation

Enhancements

[Adapt] Analytics Dashboards
[Adapt] Custom Policy: Secret values should be redacted from the UI and logs just like Event Handlers
[Adapt] Signal Handlers: Default 'Test action event' JSON improvements
[Affirm ] Control Center Branding and Customization
[All HYPR] Q2 Authenticate Application Security Items
[API] Returning nodeCount instead of result of publish; device/wfa/status doesn't work on cluster
[Control Center] Add Perf Timestamps where missing
[Control Center] Identity Assurance Dashboard Alpha (Prod)
[Control Center] Add IP address to "New device added" email
[Events] Populate Event Tags where they are null for Control Center Events
[Passwordless - Both] Adjust Workstation Unlock to include optional Workstation Signal field
[Passwordless for macOS] Investigate Improving Login Speed
[Passwordless for Windows] Update Enrollment Service to operate in multi-domain forest
[Platform] Allow starting hypr.rp.haasMode without Vault

Bug Fixes

[Adapt] Fixed: Policy assignment for Pre/post-integration Evaluation points 'Adapt Unavailable Fallback' value is not getting saved
[Adapt] Fixed: Policy assignment: 'Adapt unavailable' selected option is not getting saved properly
[Adapt] Fixed: Server is saving duplicate signals with when Send Workstation Signals is enabled
[Adapt] Fixed: When Adapt is enabled, 'Pre HYPR Integration' expects the policy to be assigned, or else Desktop SSO fails
[Adapt] Fixed: Workstation authentication policy assignment 'Adapt Unavailable Fallback' value is not getting saved
[Adapt; Affirm] Fixed: Combined policy 'Affirm Verification Flow ID' description is missing and the default value is - [object Object]
[Affirm] Fixed: OnFIDO break with retention policy change
[All HYPR] Fixed: Single Registration: Web-to-workstation: Deleting user devices from Control Center doesn't delete the pairing from devices
[API] Fixed: DELETE "${SERVER_URL}/cc/api/fido/facet" doesn't return valid JSON response
[Control Center] Fixed: Support Access: Email not wrapping on delete on popup modal
[Control Center; API] Fixed: Firewall: Swagger is getting blocked with 400 error
[Control Center - Integrations] Fixed: Entra ID External Authentication Method PoC
[Control Center - Integrations] Fixed: Google Workspace: Can't add integration
[Passwordless for Windows] Fixed: HyprLibFido2.dll version number isn't being updated
[Passwordless for Windows] Fixed: Link to Entra Pairing documentation is broken

9.3.0 - GA 2024-07-17

New Features and Feature Changes

[Adapt] Implement Adapt for Workstation - Alpha
- [Adapt] Passwordless Signals: Server to handle the client signal sent with 'client/authorize/unlock' request
- Bug Fixes:
  - [Adapt] Fixed: Passwordless Signals: SQL Exceptions are encountered whenever client signals are generated
  - [Adapt] Fixed: Passwordless authentication policy fails even when the client signal has relevant network name
  - [Adapt] Fixed: Consecutive client signals don't make it to Dynamo database
  - [Adapt] Fixed: Workstation authentication PRE_WORKSTATION_UNLOCK evaluation point doesn't get invoked before the FIDO request
  - [Adapt] Fixed: macOS signals are not getting saved in Dynamo database
  - [Adapt] Fixed: Workstation authentication POST_FIDO_AUTH evaluation point failure causes failed unlock
  - [Adapt] Fixed: Workstation authentication PRE_FIDO_AUTH evaluation point is not invoked
  - [Adapt] Fixed: Workstation authentication policy is getting evaluated twice for the POST_WORKSTATION_UNLOCK evaluation point
  - [Adapt] Fixed: Workstation authentication policy does not match the exact network name and allows unlock to pass
[Adapt] Leverage Affirm for re-verification POV1
- [Adapt] Make Adapt + Affirm integration policy as a template
- [Adapt] Policy with template 'Affirm/Adapt Integration' throws error on configuration page
- [Platform - KeyCloak] UX for Adapt + Affirm integration
[Adapt] Q2 Authenticate Signals Updates
- [Passwordless for macOS] Include system and CrowdStrike ID information in device signal
- [Passwordless for macOS] Signals: During unlock flow, send system, network, and location info
- Bug Fixes:
  - [API; Passwordless - Both] Fixed: Client signals are sent after rp/wsapi/client/authorization/complete instead of /rp/wsapi/client/authorize/unlock
  - [Passwordless - Both] Fixed: Network information is of String datatype instead of JSON object
[Adapt] Risk Policy Improvements I - Alpha
- [Adapt] UI/UX Feedback Part 2
- [Adapt] Custom policy page UX feedback Phase 2
- Bug Fixes
  - [Adapt] Fixed: Policy config page: Duplicates: /cc/ui/application and /cc/ui/appconfig/adapt
[Adapt] Risk Policy Visual Reporting Tool
- [Adapt] Risk Reports: Make Event date and timestamp match with the actual timestamp
- [Adapt] Risk Reports: Sort Policy evaluations Events table using eventTimeInUTC column
- [Adapt] Risk Reports: Policy evaluation should match the Audit Trail message
- Bug Fixes:
  - [Adapt] Fixed: Risk Reports: Minor UI issues
  - [Adapt] Fixed: Risk Reports: Tenant data for adaptreleaseint is not available for reports
  - [Adapt] Fixed: Risk Reports: The latest Policy Evaluation Data is not visible in the report; i.e., auto-refresh is not happening
  - [Adapt] Fixed: Risk Reports: Workstation authentication evaluation points are getting classified as Unknown
[Affirm] Control Center Branding and Customization for Affirm
- [Affirm] White labels, logo, and background
- [Affirm] Hide the new UI while we are building it
- [Affirm] Company Identity section
- [Affirm] Logo and Background section
- [Affirm] Backend Logo and Background section
[Affirm] Enhancements
- [Affirm] Ability to add multiple Approvers with progressive logic
- [Affirm] Ability to add multiple Approvers with progressive logic
- [Affirm] Add extension for Send Email; Customization Tab
- [Affirm] Add extension for SMS; Customization Tab
- [Affirm] Add Polyglot JS extension for User Lookup
- [Affirm] Add Polyglot JS extension for User Lookup
- [Affirm] Affirm flow status on cc = disabled, User can still complete affirm flow
- [Affirm] Approver attestation comment modal redesign
- [Affirm] Approver attestation screen redesign
- [Affirm] Approver final approval status screen redesign
- [Affirm] Approver pre-chat summary screen redesign
- [Affirm] Approver summary screen redesign
- [Affirm] Authenticate Approver
- [Affirm] Authenticate Approver configuration changes
- [Affirm] Chat screen redesign
- [Affirm] Enable application screen redesign
- [Affirm] Extension (SMS/Email) backend/API support
- [Affirm] Failure cases not beng handled gracefully by document-upload
- [Affirm] Fix web UI to be more consistent based on an agreed design
- [Affirm] Granular scopes (read and read/write) for CodeCustomizationController
- [Affirm] If reference image exists, skip document upload in Photo ID and Liveness
- [Affirm] Invalid link screen redesign
- [Affirm] Make Activity Log match the steps we have
- [Affirm] New users should be taken to Onboarding flow while existing users should be taken to the index page (current behavior)
- [Affirm] Password reset flow for okta
- [Affirm] Upgrade screen redesign
- [Affirm; Documentation] Affirm Ccontrol Center UI documentation
- [Affirm; Documentation] Affirm Web UI documentation
- [Affirm; Documentation; API] Affirm public API documentation
- Bug Fixes:
  - [Affirm] Fixed: After Approver leaves video call to approve the video remains but is frozen
  - [Affirm] Fixed: Faces do not match redo/retry button does not render correctly
  - [Affirm] Fixed: If Requester is in video before Approver the Approver cannot see the Requester in the video
  - [Affirm] Fixed: Name comparison status not showing results if results is consider
[Affirm] Improvements
- [Affirm] PKCE client secret issue
- [Affirm] Redirect URL can be dynamic in outcome type
- [Affirm] Rename escalateAfterMinutes for Approver field to reduce confusion with new escalate flow
- [Affirm] Update documentation for Okta Password Reset
- Bug Fixes:
  - [Affirm] Fixed: Affirm not pulling phone number from Azure correctly on Approver
  - [Affirm] Fixed: Error message causes button to escape highlighted box
  - [Affirm] Fixed: Three texts and three emails during Affirm flow
  - [Affirm] Fixed: Brute force detection on SMS needs better messaging to user
[All HYPR] Q2 Application Security Items
- [Control Center] Prevent rpUser update
- [API] Restrict user role access
- [Mobile App for iOS] Verify RP's response before attempting registration
[All HYPR] Single Registration: Workstation-to-web re-register/deregister cases
- [All HYPR] Single Registration: Workstation-to-web: User has to delete HYPR Mobile App for iOS during re-registration to see the web account
- [All HYPR] Single Registration: Workstation-to-web: Removal of pairing from Device Manager doesn't reflect on the Mobile App
- [All HYPR] Single Registration: Workstation-to-web: Deletion of user from Control Center doesn't remove pairings from Mobile
- [All HYPR] Single Registration: Workstation-to-web: User has to delete the HYPR Mobile App for Android during re-registration to see the web account
[All HYPR] Single Registration: Web-to-workstation: Deregistration/Re-enroll
- [All HYPR] Single Registration: Deregistration of one pairing should remove all associated pairing entries
- [Mobile App for iOS] Implement Single Registration on iOS Mobile app
- [Mobile App for Android] Single Registration: Web-to-workstation: Remove VDI when deregistering a workstation, to remove certificate from device
- Bug Fixes:
  - [All HYPR] Single Registration: Web-to-workstation: Deletion of web account doesn't always delete corresponding computer bubble on iOS
[API] (PUK) Security device unlock code support
- [Control Center] Server side for PIN PUK support
[Control Center] FIDO2: FacetID Management, Validation, Compatibility
- [Mobile App for iOS] Existing registrations cannot authenticate if FIDO Allowlist Facets is enabled afterward
- [Mobile App for Android] Existing registrations cannot authenticate if FIDO Allowlist Facets is enabled afterward
[Control Center] Fingerprint JS hosted
- [Control Center] Host Fingerprinting JS script
- [Passwordless - Both] Pass traceId into Desktop SSO link for Passwordless
- Bug Fixes:
  - [Control Center] Fixed: Two traceIds are created for authentication
[Control Center - Integrations] HYPR Enterprise Passkey: FIDO2 Gateway Fallback - 2
- [Control Center - Integrations] Backend: Expose BLE and WiFi transport options for Enterprise Passkey configuration
- [Control Center - Integrations] UX: Expose BLE and WiFi transport options for Enterprise Passkey configuration
[Control Center - Integrations; API] HYPR Enterprise Passkey: Entra ID FIDO2 Provisioning APIs - Alpha
- [Control Center - Integrations; API] Entra Provisioning API toggle in Control Center
- [Control Center - Integrations; API] Entra: Create the Provisioning API
- [Control Center - Integrations; API] Entra: Create endpoint for the Provisioning API
[Control Center - Integrations; Mobile App for Android] HYPR Enterprise Passkey: FIDO2 Gateway Fallback - Beta
- [Control Center] FIDO2 Gateway Advertise is False in background
- [Control Center - Integrations] Azure: Domain-joined environment: Delete workstation and then credential, and the user stays in paired with Azure
- [Passwordless for Windows] FIDO2 Gateway CTAP error responses are not being relayed to the USB HID driver
- [Mobile App for Android] Error information overlay displays on tapping over the successful authentication entries in login history screen
- [Mobile App for Android] Enterprise Passkey: Unable to unlock workstation using passkey if app is backgrounded on receiving the User Presence prompt
- [Mobile App for Android] Enterprise passkey: Error not displayed on completing authentication on the Mobile App that was resumed from background which had the User Presence prompt
- [Mobile App for Android] FIDO2 Gateway: When the workstation is unreachable, Android sends two advertise requests within 4s, repeating every 30s
- [Mobile App for Android] Login History screen displays more than 50 entries
[Control Center] Customer Tenant Access Approval/Support Access Bug Fixes
- [Control Center] Fixed: Support Access:Able to save on no action example custom date you can switch to custom date and save no change but save action is shown
- [Control Center] Fixed: Support Access:Date picker while flipping month causes 1st of month to be selected on future months/current month selects today's date
- [Control Center] Fixed: Support Access: Canceling swap of custom date vs. always access shows saved state banner
- [Control Center] Fixed: Support Access: Email list no wrapping on screen causes scroll bar
- [Control Center] Fixed: Support Access: Audit Trail not showing correct numbers showing 1-5 instead of the number of entries
- [Control Center] Fixed: Support Access: Audit Trail does not refresh on toggle off/on
[Passwordless for Windows] Q3 2024 Security Device Enhancements
- [Passwordless for Windows] Update bundled YubiKey mini-driver to version 4.6.1
- Bug Fixes:
  - [Passwordless for Windows] Fixed: "YubiKey PUK Lock Enabled" feature is broken
  - [Passwordless for Windows] Fixed: Cannot log in with YubiKey Bio if Security Key PIN Minimum Length is set to 7 and current PIN is 7 on Windows 11
  - [Passwordless for Windows] Fixed: Fingerprint registration UI failed to appear resulting in error during YubiKey Bio MPE pairing, though registration was successful

Enhancements

[Adapt] Add new Workstation Unlock Evaluation Points
[Adapt] Add Polyglot JS User Lookup extension Test tab
[Adapt] Datadog logs flooding due to Event Handler-generated Events parsing issue
[Adapt] Event Handlers Alpha
[Adapt] Monitoring and alerting
[Adapt; Control Center - Integrations] Adapt is breaking the Okta integration
[Adapt; Documentation] Create and document a beginner policy
[Affirm] Enable sonar on Affirm code
[API] Returning nodeCount instead of result of publish; device/wfa/status doesn't work on cluster
[API] Take advantage of justVerifySerialNumber in checksettings payload
[Control Center] Asynchronous Registration: Push consent shouldn't be mandatory during registration
[Control Center] FIDO2/Login Settings
[Control Center] Finally removed the apostrophe/comma in the New Application dialogs
[Control Center] Server is not picking the proxy from the environment variable
[Control Center - Integrations] ADFS deeplinks issues
[Control Center - Integrations] Create maintenance job to add aliases to Okta Integration users
[Control Center - Integrations] Sanitize logs
[Control Center; Documentation] Update Control Center links to new Documentation portal
[Documentation] Entra ID Documents: Replace internal domain with something more generic
[Documentation] Generic OIDC articles
[Documentation] OAuth token usage
[Documentation; API] MDS API endpoints Part I
[Documentation; API] Security Key PUK support APIs
[Documentation; Errors] Error Code Cleanup
[Events] QR Authentication timeout, QR Authnentication scan are not generating Events
[HYPR Mobile App - Both] QR Authentication skip confirmation prompt
[Mobile App for Android] Android appeal in the Play Store
[Mobile App for iOS; SDK for iOS] Automation: Request to add ID for Transaction Amount and Text displayed
[Mobile App for iOS] Enterprise Passkey: Fix advertise called during FaceID
[Mobile App for iOS] Improve HYPR Mobile App speed
[Mobile App for iOS] Request for element Locator in error message screen
[Passwordless for Windows] Log every file submitted to DigiCert code signing service
[Passwordless for Windows] Optimize code signing during CI/CD builds
[Passwordless for Windows] Update ATR's for Feitian security keys
[Passwordless for Windows] Use same names for Feitian keys that Passwordless 8.X used
[Platform] Fix 404 Page
[Platform - Database; Events] Add Primary Key Index to idv_audit_event table
[Platform - Firebase] Firebase SDK: Multiple projects with OAuth config
[Platform - Keycloak] Custom migration for existing tenant to move Ping DaVinci and BeyondTrust integrations to use the new Keycloak OIDC flow/authenticators
[Platform - Keycloak] Match Keycloak UI to Control Center UI so the login options are the same
[Platform - Keycloak] Remove misleading brute force logs when error occurs

Bug Fixes

[Adapt] Fixed: HYPRSpeed is missing in Login limits template
[Adapt] Fixed: Policy management Event Search Window issues
[Adapt] Fixed: Push attack prevention policy: QR code is not getting displayed; i.e., Mobile option is going away and FIDO2 is displayed
[Adapt] Fixed: User forced to click "Configure Policy" after creating policy
[Affirm] Fixed: ApproverRequestResultsAction: Get reference image from the database, not only from the cache
[API] Fixed: Magic link call /cc/ui/rpUser/self is intermittently returning 404
[Control Center] Fixed: Device Manager template capturing
[Control Center] Fixed: QR Fallback: Control Center users cannot use QR Fallback to login
[Control Center] Fixed: SVG Display in UI management screen
[Control Center] Fixed: User Management page has extra padding above the 'Web Domains' table
[Control Center - Integrations] Fixed: Enrollment drawer doesn't show two users with same primary email address
[Control Center - Integrations; API] Fixed: Okta: On launching Device Manager from the Okta dashboard, 404 errors occur with the /cc/ui/rpUser/self endpoint
[Control Center; API] Fixed: Server expecting machineId populated in Audit API for FIDO-Only registration/authentication flows
[Control Center; Documentation] Fixed: Links to new Documentation portal
[Mobile App for Android] Fixed: All workstation registrations are being removed on de-registering one workstation pairing
[Mobile App for Android] Fixed: Single Registration: Workstation-to-web: Removal of pairing from Device Manager doesn't reflect on Mobile App
[Mobile App for iOS] Fixed: Device cannot authenticate if FIDO Allowlist Facets is enabled before registration
[Mobile App for iOS] Fixed: Single Registration: Workstation-to-web: Deletion of Computer Bubble doesn't delete Web Account
[Passwordless for macOS] Fixed: Signal reporting can answer with code 204
[Passwordless for macOS] Fixed: Single Registration: Web-to-workstation: Web account's Computer Bubble keeps getting hidden
[Passwordless for macOS] Fixed: Uninstalling client doesn't restore default unlock screen
[Passwordless for macOS; Mobile App for Android] Fixed: Single Registration: Web-to-workstation: All accounts on Android are deleted when user in web rpapp gets deleted on Control Center
[Passwordless for Windows] Fixed: CSR generation times out during IDEMIA smart card registration
[Passwordless for Windows] Fixed: WiFi and BLE icons on the "Choose Connection" screen are clipped
[Platform - Database] Fixed: rp_user_alias table not cleaned up after delete
[Platform - Keycloak] Fixed: Authentication failing with error 'Unexpected error when handling authentication request to identity provider'

8.7.2 - Patch 2024-06-13

Enhancements

[API] Implement token refresh retry on settings endpoint

8.4.2 - Patch 2024-06-13

Enhancements

[Mobile App for Android; SDK for Android] Android support in 8.4.2

9.1.2 - Patch 2024-05-29

New Features and Feature Changes

[Passwordless for Windows] Q3 2024 Security Device Enhancements
- [Passwordless for Windows] Implement UI for FIDO2 fingerprint management
- [Passwordless for Windows] Update bundled YubiKey mini-driver to version 4.6.1
- Bugs Fixed:
  - [Passwordless for Windows] "YubiKey PUK Lock Enabled" feature is broken

Enhancements

[All HYPR] Americans with Disabilities Act (ADA) Fixes Pass 4
[API] Returning nodeCount instead of result of publish using device/wfa/status doesn't work on a cluster
[Control Center] FacetID Management, Validation, Compatibility
[Control Center] FacetID UI Accessibility Changes
[Control Center - Integrations] Okta Extension: Customer use case
[Control Center - Integrations] Okta Extension: Issues with customer upgrade
[Control Center - Integrations] Okta Extension: Use oktapreview when looking for client
[Mobile App for Android] Customer permission issue
[Passwordless for Windows] Successful pairing screen timeout
[Passwordless for Windows] Update ATR's for Feitian security keys
[Passwordless for Windows] Use same names for Feitian keys that Passwordless 8.X used

Bug Fixes

[Affirm] Fixed: Mobile IdV flow shows blank spinning screen after selecting document type to upload
[Control Center - Integrations] Fixed: Multiple problems with security key removal dialog
[Control Center - Integrations] Fixed: Security Key removal does not pop up in 9.1+
[Control Center] Fixed: Errors thrown with creation and deletion of duplicate facetIDs (UI)
[Mobile App for Android; SDK for Android] Fixed: App crash for Location permission with Signals enabled

9.1.1 - Patch 2024-05-01

New Features and Feature Changes

[Affirm] Enhancements
- [Affirm] Rename AFFIRM Event field 'costsTracking | isSuccessful' to enable efficient parsing
- [Affirm] Email Case Sensitivity
- [Affirm] Document-upload not handling failure cases gracefully
- [Affirm] When the IdV flow is Disabled, the Requester can still complete the Affirm flow
[Control Center] FIDO2: FacetID Management, Validation, Compatibility
- [Control Center] FIDO2: Add 'Delete' button for trusted facets
- [Mobile App for iOS] Existing registrations cannot authenticate if FIDO Allowlisted Facets is enabled afterward
- [Mobile App for Android] Existing registrations cannot authenticate if FIDO Allowlisted Facets is enabled afterward

Enhancements

[Adapt] Workstation authentication policy UI changes
[Adapt; Control Center - Integrations] Adapt is breaking the Okta Integration
[All HYPR] 'Azure' still appears in several places in the dialog options; change to 'Entra' or 'Microsoft Entra ID'
[All HYPR] Single Registration (Both) chsch sso issue
[API] Take advantage of justVerifySerialNumber in checksettings payload
[Mobile App for iOS] Enterprise Passkey: Fix advertise called during FaceID
[Mobile App for iOS] FIDO2 Disable WiFi and BLE
[Passwordless for Windows] Add support for YubiKey 5.7.0 firmware
[Passwordless for Windows] Allow security key registration to set alphanumeric PINs
[Platform - Keycloak] Bring jQuery changes to the Keycloak registrator

Bug Fixes

[Adapt] Fixed: Using the new Login Limits policy template, the user is getting blocked before the 'number of failed events' condition is met
[Control Center] Fixed: Device Manager registration fails on Safari browser
[Control Center - Integrations] Fixed: Azure domain-joined: Delete credential and then workstation; uer stays in "Paired with HYPR' in the Azure portal
[Control Center - Integrations] Fixed: User Management: Pending tab message still uses 'WFA' and should use 'Passwordless'
[Mobile App for Android] Fixed: Enterprise Passkey: On deregistering the linked security key for a hybrid account, the Workstation pairing is also being removed
[Mobile App for Android] Fixed: Passwordless Unlock: Location flickers and Unlock fails

9.2.0 - GA 2024-04-11

New Features and Feature Changes

[Adapt] Data retention Events TTL
- [Adapt] Set retention TTL to 5 years
[Adapt] Risk Policy Improvements I Alpha
- [Adapt] Fetch individual policy when rendering policy configuration
- [Adapt] Home page; Create Policy flow; built-in policy pages UX feedback
- [Adapt] Custom policy pages UX feedback
[Adapt; API] Protection for signal endpoint
- [Adapt; API] API security for the signal service
- [Adapt; Control Center; API] UI updates for OAuth API tokens
- [Control Center; API] OAuth API token: Token not getting created when OIDC related permissions are selected
- [Control Center; API] OAuth credentials: Creating a token with 999999s TTL throws error
- [Control Center; API] OAuth Credentials: Token TTL is not correctly reflected in the UI
- [Control Center; API] OAuth Credentials: Able to create a token with blank 'Use JWKS endpoint'
[Affirm] Enhancements
- [Affirm] Front end validations around redirect URL
- [Affirm] Update copy for Photo ID and Liveness
- [Affirm] Warning message cleanup UI for invalid configurations
- [Affirm] Public API - Design
- [Affirm] Activity Log Name Check field implementation
- [Affirm] Improve look of the email step
- [Affirm] Improve look of the phone step
- [Affirm] Improve look of the location step
- [Affirm] Improve look of the start step
- [Affirm] Improve look of the final wrapping up step for Requester
- Bug Fixes:
  - [Affirm] Fixed: Approver does not receives phone message with Requester detail and link to approve
  - [Affirm] Fixed: 500 on Approver clicking continue in Approver chat
  - [Affirm] Fixed: Phone number match not throwing error unless comparing last 3 digits
  - [Affirm] Fixed: Upon clicking Redo, "you'll" switches to "you'll"
  - [Affirm] Fixed: Camera is enabled but microphone is not causing extra click for user
  - [Affirm] Fixed: Background shifts when entering OnFIDO part of the flow
  - [Affirm] Fixed: Button sizes and style to match previous steps in Affirm flow
  - [Affirm] Fixed: Error message . vs . on Affirm email page
  - [Affirm] Fixed: Chat of Approver and Requester appears are different
  - [Affirm] Fixed: 500 on going directly to URL
  - [Affirm] Fixed: UI is not reactive to screen size
  - [Affirm] Fixed: Background of application connection default new login method does not cover the entire name for the drop-down
  - [Affirm] Fixed: Session timeout on cc/ui/idv leads to 'Access Denied' on refresh; when 'Log In' is clicked again opens a Control Center login instead of an Affirm landing page
[Control Center] Audit Trail Enhancement
- [Control Center] Audit Trail: Updating machineid, eventtags and deviceType validation and adding new TC in validation
[Control Center] Technical Debt
- [Control Center] Dropdown’s option is not visible on mouse-hover
- [Control Center] Audit trail selected date doesn't get displayed
- [Control Center] DEV env CSRF token fix
- [Control Center] React Google chart using deprecated version
[Control Center - Integrations] Generic OIDC Integration
- [Control Center - Integrations] Generic OIDC: Feature enablement
- [Control Center - Integrations] Generic OIDC: Create tile and Beta UI
- [Control Center - Integrations] Generic OIDC: Implement Integration
- [Passwordless for Windows] Uninstall doesn't deregister paired devices
[Control Center - Integrations] HYPR Enterprise Passkey: FIDO2 Gateway Fallback Part 2 - Beta
- [Passwordless for Windows] Client should reflect correct Enterprise Passkey status when brought into focus
- [Control Center] Custom Device Manager templates to aid customer migrations
[Mobile App - Both] Single Registration: Web-to-workstation Deregistration/Re-enroll Bug Fixes
- [Mobile App for Android] Fixed: Single Registration: Web-to-workstation: Displays bubble with the computer icon instead of a QR code after obtaining certificate
- [Mobile App for iOS] Fixed: Workstation bubble naming has machine name instead of username
[Passwordless for Windows] Missing removed registrations
- [Passwordless for Windows] Uninstalling the client doesn't deregister paired security keys
[Platform - Keycloak; Events; SDK - All] Keycloak Observability
- [Platform - Keycloak; Events] Propagate Keycloak Events to Control Center
- [Platform - Keycloak; Events] Enable Keycloak login Event for new integrations
- [Platform - Keycloak; Events] Send Keycloak modules login Events to Control Center
- [Platform - Keycloak; Events] Send Keycloak authentication/registration login Events to Control Center
- [Platform - Keycloak; Events] Tracing and Event improvements - traceId
- [Platform - Keycloak; Control Center - Integrations; Events] Create a custom migration to enable Keycloak login Events for all integrations
- [Platform - Keycloak; Events] Sending Events from Keycloak throws exceptions
- [SDK - All] SDK method to log successful Events
- [SDK for Java] Make sure all Java SDK calls use the traceId from the session

Enhancements

[All HYPR] CVE-2023-52428
[All HYPR] CVE-2024-22259(8.100000381469727)
[All HYPR] Single Registration (Both) chsch sso issue
[Control Center - Integrations] ADFS Plugin v2: Replace external IIS Web Server needed for the HYPR ADFS Plugin to a URL served via ADFS
[Control Center - Integrations] Entra ID: Create enablement for the APIs
[Control Center - Integrations] Extension web hooks
[Control Center; Adapt] Remove Login Limits local template from Control Center, point strictly to PolicyTemplates Risk Engine API in code
[Control Center] Add POV banner
[Control Center] ccdocs target is failing
[Control Center] Drop zipkin reporting
[Control Center] Update .jar dependencies
[Passwordless for macOS] Don't use System Events to start HYPR after the first reboot
[Passwordless for Windows] Add support for YubiKey 5.7.0 firmware
[Passwordless for Windows] Allow security key registration to set alphanumeric PINs
[Passwordless for Windows] Force Windows to refresh icons after client installation
[Passwordless for Windows] Update bundled YubiKey mini-driver to version 4.6.0
[Platform - Keycloak] Create SAML integration APIs
[Platform - Keycloak] Custom migration for existing tenant to move Okta integration to use the new Keycloak OIDC flow/authenticators
[Platform] Upgrade owasp-dependency
[Platform] Upgrade Spring to 3.2

Bug Fixes

[Adapt] Fixed: Assign policy returns 200 with invalid policy ID and invalid rpApp
[Adapt] Fixed: Keycloak authentication defaulting to Push when both Mobile App and FIDO2 are registered
[Adapt] Fixed: Signals do not report local network information
[Affirm] Fixed: UI import issues
[Control Center] Fixed: Single Registratio: Workstation-to-web: No email associated with user doesn't create a web account with UPN
[Mobile App -Both] Fixed: Authentication message differs on Android and iOS
[Mobile App for Android] Fixed: Single Registration: Workstation-to-web: Hide the "Add Linked Workstation" button
[Mobile App for iOS] Fixed: Signals have duplicate values in many attributes
[Passwordless for macOS] Fixed: Ensure TokenDriver is available for the current user when the workstation is locked
[Passwordless for macOS] Fixed: Server crashes trying to read user info
[Passwordless for macOS] Fixed: Shows Android icon instead of iPhone icon when paired
[Platform - Keycloak] Fixed: QR authentication synchronous form submission blocks UI Automation

9.1.0 - GA 2024-04-10

New Features and Feature Changes

[Adapt] Event Handlers Alpha
- [Adapt] Event Handlers: Context functions
- [Adapt] Event Handlers: Rename: Front end
[Adapt] Risk Policy: Custom Code Configuration w/Dynamic UI [Beta]
- [Adapt] Add AI assist button
- [Adapt] Further separate built-in and custom policies
- [Adapt] Provide more context for versioning
- [Adapt] Relocate documentation
- [Adapt] Custom policies UI
- [Adapt; API] Custom policies CRUD API
[Adapt] Risk Policy Improvements I Alpha
- [Adapt] Risk Engine: Pass Events into Event attribute for test evaluations
- Bug Fixes:
  - [Adapt] Custom policy UI: 'My policy template' policy evaluation throws exception
[Adapt] Risk Policy: Visual Reporting Tool
- [Adapt] Policy evaluation results report
- [Adapt] Risk Report Highlights
[Affirm] Bug Fixes
- [Affirm] Control Center Activity Log page selector is not selectable and is blocked by the artifacts being populated in the table
- [Affirm] If all settings are off you get the basic error on IDV page
- [Affirm] No verification flow default selected if no application is set up for Affirm
[Affirm] Enhancements
- [Affirm] Make Document photo and video selfie step more user friendly (reference IdV steps)
- [Affirm; API] Public API Implementation
- Bug Fixes:
  - [Affirm] Configuration error TAP is allowed for Okta
  - [Affirm] Name check in Activity Log showing CLEAR even when not used in the flow
[Affirm] GA
- [Affirm] Add Affirm entry point on Keycloak authenticator
- [Affirm] Add Affirm entry point on Keycloak Modules
- [Affirm] Allow for auto-credentialing (no manager approval)
- [Affirm] BE add name extraction and cross-referencing with IdP
- [Affirm] BE Support for username as an initial identifier
- [Affirm] BE Support more flexible configuration options
- [Affirm] Control Center add name extraction and cross-referencing with IdP
- [Affirm] Control Center Allow for auto-credentialing (no manager approval)
- [Affirm] Control Center Support for username as an initial identifier
- [Affirm] Control Center Support more flexible configuration options
- [Affirm] IdV Support for username as an initial identifier
- [Affirm] Activity Log: Document Verification result field implementation
- [Affirm] Activity Log: Image File Name field implementation
- [Affirm] Activity Log: Reduce amount of queries for fetching Activity Log details
- [Affirm] Activity Log: Registration field implementation
- [Affirm] Add document load step to the Twilio flow; remove it from the chat window
- [Affirm] Add facial rekognition and SMS permissions to tenant IAM user
- [Affirm] Add new item to generated chat for continue for Requester chat
- [Affirm] Add picture taken step to the Twilio flow; remove it from the chat window
- [Affirm] Attacker can brute force phone number without any limitation at all
- [Affirm] Base settings/modified settings in Control Center front end HYPR Affirm component; refactor/consolidate so that there are fewer duplications in both default/modified settings representative objects
- [Affirm] Control Center UI changes to match the public API
- [Affirm] Check that Azure Users are active in data source before continuing Affirm flow
- [Affirm] Clean the Twilio chat step
- [Affirm] Create a simple error page for errors
- [Affirm] Face ID verification can be bypassed using any random blurry image
- [Affirm] Finish the implementation for Approver assignment
- [Affirm] Go over copy on the following messages
- [Affirm] Simplify Affirm Events
- [Affirm; Control Center - Integrations] Okta: Check that User is active in Data Source before continuing Affirm flow
- [Documentation] Technical Edits for HYPR Affirm
- [All HYPR] CVE-2023-26159
- Bug Fixes:
  - [Affirm] Fixed: 500 error after multiple SMS requests
  - [Affirm] Fixed: 500 error on Requester side if no Approver action is found
  - [Affirm] Fixed: 500 on Approver flow
  - [Affirm] Fixed: Activity Log details page shows recovery correctly while the index page shows it as onboarding
  - [Affirm] Fixed: Activity Log more details showing passport as document type but driver's license was used
  - [Affirm] Fixed: Misleading error message appears when Requester's Mobile Number is not added in IDP
  - [Affirm] Fixed: Attestation toggle needs to work with the current flow
  - [Affirm] Fixed: Auto approval not showing as approved and instead showing N/A
  - [Affirm] Fixed: Back button here leads to an error state remove
  - [Affirm] Fixed: Back button on video chat leads to a confirm form resubmission page
  - [Affirm] Fixed: Clean up current state of Affirm if it is turned off
  - [Affirm] Fixed: Duplicate entries on approval in Activity Log
  - [Affirm] Fixed: Duplicate entry on rejection in Activity Log
  - [Affirm] Fixed: Global toggle not showing model for Affirm enablement off
  - [Affirm] Fixed: Going to IDV page while disabled leads to 500
  - [Affirm] Fixed: HYPR auto Approver/Approver is blank
  - [Affirm] Fixed: If Approver approves Requester before they complete the chat verification the Requester cannot continue
  - [Affirm] Fixed: If session expires when you return to the page you get a 500
  - [Affirm] Fixed: If user does not have the country code for mobile phone in their IDP you fail the phone number check
  - [Affirm] Fixed: If you click the link on the email after you activate the link on your phone you get a 500
  - [Affirm] Fixed: Images failing to send on the front end after upload by Requester
  - [Affirm] Fixed: IP address in Activity Log PII
  - [Affirm] Fixed: More PII in the Datadog logs
  - [Affirm] Fixed: On second pass the geo location fails
  - [Affirm] Fixed: On second pass the user needs to select new phone or lost device and enter email twice
  - [Affirm] Fixed: OnFIDO Document Verification X button not returning to correct location
  - [Affirm] Fixed: Remove the upgrade model while the FF is off
  - [Affirm] Fixed: Requestor vs Requester in UI
  - [Affirm] Fixed: Second Approver link sent in same session redirects to main Affirm page
  - [Affirm] Fixed: Someone else Approver sending emails to Okta email address for manager
  - [Affirm] Fixed: Update copy on email for verification request
  - [Affirm] Fixed: Upgrade now link on banner does nothing
  - [Affirm] Fixed: Video doesn't display chat as expected
  - [Affirm] Fixed: When integration is deleted Affirm does not get cleaned up
[All HYPR] Enterprise Passkey: FIDO2 Gateway Fallback Bug Fixes
- [Mobile App - Both] Fixed: Enterprise Passkey: FIDO2 Gateway: Authentication does not fallback to FIDO2 Gateway transport when BLE is disabled on the Mobile device
- [Mobile App - Both] Fixed: Enterprise Passkey: FIDO2 Gateway transport is not available on enabling the feature on Control Center after a Control Center upgrade
- [Passwordless for Windows] Fixed: FIDO2 Gateway: Unable to register Enterprise Passkey using FIDO2 Gateway on Windows 11
[All HYPR] Single Registration: Workstation-to-web: rpApp model Alpha
- [Mobile App for iOS] Implementation
- [Passwordless - Both] Single Registration: Workstation-to-web: Certificate issue: chsh case
- [Passwordless - Both] Single Registration: Workstation-to-web: Multiple rpAppId
[Control Center - Extensions] Security Key pre-registration hook [Part II]
- [Passwordless for Windows] Passwordless Security Key pre-registration hook before certificate is requested
[Control Center - Integrations] HYPR Enterprise Passkey - FIDO2 Gateway Fallback - 1
- [Control Center - Integrations] FIDO2 Gateway PoC
- [Mobile App for Android] FIDO2 Gateway Implementation
- [Mobile App for Android] fido2gateway moving /advertise to longpool
- [Mobile App for iOS] fido2gateway moving /advertise to longpool
- [Passwordless for Windows] FIDO2 Gateway Implementation
- Bug Fixes:
  - [Mobile App for Android] Fixed: Wrong machineUserName on Azure FIDO2 Pairing Events (FIDO2_DEVICE_REG + FIDO2_DEVICE_REG_COMPLETE)
[Control Center - Integrations] HYPR Enterprise Passkey - Generic Control Center Integration
- [Control Center - Integrations; API] Add Enterprise Passkey data to the mobile endpoint
- [Control Center - Integrations; API] Add new API for Enterprise Passkey settings
- [Control Center - Integrations] Add Enterprise Passkey settings to Advanced / FIDO2 Settings tab
- [Control Center - Integrations] Add Enterprise Passkey settings to Standard Integration / Login Settings tab
- [Control Center - Integrations] Add Enterprise Passkey settings to Standard Workstation / Workstation Settings tab
- [Control Center - Integrations] Add username to rp_enrolled_credentials_data primary key
- [Control Center - Integrations] Change setup of Azure Native integration to use Generic Enterprise Passkey settings
- [Control Center - Integrations] Create FF FIDO2_GATEWAY
- [Control Center - Integrations] Enable FIDO2_DEVICE_REG_COMPLETE and FIDO2_DEVICE_DEREG logic for generic
- [Control Center - Integrations] Generic Enterprise Passkey: Add recovery PIN option to device details
- [Control Center - Integrations] Generic Enterprise Passkey: Use Generic User Management component in V1 user management
- [Control Center - Integrations] Generic Enterprise Passkey: Use Generic User Management component in Workstation user management
- [Control Center - Integrations] Migrate Azure Native restricted domains to Generic Enterprise Passkey settings
- Bug Fixes:
  - [Control Center - Integrations] After re-pairing workstation, user is present in two groups in Azure portal
  - [Control Center - Integrations] Generic Enterprise Passkey: Performing FIDO2 pairing with Ping Adapter overwrites the email in User Management
  - [Control Center - Integrations] User information not fully removed from Keycloak after user deletion
[Control Center - Integrations] Logo / Brand Updates
- [Control Center] Device Manager 2.0: Icon changes for 9.1
[Control Center - Integrations] Update All Branding
- [Control Center - Integrations] ADFS Plugin: HYPR Branding Implementation
- [Mobile App for Android] HYPR Brand Implementation (HYPR, SDK, Reference, FCA, Maven, Play Store)
- [Mobile App for iOS] HYPR Brand Implementation (HYPR, SDK, Reference, FCA, Swift Package, App Store)
- [Passwordless for macOS] HYPR Brand Implementation
- [Passwordless for Windows] HYPR Branding Update
[Documentation] New Documentation Portal
- [Documentation] Doc site external deploy - 9.1
[Events] Improve external authentication Event tracking
- [Events; Passwordless for macOS] Log macOS login with TouchID as an EXTERNAL_AUTH_COMPLETE Event
- [Passwordless for Windows] Generate EXTERNAL_AUTH_COMPLETE even if user has no paired devices
[Mobile App - Both] Q1 2024 Mobile App Tech Debt
- [Mobile App for Android] Stop support for FCA, Dev App, and All ADP
- [Mobile App for iOS] Create List of Device IDs for Apple Developer Program
- [Mobile App for iOS] Deprecate ADP TaADP
- [Mobile App for iOS] Deprecate HYPR Firebase Notification Adapter
- [Mobile App for iOS] Remove Dev version of HyprApp
- [Mobile App for iOS] Stop Support for FCA and all ADP
[Mobile App - Both] QR Scanning Widget
- [Mobile App for Android] QR to unlock Widget
- [Mobile App for iOS] QR to unlock Widget
[Passwordless for Windows] Basic Branding Customization for Windows
- [Passwordless for Windows] Apply customized branding during Passwordless upgrades
- [Passwordless for Windows] Basic Branding Customization
- Bug Fixes:
  - [Passwordless for Windows] Preserve "old style" UI customizations
[Passwordless for Windows] Q3 2024 UI improvements
- [Passwordless for Windows] Enter key should "click" the primary button
- [Passwordless for Windows] Force Windows to refresh icons after Passwordless installation
- [Passwordless for Windows] Make sure an appropriate control has focus
[Passwordless for Windows] Support for YubiKey Bio MPE Security Keys (Inline Fingerprint Registration)
- [Passwordless for Windows] FIDO2 fingerprint registration during PIV pairing
- [Passwordless for Windows] Copy text fingerprint enrollment messages
- [Passwordless for Windows] Extend SMARTKEY_AUTH_COMPLETE Audit Trail Event to indicate PIN or Fingerprint
- [Passwordless for Windows] Implement code to enroll fingerprints on YubiKey BIO MPE [1/2]
- [Passwordless for Windows] Implement code to enroll fingerprints on YubiKey BIO MPE [2/2]
- [Passwordless for Windows] Implement UI for FIDO2 fingerprint registration during PIV pairing [1/2]
- [Passwordless for Windows] Remove timeout during start of fingerprint enrollment process
- [Passwordless for Windows] Update bundled YubiKey mini-driver to version 4.5.3
- [Passwordless for Windows] Update bundled YubiKey mini-driver to version 4.6.0
- [Passwordless for Windows] Update post registration message for YubiKey Bio MPE devices
[Platform - Certificates] Certificate Services (Certificates Tracking)
- [Platform - Certificates; API] Make certificate information available for Bulk Export
- [Platform - Certificates] Add certificate serial numbers and expiration to device logs
[Platform - Keycloak] Authenticator Refactoring Phase 2
- [Platform - Keycloak] Bring Azure module to be up-to-date
- [Platform - Keycloak] Generalize Adapt code so we can use it in the new modules
- [Platform - Keycloak] 9.1 Upgrade to the latest Keycloak server

Enhancements

[Adapt; Control Center - Integrations] Adapt is breaking the Okta integration
[Adapt; Mobile App for Android] Remove the separate signal request during authentication as the signal payload is already sent with fido/get
[Adapt] Build out extension logic for workstation evaluation points
[Adapt] Create a workstation policy for network names (DEMO); Beta
[Adapt] Policy: Invoke Adapt for policy evaluation during workstation authentication
[Adapt] Risk engine should search the Events based on the policy and not hardcode to 7L
[Adapt] Risk Policy: Action Events
[Affirm] Make BasicApproverInfo and BasicManagerInfo one structure
[All HYPR] Americans with Disabilities Act (ADA) Fixes Pass 3
[All HYPR] Single Registration: Workstation-to-web: Multiple rpAppId setup; fix logging into ws
[All HYPR] Single Registration: setup
[Control Center] Add forwarding functionality for the IP allowlist
[Control Center] Custom Device manager templates/updates for customer
[Control Center] Enable facetid checking for FIDO UAF; add ability to delete facet IDs
[Control Center] Pass Time Filters into Audit Trail Requests in UI
[Control Center] Remove login option change UI
[Control Center] Switch background-image to background-gradient
[Control Center - Extensions] Add extension webhooks
[Control Center - Extensions] Add service account restiction
[Control Center - Extensions; API] Incorporate extension calls inside workstation Unlock APIs
[Control Center - Integrations] Okta: UPN in Integrations
[Documentation] Documentation modifications for breaking upgrades
[Documentation] Entra ID Documentation: Replace internal domain with something more generic
[Mobile App for Android] Remove Sensory
[Mobile App for Android] Update UI/color when possible
[Mobile App for iOS] Implement SDK Deprecations in consuming apps
[Mobile App for iOS] Provide custom iOS build
[Mobile App for iOS] Remove Sensory
[Mobile App for iOS] Update App privacy info manifest
[Mobile App for iOS] Update UI/color when possible
[Mobile App for iOS] Wording changes to accommodate Azure -> Entra
[Passwordless - Both] Remove pinned shortcut after uninstallation
[Passwordless for macOS] Implement workaround for Sonoma screensaver
[Passwordless for macOS] Packaging for Intune deployment
[Passwordless for macOS] Replace fa-devices.js with devices.js and remove login options prompt
[Passwordless for Windows] Advanced Branding Customization
[Passwordless for Windows] IDEMIA PIV/FIDO2 Badge Support
[Passwordless for Windows] Provide Passwordless build without obfuscation
[Passwordless for Windows] Support for YubiKey Bio MPE Security Keys
[Passwordless for Windows] Verify signing on package update
[Platform] Breaking upgrades to the server
[Platform - Database] Extend length of raw data
[Platform - FIDO2] Update Fido2Authenticator Lib with MASA fix
[Platform - Keycloak] Optimize feature enablement fetching
[Platform - Logging] fidogateway: Log decoded rawdata
[SDK for iOS] Make HYPRiOSReferenceApp consume XCFrameworks on master builds

Bug Fixes

[Adapt] Fixed: Login Limits fails push notification with error 'message attr missing in policy response'
[Adapt] Fixed: Push bomb prevention switches to QR authentication; PRE_WEB_AUTH evaluation point fails if QR authentication fails
[Adapt] Fixed: Settings: Table border is distorted due to the new column 'Adapt unavailable'
[Adapt] Fixed: Signals: CrowdStrikeAID information is missing in the resulting Signal report because of character casing used in Passwordless
[Adapt] Fixed: Unable to register device due to 'Failed to load extensionId: AdaptExtId' error
[Adapt] Fixed: Workstation Authentication policy 'network' field is missing and the option is present in the high-level drop-down
[Adapt; Mobile App for Android] Fixed: Android Signal is sent with authentication/requests 'REQUEST_SENT' status instead of 'COMPLETE' status
[Adapt; Mobile App for iOS] Fixed: Signals - app minimization generates 3 signal requests for each registration
[Adapt; Platform - Keycloak] Fixed: Keycloak's 'Authentication Upgraded Message' sometimes doesn’t get displayed
[Affirm] Fixed: 500 on attempting to relogin into Control Center after completing affirm flow
[Affirm] Fixed: Backward compatibility issue: Removal of Manager role in favor of Approver
[Affirm] Fixed: Cannot fetch Approver when its set to Manager and not Someone Else
[Affirm] Fixed: Data fields with null values populating with text string "null"
[API] Fixed: Adjust Broken FIDO2 Update User API URL
[Control Center] Fixed: Audit Trail says that registration of paired IDEMIA card is unknown
[Contorl Center] Fixed: Device Manager 2.0: Fails to update Device Name
[Control Center] Fixed: Device Manager 2.0: Failure to delete device with invalid date
[Control Center] Fixed: Device Manager 2.0 Onboarding: Welcome email for non-ControlCenterAdmin apps leads to standard Device Manager index page and not the Onboarding page
[Control Center] Fix Event listener assignment on login page
[Control Center] Fixed: Many instances of PersistenceException error
[Control Center] Fixed: RBAC (Haas): User is unable to redirect to Okta
[Control Center - Extensions] Fixed: Associate Extensions: WebHooksExtId option is not visible clearly
[Control Center - Extensions] Fixed: Webhooks: Authentication hook throws 'Failed to execute extension' error
[Control Center - Integrations] Fixed: Okta: Integration is not cleaned up when deleting Okta user whose username != email
[Control Center - Integrations] Fixed: Okta: Query for application fails
[Control Center - Integrations] Fixed: Okta: Remove integrations data from response
[Control Center - Integrations] Fixed: OneLogin: Cannot copy "Client Secret for OneLogin Trusted IdP"
[Control Center - Integrations] Fixed: RADIUS doesn't work with 9.1
[Control Center - Intgerations; Passwordless - Both] Fixed: Issue with Desktop SSO, Okta, and Aliases
[Mobile App - Both] Fixed: Enterprise Passkey: Mobile App crashes on authenticating after receiving the user presence prompt via WiFi
[Mobile App - Both; Events] Fixed: Fix Events during pairing via Device Manager in the Mobile App
[Mobile App for Android] Fixed: Device-specific: App crashes upon launching after install
[Mobile App for Android] Fixed: Scanner does not open and the QR icon is not displayed if the app is in the background and we tap “Start QR Scanner” via shortcuts
[Mobile App for iOS] Fixed: Mobile App foreground is not generating signals anymore
[Mobile App for iOS] Fixed: Screen Widget - Dark mode doesn't show the machine name
[Mobile App for iOS] Fixed: Workstation unlock crashes the app if location is not enabled
[Passwordless for macOS] Fixed: read qrCodeUrl configuration from hypr.json
[Passwordless for macOS] Fixed: TrustKit crashes on unsupported algorithm
[Passwordless for Windows] Fixed: Can't upgrade BofA special Passwordless 8.5.2 to Passwordless 9.1.0
[Passwordless for Windows] Fixed: Custom Branding: No spacing between "View More Instructions" button and Contact Support link
[Passwordless for Windows] Fixed: Multiple Audit Trail Events queued due to an exception caused by empty RpAppID during Passwordless service startup
[Passwordless for Windows] Fixed: Signal does not sent "no location avail" if Location is Disabled
[Passwordless for Windows] Fixed: UI in Enterprise passkey flow has extra line space between each line
[Passwordless for Windows] Fixed: Unable to complete login to Remote workstation using registered device
[Passwordless for Windows] Fixed: Passwordless should trim leading/trailing whitespace from registry values
[Platform - Keycloak] Fixed: Modules refactor - Push bomb prevention - QR code is not getting displayed
[Platform - Migration] Fixed: Migration from 8.7 to 9.1 fails with error
[SDK for Java/Android/iOS] Fixed: Authentication fails with Error 114060 error

8.7.1 - Patch 2024-01-24

New Features and Feature Changes

[All HYPR] American with Disabilities Act (ADA) Fixes
- [All HYPR] American with Disabilities Act (ADA) High Priority Items
- [All HYPR] American with Disabilities Act (ADA) High Priority Items Pass 2
[Control Center - Integrations] Azure: HYPR Enterprise Passkey: Support for different usernames and multiple credentials
- [Control Center - Integrations] Azure: User not moved back to 'Paired with HYPR' group after deleting the FIDO2 credentials from the Mobile App
- [Passwordless for Windows] Passwordless Client fails to validate pass\pin on local account pairing

Enhancements

[Adapt] Change the ‘WhiteList’ terminology ‘AllowList’ to be more politically correct
[Adapt] Extension and Evaluation points Documentation ticket
[Adapt] PolicyEvaluationService.evaluatePolicy - Fix the evalDataStartDate and evalDataEndDate values in the log
[Adapt] Remove 'Disable Adapt' toggle from Keycloak
[Adapt] Rename the policy evaluation point
[Adapt; Documentation] Documentation ticket
[All HYPR] CVE Fixes
[API] FIDO2: Should be able to update displayName
[API] Add username validation in fido/get
[Control Center] Allow Non-ASCII characters through Control Center firewall in request headers
[Control Center] Remove dynamic content in error parameter
[Control Center] Security key pre-registration hook before certificate is requested
[Passwordless for Windows] Allow more than five paired devices
[Platform - Keycloak] Adjust 'Use a dynamic link for web login on mobile devices' toggle logic to account for Adapt flow

Bug Fixes

[Adapt; Mobile App for Android] Fixed: Signals: Mobile App asks for location and phone call permission 'after' the registration is complete
[Adapt; Mobile App for Android] Fixed: Signals: machineId is used as 'machineUserName' instead of 'username'
[Adapt] Fixed: Event ADAPT_POLICY_ASSIGNMENT_REMOVED doesn't have policy ID info
[Adapt] Fixed: Keycloak doesn't display user friendly message when user is Blocked
[Adapt] Fixed: Login Settings: HYPR Adapt Settings section - 'Adapt Unavailable Fallback' column is not displayed
[Adapt] Fixed: Sending continuous signals for each profile
[Adapt] Fixed: Technical Edits
[Adapt] Fixed: Unable to assign policy to an rpApp using its own Access token
[Control Center] Fixed: Device Manager 2.0 Onboarding: Can't enroll two passkeys or two mobile devices back-to-back
[Control Center] Fixed: Device Manager: User is not able to complete authentication and UI shows "Your account has been temporarily blocked"
[Control Center] Fixed: Web Login Onboarding tour QR code refresh fails
[Control Center - Integrations] Fixed: Azure: Server needs to remove FIDO2 credential on FIDO2_DEVICE_DEREG not workstation delete ???
[Control Center - Integrations] Fixed: Enterprise Passkey: Grey workstation bubble displayed when same user is paired from a different workstation and a security key already exists
[Control Center - Integrations] Fixed: Enterprise Passkey: Issue with Windows 11 and BLE and iOS
[Control Center - Integrations] Fixed: Okta: Migration error when name != 'HYPR Authenticator'
[Control Center - Integrations] Fixed: Okta v1->v2 migration: Artifacts in Okta not deleted/Error when deleting users after migration/Side effect around existing users
[Control Center - Integrations; Mobile App for Android] Fixed: Enterprise passkey: Workstation bubble on Mobile App gets replaced on pairing two different workstations logged in with same Azure account
[Mobile App - Both] Fixed: Customer problem registering a device
[Mobile App for Android] Fixed: 404 error when Android OS 13 device trying to authenticate with QR via native camera scanner unless supported web addresses is enabled
[Passwordless for macOS] Fixed: PKG Scripts lead to root privilege escalation
[Passwordless for macOS] Fixed: Requesting certificate from AD fails with Kerberos error rpc_s_auth_not_us
[Platform - Keycloak] Fixed: Keycloak JSON logging
[Platform - Keycloak; Adapt] Fixed: Empty Adapt rpapp config parse error in Keycloak

9.0.0 - GA 2024-01-17

New Features and Feature Changes

[Adapt] Apply Workstation proximity Policy DURING computer unlock
- [Adapt] Ingest workstation signals
- [API] Add signals API for workstations
[Adapt] Event Handlers: Alpha
- [Adapt] Event Handlers: Code and Test JSON Event: Implement linter to handle syntax errors
- [Adapt] Event Handlers: Configuration and Test tab UI enhancements
- [Adapt] Event Handlers: Configuration tab - remove cron scheduler for ‘data enricher’ and ‘action executor’ type
- [Adapt] Event Handlers: Configuration tab - secured values like passwords, keys should not be shown as plain-text
- [Adapt] Event Handlers: Introduce 'logLevel' and add machineUserName in the test Event request body
- [Adapt] Event Handlers: Add support for DEFINING action executor
- [Adapt] Event Handlers: Add support for DEFINING pull data collectors
- [Adapt] Event Handlers: Add support for EXECUTING action executors
- [Adapt] Event Handlers: Add support for SCHEDULING pull data collectors
- [Control Center] UI: Add support for Event Handlers
- Bug Fixes:
  - [Adapt] Fixed: Event Handlers: ctx.httpPost() or ctx.saveEvent() is executing twice
  - [Adapt] Fixed: Event Handlers: Data collector keeps executing even when it is disabled
  - [Adapt] Fixed: Event Handlers: Each line of Handler code is logged as a separate log
  - [Adapt] Fixed: Event Handlers: Event enricher - Able to overwrite the existing columns such as machineUserName, eventName, sessionId, etc
  - [Adapt] Fixed: Event Handlers: Event saved from the Handler Code doesn't show up with search Events
  - [Adapt] Fixed: Event Handlers: Tests Events have missing Tenantld value
  - [Adapt] Fixed: NullPointerException in getAllServerPolicyAssignments()
[Adapt] Signal data from Workstation
- [Adapt] Signals: Workstation data II
- [Adapt] Signals: Workstation send additional signals data
[Affirm] Affirm Identity Verification Minimum Viable Product (MVP)
- [Affirm] OnFIDO MVP Integration
- [Affirm] Activity Log
- [Affirm] Activity Log details
- [Affirm] Activity Log table
- [Affirm] Application Settings: Application connection section with calls to the APIs
- [Affirm] Application Settings: Onboarding/recovery workflow settings section; Employee Location and Identity settings sections
- [Affirm] Application Setup tab
- [Affirm] Application Setup tab
- [Affirm] Approver Assignment tab
- [Affirm] Approver Assignment tab
- [Affirm] Audit trail tab
- [Affirm] Audit trail tab
- [Affirm] Control Center UI changes
- [Affirm] Changes in the report card
- [Affirm] Continue button on the chat/movie should be greyed out
- [Affirm] Costs tracking auditing additional details substructures + error auditing additional details substructures for various costs-generating third party services for Affirm
- [Affirm] Fix Control Center verification flow tab
- [Affirm] Fix Control Center verification model
- [Affirm] Onboard / recover flow chooser
- [Affirm] Phone step
- [Affirm] Phone step
- [Affirm] Rate Limiting and Blocking
- [Affirm] Referencing and saving image is broken
- [Affirm] Remove PII from logs
- [Affirm] Replace copy with generic copy; fix wording
- [Affirm] Settings: Create empty tabs view for further UI work; Application Settings/Audit Log/Activity Log
- [Affirm] Space in the SMS code fails
- [Affirm] TAP not done yet
- [Affirm] Use OnFIDO production credentials
- [Affirm] UX improvements: URLs pointing to specific places in the UI
- [Affirm] Verification Flow tab
- [Affirm] Verification Flow tab
- [Affirm; API] Application Connection API: Assigning/Unassigning/Enabling/Disabling
- [Affirm; API] Onboarding/Recovery workflow settings API; Approver/Approvers/Employee Location/Identity
- [Control Center] Remove legacy field and database toggleableByAdmin column from FeatureFlag entity and rp_feature_flags table for 9.0 release
- [Control Center] Introduce Affirm paid-tier plan feature enablement
- [Control Center; API] rp/api/versioned/features/toggle/{featureName} Add guard if-statement code for HYPR service account only (API endpoint) and add it only for on-cloud tenants V2 in Control Center backend server code
- Bug Fixes:
  - [Affirm] Fixed: additionalDetails needs to be .toString
  - [Affirm] Fixed: When first assigning an application, the verification flow settings require a page refresh to properly update
  - [Affirm] Fixed: If Okta application is assigned and you attempt to switch to Azure, Okta remains the application
  - [Affirm] Fixed: If you get an error generating TAP code you should display an error to the user
  - [Affirm] Fixed: Missing costs tracking method call in RequesterJoinsChatAction
  - [Affirm] Fixed: On a second pass of the same user, if they have a picture on file you can just go to video however you still need to do the document upload to continue
[All HYPR] Consuming Device Signals, Control Center Integration, Login Limits and Initial Keycloak Integration
- [Adapt; Mobile App - Both] Send latest signal with the authentication request
- [Control Center] Event logging performance in v2
[All HYPR] Single Registration: Web-to-workstation: Deregistration/Re-enroll
- [All HYPR] Single Registration: Web-to-workstation: removing devices
- [All HYPR] Single Registration: Web-to-workstation: trigger push notification on migrated registrations
- [Mobile App for Android] Implement single registration on the Android app side
[Control Center] Deprecate and remove Control Center licensing
- [Control Center] Drop licensing in 9.0
- [Control Center] Drop licensing in HYPR-as-a-Service (HaaS)
[Control Center - Integrations] Okta: Universal Principal Name (UPN) in Integrations
- [Control Center - Integrations] Add email column to pending users tab UI
- [Control Center - Integrations] Add username column to Enroll User Directory List UI
[Control Center - Integrations] UX Updates to accommodate Azure -> Entra Branding Changes
- [Control Center - Integrations] Azure integration branding
- [Mobile App for Android] Wording changes to accommodate Azure -> Entra
- [Passwordless for Windows] Wording changes to accommodate Azure -> Entra
[Documentation] New Documentation Portal
- [Documentation] Content readiness - 9.0
- [Documentation] Style guide - 9.0
[Mobile App for Android] Q1 2024 Tech Debt
- [Mobile App for Android] Enhance PIN protection
- [SDK for Android] Update to latest Dexguard version
- [SDK for Android] Update to latest iXGuard
[Passwordless - Both] Security Keys Default/Insecure PIN Check
- [Passwordless for macOS] Block Default/Insecure Security Key PIN
- [Passwordless for Windows] Block Default Security Key PIN
[Passwordless for Windows] Support for YubiKey Bio Security Keys
- [Passwordless for Windows] Finish UI; Revamp Security Key and Smart Card support (Part 6)
- [Passwordless for Windows] Update bundled YubiKey mini-driver to version 4.5.2.243
[Platform - Keycloak; Control Center] Keycloak Authenticator Refactoring Phase 2
- [Control Center] Create feature for 'remember me' in Control Center
- [Platform - Keycloak] Custom migration for existing tenant to move OneLogin integration to use the new Keycloak OIDC flow/authenticators
- [Platform - Keycloak] Desktop SSO support
- [Platform - Keycloak] Fix new Okta integration to use the new Keycloak OIDC flow/authenticators
- [Platform - Keycloak] Fix new Ping DV and BT integrations to use the new Keycloak OIDC flow/authenticators
- [Platform - Keycloak] Use 'remember me' and bypass username feature from Control Center in Keycloak

Enhancements

[Adapt] Create Empty Risk Reports page
[Adapt] Policy Evaluation request log - Need evaluationPoint, username, lambdaRequestID details
[Adapt] Remove 'Disable Adapt' feature from Keycloak
[Adapt] Risk Engine: Log the Events used for policy evaluation in CloudWatch
[Adapt] Unable to assign policy to evaluation point in Control Center UI
[Affirm] Minimum Viable Product (MVP)
[All HYPR] Americans with Disabilities Act (ADA) Fixes
[All HYPR] CVE Fixes
[All HYPR] Single Registration: Web-to-workstation: authenticators validation on setting rpAppIdWs on web rpAppId
[All HYPR] Update product to remove reference to "HYPR Zero" and "Free"
[Control Center] FIDO: FIDO Alliance Missed Step Error
[Control Center] Global jQuery upgrade and consolidation
[Control Center] Health check should confirm DB and cache are writable in addition to readable
[Control Center] Refactor IDP User Management component for reuse in other places
[Control Center - Integrations] Fix all integration beta banners to include the new HYPR look and feel
[Errors] ErrorCode file contains two 1206045 errors; one should be 1206035
[Mobile App - Both] Fixed Events during pairing via Device Manager
[Mobile App for Android; SDK for Android] Dependency Bump
[Mobile App for Android] Remove support for Android 6 and 7
[Mobile App for Android] Upgrade target version to 34
[Passwordless - Both] Security Key pre-registration hook - [Part I]
[Passwordless - Both] Security Keys "Management Key" Handling
[Passwordless - Both] Security Keys Default/Insecure PIN Check
[Passwordless for macOS] Align "Contact Support" messages between macOS/Windows
[Passwordless for macOS] Desktop SSO "success" HYPR Passwordless message should close itself after timeout
[Passwordless for macOS] Remove workaround for Fast User Switch
[Passwordless for macOS] Update list of macOS models
[Passwordless for macOS] Upgrade notarization to use notarytool instead of altool
[Passwordless for Windows] Reduce idle CPU usage by HyprOneService
[Passwordless for Windows] Upgrade NuGet dependencies
[Platform - Keycloak] Adjust 'Use a dynamic link for web login on mobile devices' toggle logic to account for Adapt flow

Bug Fixes

[Adapt] Fixed: Events search API throws 500 status code when startDate is greater than endDate
[Adapt] Fixed: For FIDO2 authentication, POST_FIDO2_AUTH and POST_WEB_AUTH is not getting evaluated
[Adapt] Fixed: Integration Test - AdaptEvHandlerTest.saveEventHandler() fails with cronSchedule
[Adapt] Fixed: iOS Signal - Wifi bssid and rssi are null and batteryPercentage is wrong. Only the device connected Wifi is displayed
[Adapt] Fixed: iOS Signal testing - During registration, 'Motion and Fitness Activity' permission is displayed twice
[Adapt] Fixed: Policy assignment - 'Adapt Unavailable Fallback' value is not getting saved
[Adapt] Fixed: Risk engine - evalEventCount is not matching with the actual Event count
[Adapt] Fixed: Sending continuous signals for each profile
[Adapt] Fixed: Unable to assign policy to an rpApp using its own Access token
[Adapt] Fixed: WEBSITE_AUTH doesn't have 'eventTags' column populated due to which it doesn't get propagated to Dynamo DB
[Control Center] Fixed: Error message is not clear when setting invalid value to “rpAppId of the workstation application"
[Control Center] Fixed: QR Fallback is disabled when 'QR Auth' feature is enabled
[Control Center] Fixed: QR Fallback is not enabled for controlCenterAdmin rpApp by default
[Control Center - Integrations] Fixed: Keycloak checks for non-existent feature for QR login
[Control Center - Integrations] Fixed: multipleAuthn SAML attribute is not present when user authenticates with passkey
[Mobile App for iOS] Fixed: User fails to complete Authentication process
[Passwordless - Both] Fixed: Error -1 when we use the wrong PIN with YubiKey Bio MPE
[Passwordless - Both] Fixed: Error during removing machine certificates
[Passwordless for macOS] Fixed: PKG Scripts Lead to Root Privilege Escalation
[Passwordless for macOS] Fixed: Doesn't throw error in rp/wsapi/settings with invalid SSL PIN
[Passwordless for Windows] Fixed: Can't retrieve management key with older YubiKey firmware
[Passwordless for Windows] Fixed: Error string is cut off or shortened
[Passwordless for Windows] Fixed: Extra whitespace in UI when unpairing YubiKey Bio MPE
[Passwordless for Windows] Fixed: File versioning and signature problems
[Passwordless for Windows] Fixed: File Write by Diagnostics Console Leads to Boot Loop
[Passwordless for Windows] Fixed: Generic error message with error code is displayed on entering the current PIN with 5 digits and less in update security key PIN flow
[Passwordless for Windows] Fixed: QR code screen in HYPR Passwordless spells HYPR incorrectly
[Passwordless for Windows] Fixed: Shortcuts not removed during uninstall with custom app name
[Passwordless for Windows] Fixed: Some options in "protected" registry key may be lost during upgrade
[Passwordless for Windows] Fixed: Two extra lines displayed next to the error message for Confirm PIN field in the biometric key/smart card unpair flow
[SDK for Java] Fixed: Registration fails with 'Exception in thread "main" java.lang.UnsupportedClassVersionError' error in latest 'java-client-9.1.0-SNAPSHOT.jar'

8.7.0 - GA 2023-12-13

New Features and Feature Changes

[Adapt] Apply policies during WS login
- [Control Center] Feature enablement for sending continuous device signals
- [Mobile App for Android] Send device signals upon the app entering the foreground
- [Mobile App for iOS] Send device signals upon the app entering the foreground
- [Mobile App for iOS] User-friendly error dialog for Passwordless Unlock blocked
[Adapt] Configure Login Limits
- [Adapt] Create Policy Configuration UI in Control Center
- [Adapt] Create Policy Configuration UI for Login Limits
- [Adapt] Add feature for HYPR Login Limits
- [Adapt] Updated verbiage for HYPR Adapt Phase 1
[Adapt] Consuming Device Signals, Control Center Integration, Login Limits and Initial Keycloak Integration
- [Adapt] Create policy UI
- [Adapt] Send latest browser signal with the authentication request
- [Adapt] Upgrade cloud watch lambda function to handle JSON logs
- [Adapt; API] Expose policy API for the UI
- [Adapt; API] Separate policy test endpoint
- [Adapt; Events] Read/Write Events by deviceId handle
- [Adapt; Events] Route Events to the dataLake
- [Adapt; Mobile App for Android] Send location signals from the Mobile App during the Workstation Unlock
- [Adapt; Mobile App for iOS] Send location signals from the Mobile App during the Workstation Unlock
- [API] Enhance APIs to take in new WEB signals
- [API] Enhance Control Center APIs to take in new mobile signals
- [Control Center] Add both JSON and KV logging
- [Control Center; API] Remove TenantUUID references in all Control Center API calls
- [Mobile App for Android] User-friendly error dialog for Passwordless Unlock blocked
[Adapt] Create and Manage Risk Policies
- [Adapt] Add Risk Policy Assignment UI to Login Settings in V1
- [Adapt] Add Risk Policy Assignment UI to Login Settings in V2
- [Adapt] Build out new Control Center controller for Policy CRUD API calls
- [Adapt] Create a New Policy popup
- [Adapt] Create an empty policies screen
- [Adapt] Create policy content structure for create/update calls
- [Adapt] Create UI elements for main authentication Policy page
- [Adapt] Update Risk Policies Empty State UI
[Adapt] Login Limits - Block User
- [Adapt] Create new UI screen for Authentication Blocked error
- [Adapt; API] Build out Policy Control Center controller to include evaluation API call to AWS
- [Adapt; Errors] Create error message, error codes and audits for Authentication Blocked via Risk Service
- [Platform - Keycloak] Add error messages and code for Control Center 'Authentication Blocked' responses
[Adapt] Passwordless client updates
- [Passwordless for macOS] Send data via WSAPI Signals endpoint during Unlock
- [Control Center] Add Signals frequency to ServerConfig object in Settings
- [Control Center] Store Signals data in the database
[All HYPR] HYPR Enterprise Passkey - BLE and WiFi (Roaming)
- [Mobile App for iOS] Bluetooth Screen Changes
- [Mobile App for Android] Add Roaming Capabilities
- [Mobile App for Android] Bluetooth Screen Changes
- [Mobile App for Android] (Enterprise Passkey BLE) Support Offline mode
- [Mobile App for iOS] Implement BLE Offline Banner
- [Mobile App for iOS] Add Roaming Capabilities
- [Passwordless for Windows] Display QR Code on credential provider on Azure Joined
- [SDK for FIDO2] Add Roaming Capabilities
- Bug Fixes:
  - [Passwordless for Windows] Windows not receiving UDP broadcast when mobile application closed
[All HYPR] SSL/TLS Pinning enhancements for Mobile/Desktop
- [API] rp/wsapi/settings and rp/deviceapi/settings return 400 when invalid parameters are sent
- Bug Fixes:
  - [Passwordless - Both] Empty/fatal 401 response to expired endpoint API tokens has been fixed
[Control Center - Integrations] Beyond Trust Integration
- [Control Center - Integrations] Beyond Trust: New tile in Integrations
- [Control Center - Integrations] Beyond Trust: Beta UI banner
- [Control Center - Integrations] Beyond Trust: Generalized the OIDC integration
- [Control Center - Integrations] Beyond Trust: Feature enablement
- [Control Center - Integrations] Beyond Trust: Administration console
[Control Center - Integrations] HYPR Enterprise Passkey Enhancements Part II
- [Control Center - Integrations] Azure Enterprise Passkey: Changes to support 3rd-party FIDO2 registration
- [Control Center - Integrations] Azure Enterprise Passkey: Delete the correct group data when we delete a user and a device for local user
- [Control Center - Integrations] Azure Enterprise Passkey: Skip group population when username is not an email for support of local user
- [Control Center - Integrations] New user management columns
- Bug Fixes:
  - [Control Center] The machineUserPrincipalName property is now displayed on the device details screen
[Control Center - Integrations; Mobile App - Both; SDKs for Android and iOS] HYPR Enterprise Passkey for Entra/Azure: Support for different usernames and multiple credentials
- [Mobile App for Android] Update mobile device to accommodate "Different FIDO2 Username" solution
- [Mobile App for Android] Accessibility Sweep for Enterprise Passkeys
- [Mobile App for Android] Add credential information to Debug Information Screen
- [Mobile App for Android] Display banner on MY COMPUTERS if no FIDO2 keys are paired
- [Mobile App for Android] History tracked on credential Basis
- [Mobile App for Android] Update FIDO2 prompts to be more generic
- [Mobile App for Android] UX: Azure domain-joined: Create new bubble type on "MY COMPUTERS" when QR Code is scanned
- [Mobile App for Android] UX: Update "MY SECURITY KEY" behavior
- [Mobile App for iOS] Multi-user UI
- [Mobile App for iOS] Add credential information to Debug Information Screen
- [Mobile App for iOS] Audit Trail Sweep for Enterprise Passkeys
- [Mobile App for iOS] Display banner on MY COMPUTERS if no FIDO2 keys are paired
- [Mobile App for iOS] History tracked on credential basis
- [Mobile App for iOS] UX: Azure domain-joined: Create new bubble type on "MY COMPUTERS" when QR Code is scanned
[Control Center; Mobile App - Both; SDKs for Android and iOS] Single Registration: Existing users can be added to Single Registration without having to de-register and re-register
- [Control Center] Single Registration with associated workstation RPApp - Part 1
- [Control Center - Integrations] Migration implementation and integration + Control Center UI changes
- [Mobile App for Android] Migration implementation and integration
- [Mobile App for Android] Single Registration with associated workstation RPApp - Part 1
- [Mobile App for iOS] Migration implementation and integration
- [Passwordless for macOS] Add fields to QR code
- [Passwordless for Windows] Add fields to QR code
[Passwordless for Windows] Security Key and Smart Card support
- [Passwordless for Windows] Revamp Security Key and Smart Card support (Part 4)
- [Passwordless for Windows] Revamp Security Key and Smart Card support (Part 5)
[Platform - Keycloak] Improvements to Keycloak integration: select login authenticator; remember me
- [Platform - Keycloak] Handle remember me functionality
- Bug Fixes:
  - [Platform - Keycloak] Fix page blinking on cancel for QR / Push
[SDKs for Android, Flutter, iOS] Mobile cross-platform SDK wrapper
- [SDK for iOS] Create the HYPRWrapper for iOS native
- [SDK for Android] Create the HYPRWrapper with common interface for Android sdk
- [SDK for Flutter] Add the possibility for registration with QR code

Enhancements

[Adapt] Update Risk Policies table to handle custom policies
[Adapt; API] Add API for manually unblocking a user by admins
[API] Add machineUserNames field to iOS signals call
[API] Add machineUserNames field to the Android signals call
[Control Center] Alias lookup now considers the RP application when generating results
[Control Center] Device signals include browser info (CIAM device recognition)
[Control Center] FIDO2 Metadata files are now generated for passkeys providers
[Control Center] Health and Logs page in Control Center has been removed in favor of Event Hooks and Analytics
[Events] Missing fields in asynchronously saved Events
[Passwordless for Windows] Default security key PINs are now blocked
[Passwordless for Windows] Revamp Security Key and Smart Card support (Part 3)
[SDK for Android] add logs for zendesk 7752
[SDK for Android] Prompt messages for new permissions
[SDK for iOS] Device registration now collects the specific device model

Bug Fixes

[Control Center] Fixed: FIDO-only flow Fallback Authentication does not apply when the feature is enabled
[Control Center - Integrations] Fixed: Azure: Error when service account password have quotes in it
[Control Center - Integrations] Fixed: Extension attributes have been corrected to load properly on startup
[Control Center - Integrations] Fixed: Okta: Can't delete username with + signs from Keycloak
[Control Center - Integrations] Fixed: Okta: Fixed issues with deleting users from Okta
[Mobile App for Android] Fixed: Corrected a 404 error with dyamic links when Android OS 13 / OS 11 Pixel devices attempted authentication with QR using the camera
[Mobile App for iOS] Fixed: FIDO registration Events not previously being recorded are now logged in the Audit Trail
[Passwordless - Both] Fixed: The Java random number generator causing timeouts during QR code scanning has been fixed
[Passwordless - Both] Fixed: When pairing with HYPR, the "Security Key" option no longer displays if it is not meant to
[Passwordless for macOS] Fixed: Machine name and username display correctly in the password dialog on macOS Ventura
[Passwordless for macOS] Fixed: With passwordless enforcement enabled, password labeling has been corrected to reflect the available options
[Passwordless for Windows] Fixed: HYBRID Entra/Azure machines now hide the Security Key option when the certificate template is not defined
[Platform - Keycloak] Fixed: Desktop SSO alias gets removed from Keycloak upon user deletion; previously in some cases it did not
[SDK for Android] Fixed: After deregistration, the authenticationCounter resets properly for the next authentication attempt

8.5.2 - Patch 2023-11-09

Enhancements

[All HYPR] CVE Fixes
[All HYPR] Fix CVE-2023-22102
[All HYPR] Single Registration: Workstation-to-web: Issues with multiple certificates in loginCert chain
[Control Center] Relax user validation slightly for FIDO2
[Passwordless for Windows] UI customization for customer

Bug Fixes

[Control Center] Fixed: Device Manager error listing devices for user
[Events] Fixed: Missing fields in asynchronously saved Events

8.6.0 - GA 2023-10-25

New Features and Feature Changes

[Adapt] Create and Manage Risk Policies
- [Adapt; API] (Frontend) Build out create policy POST API calls for front-end, tie to UI
- [Adapt; API] (Frontend) Build out authentication Policy GET/DELETE calls; tied to UI elements
[Adapt; Workforce Access Client - Both] Q4 Updates
- [API] Create /wsapi Signals Endpoint
- [Control Center] Signals now are recorded in Audit Trail Events
[All HYPR] Consuming Device Signals, Control Center Integration, Login Limits and Initial Keycloak Integration
- [Adapt; API ] Add Timeout to Adapt Evaluation API
- [Mobile App for Android; SDK for Android] Send location signals from the Mobile App during Workstation Unlock
- [Mobile App for iOS; SDK for iOS] Send location signals from the Mobile App during Workstation Unlock
[Control Center; API] FIDO2 Transports in HYPR API Responses
- [API] FIDO2: The default value for the transports attribute in the /fido2/assertion/options Response Body has been changed to an empty set; and the transports attribute is now a string data type
- [Control Center - FIDO2] The transports attribute in /fido2/assertion/options is now a string data type
[Control Center - Integrations] Azure: HYPR Enterprise Passkey: Support for Different Usernames and Multiple Credentials
- [Mobile App - Both; Passwordless - Both] HYPR now accounts for multiple devices or workstations for a single user
- [Mobile App - Both; Passwordless - Both] Part2 - FIDO2 Username different than the HYPR QR Code pairing Username
[Control Center - Integrations; Platform - Keycloak] Authenticator Refactoring; OneLogin new Integration
- [Platform - Keycloak] Back End: Desktop SSO module
- [Platform - Keycloak] Adjust QR code authenticator for OneLogin
[Passwordless - Both] Desktop SSO Enhancements
- [Passwordless - Both] Desktop SSO status endpoint should return username that was requested by the web
- [Passwordless - Both] Desktop SSO support for Web username aliases

Enhancements

[Adapt] Update policy UI to new branding
[Adapt; API] Confirm the PUT calls in Adapt policy UI are functional
[All HYPR] CVE Fixes for 8.6.0
[API] Separate /login and /recover endpoints
[Control Center - Integrations; Platform - Keycloak] ADFS Plugin V2: Add final Keycloak pieces to support dynamic links
[Control Center; Adapt] Add Adapt Policies enablement to UI
[Mobile App - Both] Add additional device information to the logs
[Mobile App for Android; SDK for Android] Update androidx security library to alpha-06
[Mobile App for iOS] Fixed: Certificate Renewal Failures in Prod
[Passwordless for Windows] Support for YubiKey Bio Security Keys

Bug Fixes

[Adapt] Fixed: 500 error when trying to update existing policy
[API] Fixed: Logging response is adding double-double quotes that is throwing off CSV positioning upon log ingestion
[Control Center - Integrations] Fixed: Improve SAML Messages security
[Control Center - Integrations] Fixed: Okta: Alias support should not be case-sensitive
[Control Center] Fixed: FIDO2: Authentication fails for unknown AAGUID
[Control Center] Fixed: Deleting an rpapp does not cascade correctly for UAFTransaction
[Control Center] Fixed: Server returns incorrect error codes (400/500) in response when the properties are tampered in the install token exchange request
[Passwordless for macOS] Fixed: Consolidate Audit Trail Event names into a single source file for better accounting
[Passwordless for macOS] Fixed: Devices disappear from paired devices
[Passwordless for macOS] Fixed: MacOS Sonoma cannot register new devices
[Passwordless for macOS] Fixed: Sonoma: Text missing on the client when trying to unpair a device
[Passwordless for macOS] Fixed: Unable to unlock using HYPR after upgrade from 8.4 to 8.5
[Passwordless for macOS] Fixed: Workforce Access UI on macOS 14 Sonoma renders UI in a different way
[Passwordless for Windows] Fixed: Add quotes to the Bonjour service path
[Platform - Keycloak] Fixed: Keycloak not creating cookies for username
[Platform] Fixed: Liquibase changelog database is not cluster-friendly
[SDK for FIDO2] Fixed: iOS does not resume FIDO2 BLE advertising when the Mobile App is closed and reopened

8.5.1 - Patch 2023-10-18

New Features and Feature Changes

[Control Center - Integrations] Azure HYPR Enterprise Passkey Enhancements Part II
- [Control Center - Integrations] Enterprise Passkey: Delete one and only one device from Control Center
- [Control Center - Integrations] Enterprise Passkey: Delete one and only one device from Mobile
- [Control Center - Integrations] Enterprise Passkey: Delete device from Control Center when we have 2 device paired with the same Passwordless Client
- [Control Center - Integrations] Enterprise Passkey User Management: Display user in Pending table if they remove their device, regardless of if we send email
- [Control Center - Integrations] Enterprise Passkey: Delete "Pair with HYPR" workstation from mobile device does not delete from server
- Bug Fixes:
  - [Control Center] User Management: Single user with multiple devices appears as separate entries
[Control Center - Integrations] HYPR Enterprise Passkey - BLE and WiFi Enhancements (Roaming) Bug Fixes
- [Passwordless for Windows] Fixed: Bonjour service does not start automatically after upgrading Passwordless Client
- [Passwordless for Windows] Fixed: Windows not receiving UDP broadcast when HYPR Mobile App is closed

Enhancements

[Adapt] Office code changes needed
[Control Center] Alias lookup needs an option to include rpappid
[Mobile App for iOS; Events] Valid Audit Events for FIDO2 registration: add message to Events
[Passwordless for macOS] Remove password unlock on macOS
[Platform] Add support for "hypr.fido2.mds.enable" vault parameter in v2

Bug Fixes

[Control Center] Fixed: FIDO2: Authentication fails for unknown AAGUID
[Control Center - Integrations] Fixed: Azure: No icon displayed after deleting user from "Paired with HYPR" or "Paired with Azure"
[Control Center - Integrations] Fixed: Okta: Always create short name alias when an email is registered
[Control Center - Integrations] Fixed: Okta: No icon next to username after deleting device from Magic Link
[Mobile App for iOS] Fixed: Fix certificate renewal failures in Prod
[Passwordless for macOS] Fixed: Devices disappear from paired devices
[Passwordless for macOS] Fixed: macOS Sonoma cannot register new devices
[Passwordless for macOS] Fixed: Passwordless Client UI on macOS 14 Sonoma renders UI in a different way
[Passwordless for macOS] Fixed: Sonoma: Text missing on Passwordless Client when trying to unpair a device
[Passwordless for macOS] Fixed: Unable to unlock using HYPR after upgrade from 8.4 to 8.5
[Platform] Fixed: Gray screen issues in embedded browsers
[Platform - Keycloak] Fixed: Network cache TTL is not working
[Platform - Keycloak] Fixed: Setting a custom theme does not work in 21.1.2
[SDK for FIDO2] Fixed: iOS does not resume FIDO2 BLE advertising when HYPR Mobile App is closed and reopened

8.5.0 - GA 2023-09-27

New Features and Feature Changes

[Control Center] Device Manager 2.0
- [Control Center] Device Manager 2.0 Alerts UI Improvements
- [Control Center] Device Manager 2.0 Buttons UI Improvements - [2d part]
- [Control Center] Device Manager 2.0 Devices List Improvements
- [Control Center] Device Manager 2.0 Devices UI Improvements - [2d part]
- [Control Center] Device Manager 2.0 Errors UI Improvements
- [Control Center] Device Manager 2.0 Header UI Improvements - [2d part]
- [Control Center] Device Manager 2.0 Hypr-ui-component-library improvements
- [Control Center] Device Manager 2.0 Modals UI Improvements - [2d part]
- [Control Center] Device Manager 2.0 Punch list - [2nd part]
- [Control Center] Device Manager 2.0 Registration UI Improvements - [2d part]
- [Control Center] Device Manager 2.0 Alerts UI Improvements - [2d part]
[Control Center; Passwordless - Both] Improve Workstation Installation token security controls
- [Control Center] Improve Workstation Installation token security controls
- [Passwordless for macOS] Improve workstation token security controls
- [Passwordless for Windows] Improve workstation token security controls
[All HYPR] Desktop SSO Enhancements
- [API] Desktop SSO status endpoint should return username that was requested by the web
- [Control Center] Send whitelabel URL In Settings
- [Mobile App for Android] Process whitelabel URL In Settings and add to Desktop SSO
- [Mobile App for iOS] Process whitelabel URL In Settings and add to Desktop SSO
- [Passwordless for macOS] Match whitelabel URL or RpServerURL in SSO
- [Passwordless for Windows] Use new settings API to get list of alternate RP server URLs
[Control Center - Integrations] HYPR Enterprise Passkey for Azure - Hybrid Domain-joined Support
- [Control Center] Accommodate both X.509 certificate and FIDO2 binding
- [Control Center] Receive machineUserPrincipalName, machineUserEmail and machineUserDisplayName on QR Code Scan
- [Control Center - Integrations; API] /rp/deviceapi/device/authorize/ws/unlock - remove query did not return a unique result: 2 when paired with Azure
- [Mobile App for Android] Accommodate both machineUsername and machineUserPrincipalName
- [Mobile App for Android] Update app to support both X.509 certificate and FIDO2 binding on a single QR Code scan
- [Mobile App for iOS] Accommodate both machineUsername and machineUserPrincipalName
- [Mobile App for iOS] Update app to support both X.509 certificate and FIDO2 binding on a single QR Code scan
- [Passwordless for Windows] Accommodate both X.509 and FIDO2 binding
- [Passwordless for Windows] Send additional user identity properties during registration
- [Passwordless for Windows] Update UX to accommodate device pairing when both FIDO2 and X.509 are available
- Bug Fixes:
  - [Control Center - Integrations] Azure Native - User not deleted from 'Paired with Azure' when delete initiated from Android device
  - [Control Center - Integrations] HYPR Enterprise Passkey: Hybrid - On the Workstation Lock Screen, there is no field to enter Offline PIN/Recovery PIN
  - [Control Center - Integrations; HYPR Mobile App for iOS] CredentialID in Enterprise Passkey Audit Trail Events does not match with one returned by graph API
  - [Control Center - Integrations; HYPR Mobile App for iOS] FIDO2: Multiple errors and exceptions are observed in Datadog on pairing with Azure
  - [Control Center - Integrations; HYPR Mobile App for iOS] Valid Audit Trail Events for FIDO2 registration are not being tracked
  - [Mobile App for iOS] FIDO2 prompt to log back in doesn't go away even after accepting
  - [Mobile App for iOS] UI: 'machineUserName' is displayed under "My Security Keys' instead of 'machineUserPrincipalName'
  - [Mobile App for iOS] Valid Audit Trail Events for FIDO2 registration are not being tracked
  - [SDK for FIDO2] iOS advertising wrong IP address through DNS Service Discovery
[Control Center - Integrations] HYPR Enterprise Passkey - Bluetooth \ BLE Support (Windows)
- [Mobile App for Android] Work required on HYPR mobile application to accommodate BLE/Bluetooth pairing
- [Passwordless for Windows] Client updates to show BLE as an option
- [Passwordless for Windows] Implement Bluetooth/BLE Support for Enterprise Passkey for Azure
- Bug Fixes:
  - [SDK for FIDO2] After Pairing with Azure, unable to log into Windows OS via BLE
[Platform - Keycloak] Upgrade - Quarkus
- [Platform - Keycloak] Keycloak 21.1.2 is out we should use it as our image
[Passwordless - Both; Mobile App - Both; API] SSL/TLS Pinning enhancements for Mobile/Desktop
- [Passwordless for Windows] Use new settings API to get updated SSL pinning hash from Control Center
- Bug Fixes:
  - [API] 'rp/deviceapi/settings' returns 403 when request contains more than 1 rpApp

[Control Center - Integrations] Azure HYPR Enterprise Passkey Enhancements

[Control Center] Add and persist FIDO2 username from the Event to rp_enrolled_credentials_data
[Control Center] Add FIDO2 username to the UI
[Control Center] Delete enrolledCredentialId from rp_user_device_machine_map
[Control Center] Remove rp_registered_user.status column
[Control Center - Integrations] Display icon if FIDO2 pairing no longer exists on Azure
[Control Center - Integrations] Integrations error can introduce infinite loop of audit calls
[Control Center - Integrations] User Management - Display icon if FIDO2 pairing no longer exists on Azure
Bug Fixes:
- [Control Center - Integrations] Azure "Go To Setup" Guide links are not accurate
- [Control Center - Integrations] Delete user that is "Paired with Azure" does not delete the FIDO2 credential from Azure
- [Control Center; Platform - Keycloak] User Management - Keycloak needs to leverage machineUserPrincipalName not machineUserName in order to support removal of WHfB
[Control Center - Integrations; Platform - Keycloak]Keycloak Authenticator Refactoring - One Login new integration
- [Control Center] Update all authenticators to allow ALTERNATIVE flow with graceful termination/retry ability
- [Platform - Keycloak] Manual flow to prove that the new Azure and Push authenticators work
- [Platform - Keycloak] Manual flow to prove that the new Azure, Push and FIDO2 authenticators work
- [Platform - Keycloak] FIDO2 login module
- [Platform - Keycloak] Push login module
- [Platform - Keycloak] QR fallback module
- [Platform - Keycloak] QR login module

Enhancements

[All HYPR] Remove Sensory Face and Voice frameworks from the project
[API] Cleanup APIs for multi-iDP support
[Control Center] Add authenticatorDisplayName field to FIDO2RegisteredUser
[Control Center] Add Policy ID to Event structure
[Control Center] Adding Policy Evaluation logging and Audit Trail Event
[Control Center] FIDO2: Origin verification
[Control Center] FIDO2: Update core model to reflect required fields
[Control Center] Update processing of FIDO2 data to be in addtionalDetails
[Control Center - Integrations; Mobile App for iOS] FIDO2 Mobile Authenticator - Audit Events : 'credentialID', 'FIDO2Username', 'rpID' are missing in the 'additionalDetails' section in Datadog logs
[Control Center - Integrations] ADFS Plugin v2: Integrate HTML authentication pieces with ADFS backend
[Control Center - Integrations] Client-side Okta credential validation
[Control Center - Integrations] Event Hooks: OAuth authentication parameters have invalid schemas
[Control Center - Integrations] OneLogin: Allow to read users without email but don't allow to register them
[Mobile App for Android] Abilityt to parse a QR code with deeplink embedded directly from Mobile App scan
[Mobile App for Android] Enhance PIN protection
[Mobile App for Android] Update FIDO2 Data to be in addtionalDetails
[Mobile App for iOS] Allow the SDK consumers to add their own rules to the new PIN UI
[Mobile App for iOS] Being able to parse a QR code with deeplink embedded directly from HYPR Mobile App scan
[Partner Development] FIDO Alliance special login UI
[Passwordless for Windows] Allow in-place upgrades to new builds of the same HYPR Passwordless product version
[Passwordless for Windows] Move websocket ping/pong logging to TRACE level
[Platform] Update ui-component-library with deploy/publish instructions in README
[Platform] Wire up AWS cluster config endpoint awareness to lettuce
[SDK - Extensions] Add proxy support to the HYPR PAM module

Bug Fixes

[API] Fixed: Perform session validation on devices list
[Control Center] Fixed: Authentication and text do not show correct values in the UI
[Control Center] Fixed: Can't trashcan last device on user management table
[Control Center] Fixed: Device Manager v2 breaks rendering on the legacy Device Manager page
[Control Center - Integrations] Fixed: Azure: User is not removed from Keycloak when deleted from Control Center
[Control Center - Integrations] Fixed: Azure Native: User is added to 'Paired with HYPR' AND 'Paired with Azure' after pairing device with HYPR Passwordless
[Control Center - Integrations] Fixed: Cannot add a second device to an integration
[Control Center - Integrations] Fixed: Okta username with plus sign cannot register
[Control Center - Integrations] Fixed: RADIUS: Update lack of valid local configuration to FATAL start and log accordingly
[Control Center - Integrations] Fixed: Users cannot access devices in DM when accessed via Okta portal
[Control Center - Integrations] Fixed: Users do not appear in 'Paired with HYPR' table if a user already exists in the 'Paired with Azure' group
[Control Center - Integrations] Fixed: Web domain is not displayed on Paired with Azure list in Control Center
[Mobile App - Both] Fixed: Authentication cancels when Policy set to PIN + Native authenticator and PIN complexity FF is set to true
[Mobile App for Android] Fixed: Issue refreshing token QR authentication coming from the camera app
[Mobile App for iOS] Fixed: Unable to parse a QR code with deeplink embedded directly from HYPR Mobile App scan with fresh install app unless subsequent registration flow
[Passwordless for Windows] Fixed: AccessViolationException in Native.YubiGetModel()
[Passwordless for Windows] Fixed: HYPR Passwordless may not be able to enroll YubiKey if Windows Hello for Business is enabled
[Platform] Fixed: DurableSchemaRegistry size breaks the build
[Platform - Keycloak] Fixed: Keycloak not creating cookies for username
[Platform - Keycloak] Fixed: Keycloak sends wrong (unused options) request

8.4.1 - Patch 2023-09-27

Bug Fixes

[Mobile App for Android] Fixed: QR authentication: Issue refreshing the token coming from the Camera app

8.5.2 - Patch 2023-09-21

Enhancements

[Partner Development] FIDO Alliance special login UI

8.4.17 - Patch 2023-09-13

Enhancements

[Platform] Liquibase changelog database is not cluster-friendly

8.4.0 - GA 2023-08-09

New Features and Feature Changes

[API] Bulk Export API
- [API] Bulk export API/throttling implementation
[Workforce Access Client - Both] Backoff and Install Token Issues
- [Control Center] Check workstation rpAppId when exchanging the installation token
- [Workforce Access Client - Both] Loosen secure API tokens for Workforce Access Client tokens
- [Workforce Access Client for Windows] Improve network error handling
- [Workforce Access Client for macOS] Implement backoff algorithm for network connection retries
[Control Center; Platform - Keycloak] Passkey UI Updates
- [Control Center] Device Manager UI Updates for Passkey Support
- [Control Center] Login UI Updates for Passkey Support
- [Platform - Keycloak] Onboarding Experience for New Passkey UI
- [Platform - Keycloak] UI Updates for Passkey Support
- [Platform - Keycloak] Update UI for Passkey Experience
HYPR Enterprise Passkey for Azure - Hybrid Domain-joined Support
- [Control Center - Integrations] Update API that the Workforce Access client calls to account for mobile device level full/partial flags
- [Control Center - Integrations] Update code to receive FIDO2 username in Enterprise Passkey Audit Trail Events
- [Control Center - Integrations] Update code to receive RPId in Enterprise Passkey Audit Trail Events
- [Mobile App for Android] Send FIDO2 username in Enterprise Passkey Audit Trail Events
- [Mobile App for Android] Send RPId in Enterprise Passkey Audit Trail Events
- [Mobile App for iOS] Send FIDO2 username in Enterprise Passkey Audit Trail Events
- [Mobile App for iOS] Send RPId in Enterprise Passkey Audit Trail Events
- [Workforce Access Client for Windows] Update Workforce Access Client UX after QRcCode scan to accommodate Enterprise Passkey pairing
- Bug Fixes:
  - [Mobile App for Android] Fixed: Send [Base64URL + MSFT encoding] CredentialId in Enterprise Passkey Audit Trail Events
  - [Mobile App for iOS] Fixed: Send [Base64URL + MSFT encoding] CredentialId in Enterprise Passkey Audit Trail Events
SSL/TLS Pinning enhancements for Mobile/Desktop
- [Control Center] SSL Pinning Updates Implementation
- [Mobile App for Android] SSL Integration Testing
- [Mobile App for Android] SSL Pinning Updates Implementation
- [Mobile App for iOS] SSL Integration Testing
- [Mobile App for iOS] SSL Pinning Updates Implementation
[Control Center - Integrations] Azure: HYPR Enterprise Passkey Enhancements
- [Control Center - Integrations] Azure User Management: Display icon in Pending if devices no longer exist
- [Control Center - Integrations] Azure User Management: Show RP ID when Azure FIDO2 registration takes place
- [Control Center - Integrations] Azure User Management: Update DB with RP ID when Azure FIDO2 registration takes place
- [Control Center - Integrations] Azure User Management: Update the database with FIDO2 username when Azure FIDO2 registration takes place
- [Control Center - Integrations] Azure: "Paired with HYPR" should display the same table info as "Paired with Azure"
- [Control Center - Integrations] Azure: Change domains to web domains
- [Control Center - Integrations] Azure: Create new table for Azure FIDO2 extra details
- [Control Center - Integrations] Azure: Fix queries to use enrolledCredentialId from rp_enrolled_credentials_data
- [Control Center - Integrations] Azure: Include enrolledCredentialId and domainName in User Management queries
- [Control Center - Integrations] Azure: Last active time should be available for mobile devices
- [Control Center - Integrations] Azure: Move enrolledCredentialId from rp_user_device_machine_map to rp_enrolled_credentials_data
- [Control Center - Integrations] Azure: Remove dependency on rp_registered_user.status in the different queries
[Control Center; Mobile App for iOS] Option to Disassociate Passcode from Registration
- [Control Center; Mobile App for iOS] Enablement for Non-passcode Registration
- [Control Center] Enablement for Non-passcode Registration
[Mobile App - Both] Confirm Close on Authentication Request
- [Mobile App - Both] Updated UI on Transaction Summary Screen

Enhancements

[All HYPR] 05-02-2023 CVE Fixes
[All HYPR] CVE-2023-20883
[All HYPR] QR Fallback: Improved browser UX
[API] Endpoint Throttling
[Control Center] Create migration script to enable fallback authenticator by default
[Control Center] Enforce attestation policy
[Control Center] FIDO2 Deterministic user.id
[Control Center] FIDO2: Origin verification
[Control Center] Split FIDO2 configuration into Settings and Policies
[Control Center - Integrations] Add more debug logging to RADIUS server to debug proxy issue
[Control Center - Integrations] ADFS Plugin v2: Integrate HTML registration pieces with ADFS backend
[Control Center - Integrations] Okta: Add username as an alias in HYPR
[Control Center - Integrations] Single Registration integration test
[Control Center; API] Control Center policy API bugfix and PATCH API extension
[Control Center; Errors] Add the kLAErrorAuthenticationFailed error to the list of the errors resulting in the cancelation of the registration on server
[Mobile App for Android] Allow the SDK consumers to add their own rules to the new PIN UI
[Mobile App for Android] Enhance PIN protection
[Mobile App for iOS] Sign the TrustKit library after it gets decoupled for the XCFramework creation
[Mobile App for iOS] Switch active profile based on the machine, when trying to deregister a machine, which doesn't belong to the current active profile
[Mobile App for iOS] Update API token retry logic on QR authentication
[Mobile App for iOS] Upgrade iXGuard on the build machine to the latest to support iOS 17
[Platform - Keycloak] Azure login module
[Platform - Keycloak] Basic Keycloak Upgrade
[Platform - Keycloak; Control Center; Events] Send Brute Force Detection Keycloak Logs / Events to Control Center
[Platform - Keycloak] Fix/Allow setting a custom theme
[Platform - Keycloak] Keycloak not creating cookies for username
[Platform - Keycloak; Control Center - Integrations] Okta Extension: Delete the Keycloak user when we delete the Control Center user
[SDK for Java] Fix Java SDK test suite failures
[Workforce Access Client for macOS] Passwordless Enforcement
[Workforce Access Client for Windows] Azure wording update (Feedback from MSFT)
[Workforce Access Client for Windows] Enrollment Service can't use /rp/wsapi endpoints
[Workforce Access Client for Windows] Move websocket ping/pong logging to TRACE level
[Workforce Access Client for Windows] Remove roaming dependency for making Passwordless User the default tile
[Workforce Access Client for Windows] Stop building Workforce Access client for 32-bit X86

Bug Fixes

[All HYPR] Fixed: Single Registration: Workstation-to-web: Domain user universal principal name (UPN) is used instead of email
[Control Center] Fixed: Magic link is not expired when using firebaseDynamicLinkForHyprApp link
[Control Center - Integrations] Fixed: 500 on integrations; no element of the collection was transformed to a non-null value
[Control Center - Integrations] Fixed: Azure login can fail due to race condition
[Control Center - Integrations] Fixed: Deleting a pairing from HYPR Mobile App doesn't delete from "Paired with Azure" in Control Center
[Control Center - Integrations] Fixed: Multiple IdP Support: Invalid state of RADIUS integration when multiple RADIUS integrations are present
[Control Center - Integrations; Events] Fixed: Some Events are still missing integrationType and integrationProvider
[Events] Fixed: Audit Trail Events are not generated when enabling/disabling FIDO2 Settings
[Events] Fixed: The Audit Trail Event message does not specify the Admin when toggle status updated by a Control Center user
[Mobile App - Both] Fixed: Subsequent Authentication/request is called but not displayed on the authentication screen for the user after first attempt (Tap to Login fails)
[Mobile App for Android] Fixed: Wrong sessionId in Audit Events during failure scenarios
[Platform - Keycloak] Fixed: Keycloak running in an embedded browser gets the QR code cut off
[Platform - Keycloak] Fixed: Keycloak sends wrong (unused options) request
[Platform - Keycloak] Fixed: One time Onboarding Keycloak message is scrollable and not seen unless user explicitly knows
[Platform - Keycloak; Control Center - Integrations] Fixed: After updating integration, QR authentication settings in tenants and Keycloak are no longer aligned
[Workforce Access Client for macOS] Fixed: Login succeeds on paired device but fails on workstation
[Workforce Access Client for Windows] Fixed: Auto upgrade from Workforce Access 8.1.0 to 8.2.2 did not reboot, but it needs to
[Workforce Access Client for Windows] Fixed: Uninstalling Workforce Access 8.2.0 pops up warning about Bonjour service

8.3.0 / 8.2.0 - Patch 2023-08-02

Enhancements

[Control Center - Integrations] Okta: Add username as an alias in HYPR

8.3.1 - Patch 2023-07-28

Enhancements

[All HYPR] Accessibility UI Fixes for Customer
[Control Center] FIDO2: Origin verification
[Control Center] V2 tenant authentication fails due to Invalid Firebase key
[Platform - Keycloak; Events] Send brute force detection Keycloak logs / Events to Control Center

8.4.0 / 7.10.4 - Patch 2023-07-26

Bug Fixes

[Mobile App for Android] User not receiving push notifications and checkForPendingOOB failing to work

8.3.0 - GA 2023-07-12

New Features and Feature Changes

[All HYPR] Fallback Authentication
- [Control Center] Audit Trail Updates for Fallback Authentication
- [Control Center] Enable Fallback Authentication in rpApp
- [Mobile App for Android] Audit Trail Updates for Fallback Authentication
- [Mobile App for Android] Fallback Authentication Flow
- [Mobile App for iOS] Add failed authenticators info to the fallback authentication Audit Trail Event
- [Mobile App for iOS] Audit Trail Updates for Fallback Authentication
- [Mobile App for iOS] Fallback Authentication Flow
[All HYPR] FIDO2 Mobile Authenticator - GA
- [Control Center] Update code to receive CredentialId in Enterprise Passkey Audit Trail Events
- [Mobile App for Android] On FIDO2 Registration, verify RP ID permitted
- [Mobile App for Android] Send CredentialId in Enterprise Passkey Audit Trail Events
- [Mobile App for iOS] On FIDO2 Registration, verify RP ID permitted
- [Mobile App for iOS] Send CredentialId in Enterprise Passkey Audit Trail Events
- [Mobile App for iOS] Send to Support: Logs to include information which can help troubleshoot WIFI issues
- [SDK for FIDO2] Send to Support: Logs to include information which can help troubleshoot WIFI issues
- Bug Fixes:
  - [Mobile App for Android] Fixed: Send [Base64URL] CredentialId in Enterprise Passkey Audit Trail Events
  - [Mobile App for iOS] Fixed: FIDO2: "Username" is missing in the login confirmation screen
  - [SDK for FIDO2; SDK for iOS] Fixed: Credential is missing id and username in UP and UV
[All HYPR] Multiple IdP Environments
- [API] Back End: Fix API calls IdpConfigController
- [API] Back End: Fix API calls IdpUsersController
- [API] Use the fixed API calls and pass rpAppId
- [Control Center - Integrations] Add tests to avoid creating duplicate integration
- [Control Center - Integrations] Allow multiple applications of the same SSO provider to be created
- [Platform] Back End: Add rpAppId to haas-modules GsuiteRedirectRequestDTO
- Bug Fixes:
  - [Control Center - Integrations] Fixed: Delete integration deletes all of the same type
[All HYPR] Passkey Enforcement
- [Control Center] Device Manager: Enforce passkey settings at registration
- [Control Center] Update the Device Name on Device Manager when a multi-device passkey is registered
- [Control Center] Updated FIDO2 configuration
- [Control Center; Platform - Keycloak] Update passkey verbiage
- [Control Center; API] Enable/disable passkeys
- [Platform - Keycloak] UI: Enforce passkey settings at authenticator selection
- [Platform - Keycloak; API; Errors] Enforce passkey settings at authenticator selection
[All HYPR] Single Registration: Workstation-to-web Flow/Migration
- [All HYPR] Single Registration: Internal Pentest
- [All HYPR] Single Registration: Workstation-to-web: Handling multiple workstations for one device or multuiple evices for one workstation
- [Control Center] Single Registration: Implementation of Workstation-to-web Part 2
- [Control Center] Single Registration: Security Review web username validation
- [Mobile App for Android] Single Registration: Implementation Workstation-to-web
- [Mobile App for iOS] Single Registration: Implementation Workstation-to-web
- [Workforce Access Client for macOS] Send email along with domain username during registration flow
- [Workforce Access Client for Windows] Send email along with domain username during registration flow
[API] Add API token to QR login endpoint
- [Mobile App for iOS; API] Include rpAppId in QR code / dynamic link to use API token
[Control Center] FIDO2 Policies
- [Control Center] FIDO2 policies core logic
- [API] FIDO2 policies API
[Control Center; Events; Errors] QR Login Productization
- [Control Center] Set QR login as the default for the ControlCenterAdmin rpApp
- [Control Center] Set QR Login Feature On by default
- [Control Center] Support transaction confirmation for QR code
- [Control Center; Platform - Keycloak] Set Keycloak configuration for QR Login in Control Center UI
[Control Center - Integrations] Azure: FIDO2 Mobile Authenticator GA
- [API] Update mobile endpoint with integration details
- [Control Center] IDP config changes are not being sent right away after being made
- [Control Center] UX: Login Settings update restricted domains behavior
- [Control Center - Integrations] Add Integration: Update Azure icon to reflect latest branding
- [Control Center - Integrations] Back End: User Management for "Pending" Users; enhancements to enrollment
- [Control Center - Integrations] Front End: Delete User Device
- [Control Center - Integrations] Finish the Azure groups and device delete stories
- [Control Center - Integrations] User Enrollment: Paired with Azure Update Azure when Control Center Admin deletes user or device
- [Control Center - Integrations] User Enrollment: Paired with Azure Update Azure when user "trashcans" via mobile device
- [Control Center - Integrations] User Enrollment: Paired with Azure Update Azure when user "trashcans" via workstation client
- [Control Center - Integrations] User Enrollment: Paired with HYPR Update Azure when Control Center Admin deletes user or device
- [Control Center - Integrations] User Enrollment: Paired with HYPR Update Azure when user "Pairs With HYPR" (Pending)
- [Control Center - Integrations] User Enrollment: Paired with HYPR Update Azure when user "Pairs With HYPR" via mobile device
- [Control Center - Integrations] User Enrollment: Paired with HYPR Update Azure when user "trashcans" via mobile device
- [Control Center - Integrations] User Enrollment: Paired with HYPR Update Azure when user "trashcans" via workstation client
- [Control Center - Integrations] User Management for "Paired with HYPR" users
- [Control Center - Integrations] User Management: Update DB with credential id when Azure FIDO2 Registration takes place
- [Control Center - Integrations] UX: Add new FIDO2 enrollment email template
- [Control Center - Integrations] UX: Adding "Pending" Tab and Enroll Users
- [Control Center - Integrations] UX: User Management for "Paired with Azure" users (new table)
- [Control Center - Integrations] UX: User Management for "Pending" Users
- Bug Fixes:
  - [Control Center] Fixed: IDP config changes are not being sent right away after being made
  - [Control Center - Integrations] Fixed: Azure: Trash can delete on mobile device does not remove user from correct Azure group
  - [Control Center - Integrations] Fixed: Azure: User deleted from Pending table in Azure integration is not removed from eligible for pairing group on Azure
  - [Control Center - Integrations] Fixed: Azure: User not added to "HYPR Group (Client Paired With Azure)" when successfully paired with Azure
  - [Control Center - Integrations] Fixed: Azure: User not added to "HYPR Group (Eligible for Pairing)" when sent Enrollment email
  - [Control Center - Integrations] Fixed: Azure: When a Control Center admin deletes a users device they are removed from the Eligible for pairing user group on Azure
  - [Control Center - Integrations] Fixed: Back End: Delete the last User's Device doesn't delete a User and doesn't return it into "Pending" state
  - [Control Center - Integrations; Mobile App - Both] Fixed: Cannot "Pair with HYPR"; QR Code scan fails with 1202600
[Control Center - Integrations] Event Hooks Refactor Into Unique SIEMs
- [Control Center - Integrations] Event Hook: Add enablement for Custom
- [Control Center - Integrations] Event Hook: Add Splunk Cloud Provider field
- [Control Center - Integrations] Event Hook: Clean up Event Hooks from the UI
- [Control Center - Integrations] Event Hook: Create Beta UI for Custom
- [Control Center - Integrations] Event Hook: Create Custom integration tile
- [Control Center - Integrations] Event Hook: Custom Event Hook UI
- [Control Center - Integrations] Event Hook: Prevent 500 errors
- [Control Center - Integrations] Event Hook: Refactor the backend
[Mobile App for iOS] Firebase Token Force Refresh
- [Mobile App for iOS] Request and send new token when value is nil
[Platform] Server/Ops Updates
- [Platform] Slimmed down Control Center container for on-premises customers
- [Platform - Firebase] Firebase SDK upgrade: Convert push functionality to SDK calls
- [Platform - Firebase] Firebase SDK upgrade: Write integration tests covering SDK flow
[Platform] Support for multi-region installations - Phase I
- [Platform] Add conflict avoidance/resolution columns; update existing usage; add Event origin
- [Platform] Dataprop change capture and propagation for update statements
- [Platform] Dataprop changelog and group membership
- [Platform] Handle muti-region out-of-band (OOB) authentication
- [Platform] Handle muti-region workstation authentication
- [Platform] Implement network policies for cell clusters
- [Platform] Review dataprop changelog and group membership
[SDKs for Android and iOS] Mobile Reference App Expansion
- [SDK for Android] AAID Chooser Screen
- [SDK for Android] Progress Spinner Overrides
- [SDK for iOS] AAID Chooser Screen
- [SDK for iOS] Authentication/Transaction Accept screens
- [SDK for iOS] Push Overrides
[Workforce Access Client - Both] Backoff and Installation Token Issues
- [Control Center] Check workstation rpAppId when exchanging install token
- [Workforce Access Client - Both; API] Loosen secure API tokens for Workstation Installation tokens
- [Workforce Access Client for macOS] Send rpAppId when exchanging install token
- [Workforce Access Client for Windows] Send rpAppId when exchanging install token
[Workforce Access Client for Windows] FIDO2 Mobile Authenticator GA
- [Control Center - Integrations] Azure: Provide updates required for client UX for HYPR pairing (Azure domain-joined) - I
- [Control Center - Integrations; API] Update device query endpoint
- [Workforce Access Client for Windows] Complete Merge: Update client UX for HYPR pairing (Azure domain-joined)
- [Workforce Access Client for Windows] Update client UX for HYPR pairing (Azure domain-joined) - II
- Bug Fixes
  - [Workforce Access Client for Windows] Fixed: FIDO2: Spelling errors observed on the pairing screens

Enhancements

[Control Center] Create migration script to enable fallback authenticator feature by default
[Control Center] FIDO2 Settings: Origin verification
[Control Center] QR Fallback issues encountered during internal testing
[Control Center] Update FIDO2 metadata periodically
[Control Center] Update verbiage for the Require User Presence description
[Control Center; API] Update existing API with rpAppId for QR authentication
[Control Center - Integrations] Create a facade service with caching to handle integrations
[Mobile App for Android] If the HYPR Mobile App is backgrounded during registration, it cancels and throws an error
[Mobile App for Android] Issue with Chrome 112 using deeplinks
[Mobile App for Android] No paired devices showing after long phone idle state
[Mobile App for Android] Single Registration: Remove checks for domain-joined machine
[Mobile App for Android] Use the rpAppId for QR authentication when it is available
[Mobile App for iOS] Allow HYPR Mobile App to bypass the Firebase dynamic link validity check
[Platform - Keycloak] Keycloak is not creating cookies for the username
[Platform - Keycloak] Merge customer inline changes into master
[Platform] Spring CVE Fixes
[SDK for Android] Add text to identify "Limited APK" along with the version text
[Workforce Access Client for macOS] Extend logging for the keychain failure to help diagnose intermittent authentication failures
[Workforce Access Client for macOS] Passwordless Enforcement
[Workforce Access Client for macOS] Send Audit messages for security key registration and authentication
[Workforce Access Client for Windows] Accept any type of Windows credential for user presence validation
[Workforce Access Client for Windows] Investigate multi-user SSO fail
[Workforce Access Client for Windows] Remove Microsoft C/C++ Runtime from the client installer

Bug Fixes

[All HYPR] Fixed: Asynchronous registration fails when default QR login settings is enabled and Push configuration disabled vs registration succeeds
[Control Center] Fixed: Implement ownership validation for Lock requests
[Control Center] Fixed: User can type in a username into HYPR Control Center login, and then login with a passkey that has a different username
[Control Center - Integrations; Events] Fixed: Events missing IntegrationType and IntegrationProvider
[Control Center - Integrations] Fixed: Azure Native Login: Exception while trying to pair a device with Azure
[Control Center - Integrations] Fixed: Azure: Adding a space at the end of a username prompt us to enter password for already registered users
[Control Center - Integrations] Fixed: Azure: Can't update integration
[Control Center - Integrations] Fixed: Azure: Cannot save restricted domains when we have two Azure integrations in place
[Control Center - Integrations] Fixed: Azure: Groups don't get deleted when add integration fails due to insufficient privileges around creating a conditional access policy
[Control Center - Integrations] Fixed: Azure: Incorrect handling of missing field in Azure custom JSON data in 8.3 and above
[Control Center - Integrations] Fixed: Google Workspace: Cannot not add integration on 8.3
[Control Center - Integrations] Fixed: Integration Config cache populates duplicate integrations
[Control Center - Integrations] Fixed: Okta: It is possible to Add integration as Control Center admin user
[Control Center - Integrations] Fixed: Okta: Server error after adding integration
[Control Center - Integrations] Fixed: User Enrollment: User remains in enrolled list, if last deleted device is a security key or computer
[Mobile App - Both] Fixed: Mobile device not sending deviceId during 2nd registration
[Mobile App for Android] Fixed: App crashes on tapping "Login" button during Device Manager authentication
[Mobile App for iOS] Fixed: App crashes during FIDO2 authentication
[Mobile App for iOS] Fixed: App crashes when cancel Chooser/ registration that is timed out
[Platform - Keycloak] Fixed: "Insert your security key..." message displays when user selects 'smartphone' for Keycloak+Okta login
[Platform] Fixed: NullPointerException when FIDO2 Event fails
[Platform] Fixed: Multi-pod deployment issues for the IDP cache
[SDK for iOS] Fixed: Investigate and fix a crash when more than one cancelation is called for the same registration operation by the SDK consumer
[Workforce Access Client for macOS; Mobile App - Both] Fixed: HYPR App Tap to Login fails if an enrolled security key is plugged in
[Workforce Access Client for Windows] Fixed: "Contact Support" doesn't report latest error code and/or message in email
[Workforce Access Client for Windows] Fixed: "Contact Support" generates empty error fields in the email when there's no error; also "occurred" is misspelled
[Workforce Access Client for Windows] Fixed: Client may not be able to enroll YubiKey if Windows Hello for Business is enabled
[Workforce Access Client for Windows] Fixed: HyprCredProvider needs MSVC runtime DLL's that aren't included with Windows
[Workforce Access Client for Windows] Fixed: Incorrect log message
[Workforce Access Client for Windows] Fixed: Only send AzureAD user name to RP for FIDO2 pairing
[Workforce Access Client for Windows] Fixed: Registration with user presence enabled, fails on first incorrect password entry
[Workforce Access Client for Windows] Fixed: Single Registration: Workstation-to-web: Re-pairing with the Workforce Access Client after deleting users from Control Center doesn't work
[Workforce Access Client for Windows] Fixed: Single Registration: Workstation-to-web: UPN of domain user gets used instead of email
[Workforce Access Client for Windows] Fixed: UX for HYPR Pairing (Azure Domain Joined) is still not updated UI reflecting pairing completed

8.2.8 - Patch 2023-07-03

Enhancements

[Control Center] Check the workstation rpAppId when exchanging the installation token
[Workforce Access Client - Both; API] Loosen secure API tokens for Workstation Installation tokens

8.2.2 - Patch 2023-06-02

Enhancements

[Control Center - Integrations] Only send Azure AD username to the RP Application for FIDO2 pairing

8.1.25 - Patch 2023-06-02

Enhancements

[Workforce Access Client - Both; API] Loosen secure API tokens for Workforce Access Installation tokens

8.2.1 - Patch 2023-05-15

Enhancements

[Workforce Access Client for macOS] Passwordless Enforcement

Bug Fixes

[Events] Fixed: Issue with HYPR Event noise

8.2.0 - GA 2023-05-10

New Features and Feature Changes

[All HYPR] Server/Ops Updates
- [Platform - Firebase] Firebase SDK Upgrade: New UI for adding SDK configuration
- [Platform - Firebase] Firebase SDK Upgrade: Lift v2 code; extend functionality; enable v1 path
[Control Center; Workforce Access Client for Windows] Automatic updates to v2 migrated customers
- [Workforce Access Client for Windows] Remove HYPR-as-a-service check in clients for Auto-upgrade feature
[Control Center - Integrations] Azure: FIDO2 Mobile Authenticator - Early Access - Bug Fixes
- [Control Center - Integrations] Fixed: 'Add Integration' HYPR authentication policy requests a PIN when pairing a QR code
- [Control Center - Integrations] Fixed: Azure: User added to wrong Azure group when "Paired with HYPR"
- [Control Center - Integrations; API] Fixed: Azure API response for enable/disable doesn't populate the capability field
[Control Center - Integrations] Azure: FIDO2 Mobile Authenticator GA
- [Control Center - Integrations] Azure User Enrollment: Update Azure when user "Paired with Azure" via mobile device
- [Control Center - Integrations] Update 'Add Integration' description to reflect Enterprise Passkey naming convention
- [Control Center - Integrations] User Management: HYPR DB needs to store FIDO2 credential ID on registration
[Control Center - Integrations] Event Hooks Refactor Into Unique SIEMs
- Control Center - Integrations] Event Hooks: Change integration UI SIEMs to Event Hooks
- Control Center - Integrations] Event Hooks: Add Feature enablement for Splunk and DataDog Event Management integration
- Control Center - Integrations] Event Hooks: Create integration UI for Splunk and Datadog
- Control Center - Integrations] Event Hooks: Create Beta UI for Splunk and DataDog
- Control Center - Integrations] Event Hooks: Event Mgmt Event Hook Table and tab
- Control Center - Integrations] Event Hooks: Event Mgmt: Delete Event Hook
- Control Center - Integrations] Event Hooks: Event Mgmt: Update integrations for Splunk, DataDog
- Control Center - Integrations; API] API to list Event Hooks by integration type
[Mobile App - Both] Invalidate registration following new device biometric
- [Mobile App for iOS] Implement invalidation of biometrics
[Workforce Access Client for Windows] Security Keys certificate renewal manual trigger
- [Workforce Access Client for Windows] Allow user to manually force certificate renewal
[Workforce Access Client for Windows] WebAuthn: Passkey Detection
- [Control Center] FIDO2: Make AssertionResultService work with discoverable credentials
- [Control Center] FIDO2: Attestation Level 3 validation

Enhancements

[API; Errors] Separate the user cancel errors from the failures leading to the call of the sever cancel APIs
[Control Center] Passkey Enforcement: Update empty AAGUID device name
[Control Center - Integrations] Removing validation for keyAgreementPublicKey and keyAgreementPublicKeyAUTH when FIDO2 Mobile Authenticatoris enabled
[Control Center - Integrations] ADFS Plugin V2: HTML Templates
[Control Center - Integrations] Removing validation for signingCert when FIDO2 Mobile Authenticator is enabled
[Mobile App for Android] Issue with message showing up when not needed on Android
[Mobile App for Android] Request and Send New Token when Value is NIL
[Mobile App for iOS] Adding feature enablement for iOS invalidation upon a new biometric registration
[Mobile App for iOS] Allow user to pick destination for log submission
[Mobile App for iOS] Implement potential application slowness fix reported in Zendesk
[Mobile App for iOS] Updated authentication flow for in-app QR scan
[Platform - AWS] AWS WAF rule breaks img upload test
[Platform - Firebase] Firebase SDK Upgrade: Liquibase Java migration script
[Platform - Keycloak] Keycloak not creating cookies for username
[Platform - Keycloak] POC for one simple use case
[Workforce Access Client for Windows] Customization of "Contact Support" behavior - Customer request
[Workforce Access Client for Windows] Desktop SSO "success" notification popup should close itself after a timeout
[Workforce Access Client for Windows] Enable Workforce Access Client for RDP remote sessions
[Workforce Access Client for Windows] Log information from user login certificate

Bug Fixes

[Control Center - Integration] Fixed: Ping DaVinci: Redirect URL list accepts periods instead of commas to separate URLs
[Control Center - Integration] Fixed: User enrollment drawer: Can't send invite to personal email
[Control Center - Integrations' Mobile App for iOS] Fixed: Unable to complete Azure pairing with iOS
[Control Center] Fixed: Wrong push notifcation copy when certificate has been processed
[Mobile App for Android] Fixed: ArrayIndexOutOfBoundsException on permission check; notification permission checker fixed
[Mobile App for Android] Fixed: Crash on A53 during enrolment
[Mobile App for Android] Fixed: Deletion process is corrupted and causes unwanted unpairing of Workstation and Web accounts when the server has a pending authentication request
[Mobile App for Android] Fixed: QR Fallback activation code entry 'Submit' button is inactive
[Mobile App for iOS] Fixed: Email picker destination not available when log submission is disabled and multiple accounts paired
[Platform - Keycloak] Fixed: Keycloak authentication with 'UV=required' succeeds in Safari when the security key is not protected with a PIN
[Workforce Access Client - Both] Fixed: Incorrect WORKSTATION_CERTIFICATE_REQUESTED Event in the flow
[Workforce Access Client for macOS] Fixed: Client crashes when requesting certificate from AD
[Workforce Access Client for macOS] Fixed: Registration fails when Cert based authentication and User presence is disabled
[Workforce Access Client for Windows] Fixed: FIDO2 pairing disappears
[Workforce Accesss Client for macOS] Fixed: QR Fallback: macOS doesn't show proper error screen when the feature is disabled

8.1.0 - GA 2023-03-29

New Features and Feature Changes

[All HYPR] Custom FIDO2 WebAuthn Parameters
- [API] Enforce WebAuthn parameters in end-user flows
- [Control Center] Updated Device Manager flow based on custom WebAuthn parameters
- [Control Center] New FIDO2 WebAuthn settings
- [Platform - Keycloak] Updated flow based on custom WebAuthn parameters
[All HYPR] Fallback for QR Scan (Web)
- [API] Adjust QR Fallback payload to specify 'qrFallbackMobileURL'
- [Control Center; API] New endpoint to retrieve QR code payload
- [Control Center; Events] Add Audit Events for QR Fallback
- [Control Center] Configure QR Fallback options
- [Control Center] Remove "Begin Pairing" and auto-refresh QR code in Device Manager
- [Control Center] Update QR fallback server setting to True by default
- [Control Center] Update QR Payload Response to Include Short URL
- [Device Manager] Display QR Fallback Information for Web Registration
- [Mobile App for Android] Add Manual Camera Access Text to Fallback Screen
- [Mobile App for Android] Adjust QR Fallback Payload to Specify 'qrFallbackMobileURL'
- [Mobile App for Android] Authenticate using device with QR Fallback
- [Mobile App for Android] No Camera Access Fallback QR Flow
- [Mobile App for iOS] Adjust QR Fallback Payload to Specify 'qrFallbackMobileURL'
- [Mobile App for iOS] Register Device with QR Fallback
- [Mobile App for iOS] Authenticate using Device with QR Fallback
- [Mobile App for iOS] No Camera Access Fallback QR Flow
- [Platform - Keycloak] Desktop: display QR Fallback information for web authentication
- [Platform - Keycloak] Extend QR Fallback to Keycloak HYPR registrator
- [Platform - Keycloak] Mobile: Display Dynamic Link fallback information for authentication
- [SDK for Java] Adjust current QR functions to incorporate fallback functionality
- [SDK for Java] Adjust Java SDK for respective QR Fallback response and request
[All HYPR] Security Improvements
- [API] Safeguard against missed input validation
- [Errors] Reduce details in error msgs
- [Errors] Reduce details in error msgs
- [Sample Web App] Fixed: Unauthenticated access to various APIs
[Control Center] FIDO2/WebAuthn: Passkey Detection
- [Control Center] FIDO2: Extend model with Credential Backup State
- [Control Center] FIDO2: Implement Credential Properties extension
- [Control Center] FIDO2: Persist transport value on registration
[Control Center - Integrations] Azure: FIDO2 Mobile Authenticator - Early Access
- [Control Center] Back End: Delete User Device
- [Control Center] Back End: Native Azure Login Experience Go Live should not federate a domain
- [Control Center] Back End: Move user from one status to another
- [Control Center] UX: Hide "Enroll Users" and "Pending"
- [Control Center; API] Back End: Azure backend API changes to user Enrollment
- [Control Center; API] Back End: User Management API changes
- [Control Center - Integrations] Back End: Add support in the Workforce Access Client Download (via Onboarding) to support new hypr.json config values
- [Control Center - Integrations] Back End: Feature should be enabled
- [Control Center - Integrations] Back End: Create new Status column in rp_registered_user
- [Control Center - Integrations] Back End: Azure changes to Add Integration
- [Control Center - Integrations] UX: Integration changes to status Enable/Disable
- [Control Center - Integrations] Back End: Native Azure Login Experience Login Settings tab: restrict domains
- [Control Center - Integrations; API] Back End: Create get integration configuration API
- [Control Center - Integrations; Events] Back End: Enable FIDO2 Mobile Authenticator Events
- [Control Center - Integrations; Events] Back End: FIDO2 Mobile Events for Deregistration and Reset
- [Control Center - Integrations; Events] Back End: Fix Event integration type
- Bug Fixes:
  - [Control Center - Integrations] Fixed: Azure: rp_registered_user status not updated after pairing device to the Workforce Access client
  - [Control Center - Integrations] Fixed: Azure: rp_registered_user status column gets updated from PARTIAL to FULL based on incorrect Event
  - [Control Center - Integrations] Fixed: Azure: user status not in the response when calling getUser on the registered user
  - [Workforce Access Client] Fixed: Downloaded client hypr.json contains install token scoped to default workstation rpApp
  - [Workforce Access Client] Fixed: User unable to successfully Pair with HYPR when QR Code scan; Keycloak data missing
[Control Center - Integrations] FIDO2 Mobile Authenticator Bug Fixes
- [Mobile App for Android] Fixed: My Security Key not displaying login history
- [Mobile App for Android] Fixed: FIDO2 authentication User Presence denial shows a registration failure message
[Control Center - Integrations] User Enrollment Drawer Enhancements
- [Control Center - Integrations] User Management: When Pending/Enrolled, show an option for 'personal email' or 'sync email'
- [Control Center - Integrations] UX Updates To "Pending Go-Live" Page
- [Control Center - Integrations] Add "Send Manually" Tab
- [Control Center - Integrations] Add personal email capabilities
[Control Center - Integrations] Web Hooks Refactor Into Unique SIEMs
- [Control Center - Integrations] Event Hooks: Fix Splunk .SVG file in the integration tile
- [Control Center - Integrations] Event Hooks: Create DataDog integration tile
[Control Center - Integrations; Mobile App for iOS] Include RADIUS Client Name in authentication confirmation
- [Control Center] Add Note in Control Center about Friendly Name in authentication confirmation
- [Control Center - Integrations; Mobile App for iOS] Display RADIUS Client Name in authentication request
- [Control Center - Integrations; SDKs for Android, FIDO2, iOS; Workforce Access Client for Windows] FIDO2 Mobile Authenticator - Early Access
- [Control Center] Implement FIDO2 Workforce Access Client pairing changes
- [Mobile App for Android] Send FIDO2 Mobile Authenticator Events
- [Mobile App for Android] QR Code Scan for HYPR Pairing (Device Binding)
- [Mobile App for Android] Display User ID (email) after successfully pairing with HYPR
- [Mobile App for Android] Check server configuration prior to Azure pairing/authentication
- [Mobile App for Android] Update User ID (email) after successfully pairing with Azure
- [Mobile App for Android] New registration type option "My Security Keys"
- [Mobile App for Android] FIDO2 Integration updates
- [Mobile App for iOS] Send FIDO2 Mobile Authenticator Events
- [Mobile App for iOS] QR Code Scan for HYPR Pairing (Device Binding)
- [Mobile App for iOS] Display User ID (email) after successfully pairing with HYPR
- [Mobile App for iOS] Check server configuration prior to Azure pairing/authentication
- [Mobile App for iOS] New registration type option "My Security Keys"
- [Mobile App for iOS] FIDO2 Integration updates
- [SDK for FIDO2] FIDO2 IntegrationuUpdates
- [Workforce Access Client for Windows] Complete merge of Windows FIDO2 integration into the Workforce Access Client repo
- [Workforce Access Client for Windows; Mobile App for Android]
- Bug Fixes:
  - [Workforce Access Client for Windows] Fixed: FIDO2 - Unlock Azure account fails
  - [Mobile App for iOS] Fixed: FIDO2: Unable to complete Azure pairing
[Workforce Access Client for macOS] Security Keys Support for macOS
- [Workforce Access Client for macOS] Fixed: Error messages are not displayed for security key PIN field validations
- [Workforce Access Client for macOS] Unpair Security Key shows "This will unpair your smartphone" message
- [Workforce Access Client for macOS] Integrate Yubico libraries
- [Workforce Access Client for macOS] Update UI for security keys
[Workforce Access Client for Windows] FIDO2 Mobile Authenticator Workstation Unlock - Early Access
- [Control Center; Events] Events for QR Code Pairing
[Workforce Access Client for Windows] Non-Exportable Private Keys / Certificate Template for Security Keys
- [Workforce Access Client for Windows] Generate a private key on YubiKey
- [Workforce Access Client for Windows] Option for a certificate template with a non-exportable private key
[Workforce Access Client for Windows] QR Fallback Bug Fixes
- [Workforce Access Client for Windows] Fixed: QR Fallback: Windows doesn't show proper error screen when the feature is disabled
- [Workforce Access Client for Windows] Fixed: QR Fallback: Server doesn't return a proper error code when when the feature is disabled
- [Workforce Access Client for Windows] Fixed: QR Fallback: Registration fails on the latest 8.1 build
- [Workforce Access Client for Windows] Fixed: QR Fallback: "Pair Manually" link does not work after clicking on Begin Pairing button
- [Workforce Access Client for Windows] Fixed: QR Fallback: Clicking on “Back to QR scan” has no response and doesn’t navigate back to QR scan screen
- [Workforce Access Client for Windows] Fixed: QR Fallback: If this feature is disabled, the standard QR registration flow fails until service is restarted
- [Workforce Access Client for Windows] Fixed: QR Fallback: Information for Roaming Authentication

Enhancements

[All HYPR] Global user: Java user model changes I; migrating to a new data structure
[Control Center] Add "Desktop SSO" capability to "Login Settings"
[Control Center] Error in client config causes a spike in hosted tenant error logs
[Control Center] FIDO2: Record transport on WebAuthn operations
[Control Center] Invalidate session when modifying user roles
[Control Center] Remove deprecated feature
[Control Center] Remove obsolete "Domain Joined Users" option in Control Center configuration
[Control Center; API] Add API token to QR login endpoint
[Control Center; Events] Audit Trail Fields with unknown values in Event logs should always be set to a blank/empty string
[Control Center - Integrations] FIDO2 Mobile Authenticator - Limit discovery to only registered devices
[Control Center - Integrations] Fix links to documentation in our integrations
[Control Center - Integrations] RADIUS Configuration
[Control Center - Integrations] RADIUS Server Management
[Control Center - Integrations] Removing validation for keyAgreementPublicKey and keyAgreementPublicKeyAUTH when FIDO2 Mobile Authenticator is enabled
[Control Center - Integrations] Removing validation for loginCert when FIDO2 Mobile Authenticator is enabled
[Control Center - Integrations] Removing validation for signingCert when FIDO2 Mobile Authenticator is enabled
[Control Center - Integrations] Update mouse-over on "Current Integrations" -> "Options" to say "Login Settings"
[Mobile App - Both] Support button label
[Mobile App for Android; SDK for Android] Notifications on Android 13 and target 33
[Platform - CVE Fixes] CVE-2022-3064, CVE-2022-45143
[Platform - CVE Fixes] CVE-2023-1370: Fix for json-smart lib and nimbus-jose-jwt lib
[Platform - Keycloak] Cookies are not being created for the username
[Platform - Keycloak] Create Enable Keycloak Modules feature
[Platform - Redis] Clear error handling for Enterprise Redis
[Platform] Support for multi-region installations
[Sample Web App] Allow options for initial registration
[Sample Web App] Update public docs
[SDK for Android] Allow background to cancel registration
[SDK for Android] Manual Registration (QR Fallback) button visibility config
[Workforce Access Client for macOS] Mitigate privilege escalation in HyprOneService
[Workforce Access Client for macOS] Support for macOS Ventura
[Workforce Access Client for Windows] Import latest ykpiv code from Yubico

Bug Fixes

[Control Center] Fixed: Audit messages from workstation are being mangled
[Control Center] Fixed: FIDO2 Settings UI updates
[Control Center] Fixed: Not possible to login to Control Center with a FIDO2 device
[Events] Fixed: Remove value from ExtensionConfigAttribute.toString() for sensitive or redacted attributes
[Control Center - Integrations] Fixed: Azure: Domain gets federated on error
[Control Center - Integrations] Fixed: Google Workspace: Can't create integration with name that includes spaces
[Control Center - Integrations] Fixed: Google Workspace: SSO info not cleared from Google Workspace upon deleting integration
[Control Center - Integrations] Fixed: OneLogin: User loses HYPR roll when integration gets disabled, if they were added when integration was live
[Control Center - Integrations] Fixed: Ping DaVinci: Fix link/text for Support documentation
[Control Center - Integrations] Fixed: Ping DaVinci: Protocol itself needs validation
[Control Center - Integrations] Fixed: QR authentication fails after updating integration
[Control Center - Integrations; Events] Fixed: Some Events are missing integrationType and integrationProvider information
[Mobile App - Both] Fixed: Browser log in into Device Manager succeeds on but the browser never accesses Device Manager
[Mobile App for Android] Fixed: Android app must set device ID for FIDO2 authenticator
[Mobile App for Android] Fixed: ArrayIndexOutOfBoundsException on permission check; notification permission checker fixed
[Mobile App for Android] Fixed: Offline PIN fails to display after successful authentication for the paired workstation
[Mobile App for iOS] Fixed: rpApp displays instead of RADIUS Client Name in Authentication Request
[Platform - Keycloak] Fixed: Bug in keycloak does not remember user from previous authentication
[Platform - Keycloak] Fixed: Realm name limitation is 36 characters; we need to verify that that we build it correctly
[Platform - Keycloak] Fixed: UI issue on the Web browser and Mobile browser login pages
[Sample Web App] Fixed: Implement CSRF protections
[Sample Web App] Fixed: Unable to login with appless QR code after logging out of the sample app
[Sample Web App] Fixed: Update jQuery version
[Workforce Access Client for macOS] Fixed: Login dialog doesn't disappear when using TouchID
[Workforce Access Client for Windows] Fixed: FIDO2 pairing disappears
[Workforce Access Client for Windows] Fixed: Import latest ykpiv code from Yubico
[Workforce Access Client for Windows] Fixed: Windows Update breaks the user presence check during registration

10.0.0 - GA 2025-02-12​

Enhancements​

Bug Fixes​

9.7.2 - GA 2025-02-07​

Enhancements​

Bug Fixes​

9.7.1 - GA 2025-01-07​

Enhancements​

Bug Fixes​

9.7.0 - GA 2024-12-11​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.5.3 - Patch 2024-11-18​

Enhancements​

Bug Fixes​

9.5.2 - Patch 2024-11-01​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.6.0 - GA 2024-10-01​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.5.0 - GA 2024-09-12​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.3.2 - Patch 2024-08-23​

Enhancements​

Bug Fixes​

9.3.1 - Patch 2024-08-07​

Enhancements​

Bug Fixes​

9.4.0 - GA 2024-07-24​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.3.0 - GA 2024-07-17​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

8.7.2 - Patch 2024-06-13​

Enhancements​

8.4.2 - Patch 2024-06-13​

Enhancements​

9.1.2 - Patch 2024-05-29​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.1.1 - Patch 2024-05-01​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.2.0 - GA 2024-04-11​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.1.0 - GA 2024-04-10​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

8.7.1 - Patch 2024-01-24​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

9.0.0 - GA 2024-01-17​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

8.7.0 - GA 2023-12-13​

New Features and Feature Changes​

Enhancements​

Bug Fixes​

8.5.2 - Patch 2023-11-09​

Enhancements​

Bug Fixes​

8.6.0 - GA 2023-10-25​

New Features and Feature Changes​

Enhancements​

10.0.0 - GA 2025-02-12

Enhancements

Bug Fixes

9.7.2 - GA 2025-02-07

Enhancements

Bug Fixes

9.7.1 - GA 2025-01-07

Enhancements

Bug Fixes

9.7.0 - GA 2024-12-11

New Features and Feature Changes

Enhancements

Bug Fixes

9.5.3 - Patch 2024-11-18

Enhancements

Bug Fixes

9.5.2 - Patch 2024-11-01

New Features and Feature Changes

Enhancements

Bug Fixes

9.6.0 - GA 2024-10-01

New Features and Feature Changes

Enhancements

Bug Fixes

9.5.0 - GA 2024-09-12

New Features and Feature Changes

Enhancements

Bug Fixes

9.3.2 - Patch 2024-08-23

Enhancements

Bug Fixes

9.3.1 - Patch 2024-08-07

Enhancements

Bug Fixes

9.4.0 - GA 2024-07-24

New Features and Feature Changes

Enhancements

Bug Fixes

9.3.0 - GA 2024-07-17

New Features and Feature Changes

Enhancements

Bug Fixes

8.7.2 - Patch 2024-06-13

Enhancements

8.4.2 - Patch 2024-06-13

Enhancements

9.1.2 - Patch 2024-05-29

New Features and Feature Changes

Enhancements

Bug Fixes

9.1.1 - Patch 2024-05-01

New Features and Feature Changes

Enhancements

Bug Fixes

9.2.0 - GA 2024-04-11

New Features and Feature Changes

Enhancements

Bug Fixes

9.1.0 - GA 2024-04-10

New Features and Feature Changes

Enhancements

Bug Fixes

8.7.1 - Patch 2024-01-24

New Features and Feature Changes

Enhancements

Bug Fixes

9.0.0 - GA 2024-01-17

New Features and Feature Changes

Enhancements

Bug Fixes

8.7.0 - GA 2023-12-13

New Features and Feature Changes

Enhancements

Bug Fixes

8.5.2 - Patch 2023-11-09

Enhancements

Bug Fixes

8.6.0 - GA 2023-10-25

New Features and Feature Changes

Enhancements