HYPR Mobile App Security Best Practices

HYPR Mobile App

πŸ“˜

The Big Picture

For the best results, don't forget to review and implement the Control Center Security Best Practices and Workforce Access Client Security Best Practices.

Mobile PIN Complexity guarantees mobile device PIN strength and complexity when enabled. When a user creates or changes a PIN, if this feature is enabled, the following rules will apply to PIN entry:

  • No more than two consecutive numbers; 124578 will not work, but 128640 will
  • No more than two repeating digits; 112277 will not work, but 281174 will

The user will receive warning if they break one or more of these rules, and will not be allowed to continue until the PIN entries are corrected.

Enhanced Mobile Authenticators Policy

To provide the most secure authentication experience, the use of a decentralized PIN as an authenticator is discouraged. Whenever possible, native authenticators should be used instead of decentralized PINs.

This can be accomplished by configuring the authenticator policy as described under Policy Management.

Enabling Mobile PIN Complexity

If it is not already enabled, contact HYPR Support to enable Mobile PIN Complexity in the RP application(s) for which you wish to enforce complex PIN entry.

Disable Legacy Authenticators (HYPR for Android)

To increase the security of biometric authentication for Android devices, HYPR recommends enabling this feature. To ensure support of as many devices and models as possible, this feature is not enabled by default. Once enabled it will only accept what each manufacturer considers as strong authenticators. Contact HYPR Support to disable legacy authenticators for your RP Application(s).

πŸ“˜

Show of Strength

Not all Android devices support this feature due to some lower-end devices not supporting the cryptography needed. Also, some authentication methods which are designated as WEAK authenticators, such as Native FaceID authentication, are not supported by this feature. Fingerprint authentication should always be supported by this feature, since it is designated as a STRONG authenticator.

If the feature is OFF:

  • All devices work properly with both Native Fingerprint and Native FaceID authentication

If the feature is ON:

  • Native Fingerprint authentication will work on most devices; the only exception is if the device itself does not contain the needed cryptographic functionality
  • Native Face will not work on any device
  • If a device supports both Native Face and Fingerprint, then the biometric prompt only allows Fingerprint to be chosen and used

Enhanced Biometric Security for New Registrations

The HYPR Mobile App can be configured for increased biometric security. The following feature adds checks to determine if additional biometrics were added to the device after initial registration and invalidates that registration if there were additional biometrics added. Contact HYPR Support to enable enhanced biometric security for your RP Application(s).

🚧

Re-pair

Users will need to unpair their device and pair it again if new biometrics are added when this feature is ON.

Android

A new Error Code applies to this feature:

  • 1111070: Operation failed. A new biometric was added to the device. Please re-register.

iOS

iOS still uses the same Error Code:

  • 10200: Secure Enclave failed. Check debugger logs for more details.