HYPR Mobile App Security Best Practices

📘

The Big Picture

For the best results, don't forget to review and implement the Control Center Security Best Practices and Workforce Access Client Security Best Practices.

Enabling Mobile PIN Complexity

The ENABLE_MOBILE_PIN_COMPLEXITY feature flag enforces PIN strength and complexity on the mobile device. When it is enabled, the following rules apply to PIN entry whenever a user creates or changes a PIN:

  • No more than two consecutive numbers; 124578 will not work, but 128640 will
  • No more than two repeating digits; 112277 will not work, but 281174 will

The user will receive a warning if they break one or more of these rules, and will not be allowed to continue until the PIN entries are corrected.

Disable Legacy Authenticators (HYPR for Android)

The ANDROID_BIOMETRIC_PROMPT_SECURITY feature flag increases the security of biometric authentication on Android devices. To support as many devices and models as possible, this feature is not enabled by default. Once enabled, it accepts only what each manufacturer considers strong authenticators.

📘

Show of Strength

Not all Android devices support this feature, because some lower-end devices do not support the cryptography it needs. Authentication methods designated as WEAK authenticators, such as Native FaceID authentication, are also not supported by this feature. Fingerprint authentication should always be supported by this feature, since it is designated as a STRONG authenticator.

If the feature flag is OFF:

  • All devices work properly with both Native Fingerprint and Native FaceID authentication

If the feature flag is ON:

  • Native Fingerprint authentication will work on most devices; the only exception is if the device itself does not contain the needed cryptographic functionality
  • Native Face will not work on any device
  • If a device supports both Native Face and Fingerprint, then the biometric prompt only allows Fingerprint to be chosen and used

Enhanced Biometric Security for New Registrations

The HYPR Mobile App can be configured for increased biometric security. This feature checks whether additional biometrics were added to the device after initial registration and, if so, invalidates that registration.

🚧

Re-pair

Users will need to unpair their device and pair it again if new biometrics are added when this feature is ON.

Android

Turn on both the ANDROID_INVALIDATION_FOR_NEW_BIOMETRIC and ANDROID_BIOMETRIC_PROMPT_SECURITY feature flags.

A new Error Code applies to this feature:

  • 1111070: Operation failed. A new biometric was added to the device. Please re-register.
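
The Android platform provides this kind of check through Keystore keys that are invalidated when a new biometric is enrolled, used with a prompt restricted to strong biometrics. The Kotlin below is an added example of that platform mechanism, not HYPR's code; that HYPR is implemented this way is an assumption, and KEY_ALIAS and the function names are hypothetical.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature

// Hypothetical alias for this example; not a HYPR identifier.
private const val KEY_ALIAS = "example_registration_key"

// At registration: create a Keystore signing key that needs biometric
// authentication and is invalidated when a new biometric is enrolled.
fun createRegistrationKey() {
    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setUserAuthenticationRequired(true)
        .setInvalidatedByBiometricEnrollment(true) // API 24+
        .build()
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore").run {
        initialize(spec)
        generateKeyPair()
    }
}

// Prompt restricted to Class 3 (strong) biometrics, the only class that can
// authorize a key passed to the prompt as a CryptoObject.
fun strongOnlyPrompt(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm it's you")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .build()

// At authentication: returns a CryptoObject for the prompt, or null when the
// key is missing or was invalidated, so the user has to register again.
fun cryptoObjectOrNull(): BiometricPrompt.CryptoObject? {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as? PrivateKey ?: return null
    return try {
        val signature = Signature.getInstance("SHA256withECDSA").apply { initSign(key) }
        BiometricPrompt.CryptoObject(signature)
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(KEY_ALIAS) // the key can never be used again
        null
    }
}
```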

iOS

Turn on the IOS_INVALIDATION_FOR_NEW_BIOMETRIC feature flag.

iOS still uses the same Error Code:

  • 10200: Secure Enclave failed. Check debugger logs for more details.