8.7.0 Release Notes
HYPR 8.7.0 is an Enterprise Channel Release.
The Enterprise Release Channel caters to customers requiring a less frequent cadence of upgrades, specifically on a quarterly basis, thereby allowing them more time to adapt and implement changes without disrupting their business operations.
The Standard Release Channel is designed for customers who are equipped to accommodate monthly updates, providing regular and more frequent access to new features and improvements. All Standard Release features are available in the next scheduled Enterprise Release.
Minimum Supported Versions
| Release Date | Product/Version | Platform | Notes |
|---|---|---|---|
| December 13, 2023 | HYPR Passwordless for Windows 8.7.0 | Windows (10, 11) | Reboot required if upgrading from 7.6 or below; Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their offshoots |
| December 13, 2023 | HYPR Passwordless for Mac 8.7.0 | macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma 14.1 [not 14.0]) | Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their respective offshoots |
| December 13, 2023 | HYPR Mobile App for Android 8.7.0 | Android 8.0+ | |
| December 13, 2023 | HYPR Mobile App for iOS 8.7.0 | iOS 12.4+ | |
| December 13, 2023 | HYPR Server 8.7.0 | Server | Upgrade to 7.10 required before upgrading to 8.0.0 or higher |
| December 13, 2023 | HYPR Android SDK 8.7.0 | Android 8.0+ | |
| December 13, 2023 | HYPR iOS SDK 8.7.0 | iOS 12.4+ |
Backward Compatibility
All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.
New Features
[Control Center] Device Manager Onboarding
For users who might be unfamiliar with HYPR, a handy link now appears on the Device Manager pairing dialog to open a guided walkthrough of how to pair a device.
[Control Center - HYPR Adapt] HYPR Adapt Is Now Administered in Control Center
HYPR's risk engine, HYPR Adapt, is now available in the Control Center Standard left navigation menu, and can be enabled or disabled using a toggle on the linked page. Features include the following:
- Policy Definition
- As many policies as you want for limiting login attempts and controlling failure behaviors
- The option to exempt HYPR Mobile App or FIDO2 Passkey authentication from being blocked
- Fallback allowances for alternative login methods if blocked by HYPR Adapt
- Workstation Settings
- Configurable signals polling intervals
- Login Settings
- Assign Risk Policies to RP applications
- API calls, Audit Trail Events, and matching error messages to help create, manage, and test policies
[Control Center - Integrations; All HYPR] HYPR Enterprise Passkey Enhancements
- [Early Release] Both Android and iOS devices can now pair and authenticate via a Windows 10 workstation using Bluetooth/BLE radio or using the same WiFi network as the workstationβeven when offline; if enabled, HYPR will offer users the choice between Bluetooth and WiFi connections to complete an Enterprise Passkey pairing or authentication
- Roaming is now supported for HYPR Passwordless using Azure
- Support of multiple passkey management for users and administrators, including differentiation of FIDO2 authenticators in User Management
- Support for different usernames and multiple credentials
- Device Manager in both HYPR Mobile App and HYPR Passwordless clients enables more seamless user controls over authenticators
- Improved iconography indicating unpaired/partially paired/fully paired Enterprise Passkeys
- Improved debug and history information
Enhancements
- [Control Center] Alias lookup now considers the RP application when generating results
- [Control Center] The Health & Logs page in Control Center has been removed in favor of Event Hooks and Analytics
- [Control Center] Signals now are recorded in Audit Trail Events
- [Control Center - FIDO2] Metadata files are now generated for passkeys providers
- [Control Center - Integrations] General improvements to SAML messages security
- [Control Center; HYPR Mobile App - Both; HYPR SDKs for Android and iOS] Existing users can be added to Single Registration without having to de-register and re-register
- [Platform - Keycloak] Improvements to Keycloak integration: select login authenticator; remember me
- [HYPR Mobile App for Android; HYPR SDKs for Android; HYPR Mobile App for iOS; HYPR SDK for iOS]
Send location signals from the HYPR Mobile App during HYPR Passwordless Unlock - [HYPR Passwordless for Windows] Default security key PINs are now blocked
- [HYPR SDK for iOS] Device registration now collects the specific device model
- [HYPRspeed] Desktop SSO support for web username aliases
- [HYPRspeed] Desktop SSO status endpoint now returns the username requested by the web
Events
MACHINE_SIGNAL_RECEIVEDhas been added to the list of Events to handle machine signals from the API endpoint/rp/wsapi/signal; it is comparable toDEVICE_SIGNAL_RECEIVED, which handles similar data for devices- The following Risk Engine (HYPR Adapt) Events have been added:
ADAPT_POLICY_EVALUATIONADAPT_CREATE_POLICYADAPT_UPDATE_POLICYADAPT_DELETE_POLICY
See Event Descriptions for a list of all HYPR Events and parameters.
Error Messages
- 1201086-1201089: Errors related to the HYPR Adapt risk engine.
- 1207xxx: Identity Verification Services Errors
- 1208xxx: HYPR Certificate Authority Services Errors
- 130014-130018: Enterprise Passkey Error Codes
To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.
APIs
- The originating HYPR version has been added to each API call
- HYPR Adapt API is now available, including options for risk policy management and testing
- [Signals API]
/rp/wsapi/signalhas been added to handle workstation signal data/rp/deviceapi/signaland/rp/api/signal/device:machineUserNames, a list of multiple values (versusmachineUserName; singular), has been added; andidhas been removed/rp/deviceapi/signaland/rp/wsapi/signal:400 Bad Requestexamples have been accounted for and added to the API/rp/api/signal/devicePath Parametersignalnow accepts the following values: MOTION,
TELEPHONY, WIFI, and MACHINE
- [FIDO2 RP API] The default value for the
transportsattribute in the/fido2/assertion/optionsResponse Body has been changed to an empty set; and thetransportsattribute is now astringdata type /rp/deviceapi/settingsobjectserverConfignow includes awhiteLabelUrlsarray containing string values of other acceptable URLs for the Control Center server, and asignalsFrequencySecsvalue for signals polling frequency- Control Center Users calls controlling individual RP Application user authenticator locked state (
/cc/api/user/lockand/cc/api/user/unlock) have been moved under RP Applications > User Management > Authenticator /rp/api/certificate/and dependent calls have been relocated under RP Applications > Workstation > Certificates
You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.
Upcoming Changes
HYPR Adapt (Beta)
Create risk-based authentication adaptation for your HYPR users. In addition to limiting login frequency and controlling how long users are resultingly blocked, future versions of HYPR Adapt will adapt to behavioral changes such as:
- Sudden change of location
- Shifts in the time of authentication compared to established patterns
- Country deny lists
Watch this space for updates as HYPR Adapt evolves.
Microsoft Entra Nomenclature Updates
HYPR 9.0+ will be updated where Microsoft Azure is mentioned to accommodate the name change to Microsoft Entra. Anywhere in the documentation or UI that uses Azure in HYPR 8.x and prior versions will now use Entra.
Product Documentation Changes
HYPR is consolidating its documentation in an effort to more readily provide the information you are seeking. The overall look and feel will initially remain similar to what you see now. In the second phase, HYPR functions will be defined with a user story in mind, role-dependent, for users, admins, and developers.
HYPR Branding Changes
You may have noticed HYPR content shifting to include a fingerprint theme; likewise, we are changing some of our product names to standardize their labeling. Some are still the old familiar titles you know and love.
We've included the full list of products and features that will be included under the grouping, HYPR Authenticate. HYPR Authenticate includes the suite of components that make up the HYPR system: Control Center (including Integrations and Plugins), HYPR Passwordless, the HYPR Mobile Apps, and the SDKs.
| HYPR Authenticate Name | Legacy HYPR Server Name |
|---|---|
| HYPR Cloud | HYPR Cloud |
| HYPR On Prem | HYPR On Prem |
| RADIUS | HYPR RADIUS Server |
| HYPR Authenticate Name | Legacy HYPR Mobile App Name |
|---|---|
| HYPR for iOS | HYPR Mobile App for Android |
| HYPR for Android | HYPR Mobile App for iOS |
| HYPR Enterprise Passkey | HYPR FIDO2 Mobile Authenticator |
| HYPR Authenticate Name | Legacy HYPR Workforce Access Client Name |
|---|---|
| HYPR Passwordless for Windows | HYPR Workforce Access Client for Windows |
| HYPR Passwordless for Mac | HYPR Workforce Access Client for Mac |
| HYPR Authenticate Name | Legacy HYPR SDK and API Names |
|---|---|
| HYPR SDK for iOS | HYPR SDK for iOS |
| HYPR SDK for Android | HYPR SDK for Android |
| HYPR SDK for Golang | HYPR SDK for Golang |
| HYPR SDK for Java | HYPR SDK for Java |
| HYPR SDK for JavaScript | HYPR SDK for JavaScript |
| HYPR SDK for Python | HYPR SDK for Python |
| HYPR Server APIs | Server API |
| HYPR Authenticate Name | Legacy HYPR Integration Name |
|---|---|
| HYPR for Okta | Okta |
| HYPR for Workspace | Google Workspace |
| HYPR for OneLogin | OneLogin |
| HYPR for Azure | Azure |
| HYPR for Ping DaVinci | Ping DaVinci |
| HYPR Authenticate Name | Legacy HYPR Feature Name |
|---|---|
| HYPRspeed | Desktop SSO |
| HYPR Authenticate Name | Legacy HYPR Plugin Name |
|---|---|
| HYPR for AD FS | AD FS |
| HYPR for Ping Federate | Ping Federate |
| HYPR for SiteMinder | SiteMinder |
| HYPR for ForgeRock | ForgeRock |
Bug Fixes
- [Control Center] In the API logging response extra double quotes are no longer added; previously this adversely affected intake of the data
- [Control Center] RP application deletion cascading for
UAFTransactionhas been corrected - [Control Center] Server returns correct error codes (400/500) in response when the properties are tampered with in the install token exchange request
- [Control Center - FIDO] FIDO-only authentication honors Authentication Fallback toggle where previously it did not
- [Control Center - FIDO2] Authentication for unknown AAGUIDs is successful
- [Control Center - HYPR Adapt] Updating an existing policy no longer generates a 500 error on the server
- [Control Center - Integrations] Alias support is no longer case-sensitive
- [Control Center - Integrations] Extension attributes have been corrected to load properly on startup
- [Control Center - Integrations] Service account passwords can now include quotation marks
- [HYPR Mobile App for Android] Corrected a 404 error with dynamic links when Android OS 13 / OS 11 Pixel devices attempted authentication with QR using the camera
- [HYPR Mobile App for iOS] FIDO registration events not previously being recorded are now logged in the Audit Trail
- [HYPR Passwordless - Both] Empty/fatal 401 response to expired endpoint API tokens has been fixed
- [HYPR Passwordless - Both] The Java random number generator causing timeouts during QR code scanning has been fixed
- [HYPR Passwordless - Both] When pairing with HYPR, the "Security Key" option no longer displays if it is not meant to
- [HYPR Passwordless for Mac] Audit Trail Event names have been consolidated into a single source file for better accounting
- [HYPR Passwordless for Mac] Machine name and username display correctly in the password dialog on macOS Ventura
- [HYPR Passwordless for Mac] With passwordless enforcement enabled, password labeling has been corrected to reflect the available options
- [HYPR Passwordless for Windows] HYBRID Entra/Azure machines now hide the Security Key option when the certificate template is not defined
- [HYPR Passwordless for Windows] Quotation marks have been added to the Bonjour service path
- [HYPR SDK for Android] After deregistration, the
authenticationCounterresets properly for the next authentication attempt - [Platform] Desktop SSO alias gets removed from KC upon user deletion; previously in some cases it did not
- [Platform - Keycloak] QR code authenticator fixed
- [Platform - Keycloak] Keycloak now creates cookies for usernames
- [Platform - Keycloak] Fixed page blinking on cancel for QR / Push
- [Platform - Okta] Fixed issues around deleting users in Okta
Known Issues
- [HYPR Passwordless for Windows] An incompatibility between iOS BLE broadcasting and Windows 11 signal interpretation prevents completion of Entra FIDO2 pairing, thereafter preventing the user from logging in with that paired device
- [HYPR Control Center - Adapt] FIDO2 authentication attempts are not blocked when FIDO2 is not exempted and the Authentication Failure Threshold is exceeded
Updated 5 months ago