8.7.0 Release Notes

HYPR 8.7.0 is an Enterprise Channel Release.

The Enterprise Release Channel caters to customers requiring a less frequent cadence of upgrades, specifically on a quarterly basis, thereby allowing them more time to adapt and implement changes without disrupting their business operations.

The Standard Release Channel is designed for customers who are equipped to accommodate monthly updates, providing regular and more frequent access to new features and improvements. All Standard Release features are available in the next scheduled Enterprise Release.

Minimum Supported Versions

Release DateProduct/VersionPlatformNotes
December 13, 2023HYPR Passwordless for Windows 8.7.0Windows (10, 11)Reboot required if upgrading from 7.6 or below; Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their offshoots
December 13, 2023HYPR Passwordless for Mac 8.7.0macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma 14.1 [not 14.0])Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their respective offshoots
December 13, 2023HYPR Mobile App for Android 8.7.0Android 8.0+
December 13, 2023HYPR Mobile App for iOS 8.7.0iOS 12.4+
December 13, 2023HYPR Server 8.7.0ServerUpgrade to 7.10 required before upgrading to 8.0.0 or higher
December 13, 2023HYPR Android SDK 8.7.0Android 8.0+
December 13, 2023HYPR iOS SDK 8.7.0iOS 12.4+

📘

Backward Compatibility

All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.

New Features

[Control Center] Device Manager Onboarding
For users who might be unfamiliar with HYPR, a handy link now appears on the Device Manager pairing dialog to open a guided walkthrough of how to pair a device.

[Control Center - HYPR Adapt] HYPR Adapt Is Now Administered in Control Center
HYPR's risk engine, HYPR Adapt, is now available in the Control Center Standard left navigation menu, and can be enabled or disabled using a toggle on the linked page. Features include the following:

  • Policy Definition
    • As many policies as you want for limiting login attempts and controlling failure behaviors
    • The option to exempt HYPR Mobile App or FIDO2 Passkey authentication from being blocked
    • Fallback allowances for alternative login methods if blocked by HYPR Adapt
  • Workstation Settings
    • Configurable signals polling intervals
  • Login Settings
    • Assign Risk Policies to RP applications
  • API calls, Audit Trail Events, and matching error messages to help create, manage, and test policies

[Control Center - Integrations; All HYPR] HYPR Enterprise Passkey Enhancements

  • [Early Release] Both Android and iOS devices can now pair and authenticate via a Windows 10 workstation using Bluetooth/BLE radio or using the same WiFi network as the workstation—even when offline; if enabled, HYPR will offer users the choice between Bluetooth and WiFi connections to complete an Enterprise Passkey pairing or authentication
  • Roaming is now supported for HYPR Passwordless using Azure
  • Support of multiple passkey management for users and administrators, including differentiation of FIDO2 authenticators in User Management
  • Support for different usernames and multiple credentials
  • Device Manager in both HYPR Mobile App and HYPR Passwordless clients enables more seamless user controls over authenticators
  • Improved iconography indicating unpaired/partially paired/fully paired Enterprise Passkeys
  • Improved debug and history information

Enhancements

  • [Control Center] Alias lookup now considers the RP application when generating results
  • [Control Center] The Health & Logs page in Control Center has been removed in favor of Event Hooks and Analytics
  • [Control Center] Signals now are recorded in Audit Trail Events
  • [Control Center - FIDO2] Metadata files are now generated for passkeys providers
  • [Control Center - Integrations] General improvements to SAML messages security
  • [Control Center; HYPR Mobile App - Both; HYPR SDKs for Android and iOS] Existing users can be added to Single Registration without having to de-register and re-register
  • [Platform - Keycloak] Improvements to Keycloak integration: select login authenticator; remember me
  • [HYPR Mobile App for Android; HYPR SDKs for Android; HYPR Mobile App for iOS; HYPR SDK for iOS]
    Send location signals from the HYPR Mobile App during HYPR Passwordless Unlock
  • [HYPR Passwordless for Windows] Default security key PINs are now blocked
  • [HYPR SDK for iOS] Device registration now collects the specific device model
  • [HYPRspeed] Desktop SSO support for web username aliases
  • [HYPRspeed] Desktop SSO status endpoint now returns the username requested by the web

Events

  • MACHINE_SIGNAL_RECEIVED has been added to the list of Events to handle machine signals from the API endpoint /rp/wsapi/signal ; it is comparable to DEVICE_SIGNAL_RECEIVED, which handles similar data for devices
  • The following Risk Engine (HYPR Adapt) Events have been added:
    • ADAPT_POLICY_EVALUATION
    • ADAPT_CREATE_POLICY
    • ADAPT_UPDATE_POLICY
    • ADAPT_DELETE_POLICY

See Event Descriptions for a list of all HYPR Events and parameters.

Error Messages

To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.

APIs

  • The originating HYPR version has been added to each API call
  • HYPR Adapt API is now available, including options for risk policy management and testing
  • [Signals API]
  • [FIDO2 RP API] The default value for the transports attribute in the /fido2/assertion/options Response Body has been changed to an empty set; and the transports attribute is now a string data type
  • /rp/deviceapi/settings object serverConfig now includes a whiteLabelUrls array containing string values of other acceptable URLs for the Control Center server, and a signalsFrequencySecs value for signals polling frequency
  • Control Center Users calls controlling individual RP Application user authenticator locked state (/cc/api/user/lock and /cc/api/user/unlock) have been moved under RP Applications > User Management > Authenticator
  • /rp/api/certificate/ and dependent calls have been relocated under RP Applications > Workstation > Certificates

You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.

Upcoming Changes

HYPR Adapt (Beta)

Create risk-based authentication adaptation for your HYPR users. In addition to limiting login frequency and controlling how long users are resultingly blocked, future versions of HYPR Adapt will adapt to behavioral changes such as:

  • Sudden change of location
  • Shifts in the time of authentication compared to established patterns
  • Country deny lists

Watch this space for updates as HYPR Adapt evolves.

Microsoft Entra Nomenclature Updates
HYPR 9.0+ will be updated where Microsoft Azure is mentioned to accommodate the name change to Microsoft Entra. Anywhere in the documentation or UI that uses Azure in HYPR 8.x and prior versions will now use Entra.

Product Documentation Changes
HYPR is consolidating its documentation in an effort to more readily provide the information you are seeking. The overall look and feel will initially remain similar to what you see now. In the second phase, HYPR functions will be defined with a user story in mind, role-dependent, for users, admins, and developers.

HYPR Branding Changes
You may have noticed HYPR content shifting to include a fingerprint theme; likewise, we are changing some of our product names to standardize their labeling. Some are still the old familiar titles you know and love.

We've included the full list of products and features that will be included under the grouping, HYPR Authenticate. HYPR Authenticate includes the suite of components that make up the HYPR system: Control Center (including Integrations and Plugins), HYPR Passwordless, the HYPR Mobile Apps, and the SDKs.

HYPR Authenticate Name Legacy HYPR Server Name
HYPR Cloud HYPR Cloud
HYPR On Prem HYPR On Prem
RADIUS HYPR RADIUS Server

HYPR Authenticate Name Legacy HYPR Mobile App Name
HYPR for iOS HYPR Mobile App for Android
HYPR for Android HYPR Mobile App for iOS
HYPR Enterprise Passkey HYPR FIDO2 Mobile Authenticator

HYPR Authenticate Name Legacy HYPR Workforce Access Client Name
HYPR Passwordless for Windows HYPR Workforce Access Client for Windows
HYPR Passwordless for Mac HYPR Workforce Access Client for Mac

HYPR Authenticate Name Legacy HYPR SDK and API Names
HYPR SDK for iOS HYPR SDK for iOS
HYPR SDK for Android HYPR SDK for Android
HYPR SDK for Golang HYPR SDK for Golang
HYPR SDK for Java HYPR SDK for Java
HYPR SDK for JavaScript HYPR SDK for JavaScript
HYPR SDK for Python HYPR SDK for Python
HYPR Server APIs Server API

HYPR Authenticate Name Legacy HYPR Integration Name
HYPR for Okta Okta
HYPR for Workspace Google Workspace
HYPR for OneLogin OneLogin
HYPR for Azure Azure
HYPR for Ping DaVinci Ping DaVinci

HYPR Authenticate Name Legacy HYPR Feature Name
HYPRspeed Desktop SSO

HYPR Authenticate Name Legacy HYPR Plugin Name
HYPR for AD FS AD FS
HYPR for Ping Federate Ping Federate
HYPR for SiteMinder SiteMinder
HYPR for ForgeRock ForgeRock

Bug Fixes

  • [Control Center] In the API logging response extra double quotes are no longer added; previously this adversely affected intake of the data
  • [Control Center] RP application deletion cascading for UAFTransaction has been corrected
  • [Control Center] Server returns correct error codes (400/500) in response when the properties are tampered with in the install token exchange request
  • [Control Center - FIDO] FIDO-only authentication honors Authentication Fallback toggle where previously it did not
  • [Control Center - FIDO2] Authentication for unknown AAGUIDs is successful
  • [Control Center - HYPR Adapt] Updating an existing policy no longer generates a 500 error on the server
  • [Control Center - Integrations] Alias support is no longer case-sensitive
  • [Control Center - Integrations] Extension attributes have been corrected to load properly on startup
  • [Control Center - Integrations] Service account passwords can now include quotation marks
  • [HYPR Mobile App for Android] Corrected a 404 error with dynamic links when Android OS 13 / OS 11 Pixel devices attempted authentication with QR using the camera
  • [HYPR Mobile App for iOS] FIDO registration events not previously being recorded are now logged in the Audit Trail
  • [HYPR Passwordless - Both] Empty/fatal 401 response to expired endpoint API tokens has been fixed
  • [HYPR Passwordless - Both] The Java random number generator causing timeouts during QR code scanning has been fixed
  • [HYPR Passwordless - Both] When pairing with HYPR, the "Security Key" option no longer displays if it is not meant to
  • [HYPR Passwordless for Mac] Audit Trail Event names have been consolidated into a single source file for better accounting
  • [HYPR Passwordless for Mac] Machine name and username display correctly in the password dialog on macOS Ventura
  • [HYPR Passwordless for Mac] With passwordless enforcement enabled, password labeling has been corrected to reflect the available options
  • [HYPR Passwordless for Windows] HYBRID Entra/Azure machines now hide the Security Key option when the certificate template is not defined
  • [HYPR Passwordless for Windows] Quotation marks have been added to the Bonjour service path
  • [HYPR SDK for Android] After deregistration, the authenticationCounter resets properly for the next authentication attempt
  • [Platform] Desktop SSO alias gets removed from KC upon user deletion; previously in some cases it did not
  • [Platform - Keycloak] QR code authenticator fixed
  • [Platform - Keycloak] Keycloak now creates cookies for usernames
  • [Platform - Keycloak] Fixed page blinking on cancel for QR / Push
  • [Platform - Okta] Fixed issues around deleting users in Okta

Known Issues

  • [HYPR Passwordless for Windows] An incompatibility between iOS BLE broadcasting and Windows 11 signal interpretation prevents completion of Entra FIDO2 pairing, thereafter preventing the user from logging in with that paired device
  • [HYPR Control Center - Adapt] FIDO2 authentication attempts are not blocked when FIDO2 is not exempted and the Authentication Failure Threshold is exceeded