Certificate Renewal for Security Keys

HYPR Passwordless: Advanced Configuration: Windows

For security key authentication, the HYPR Passwordless client application for Windows uses certificates issued by the Active Directory (AD) Certificate Authority (CA). To help ensure the certificate remains valid, WFA will display a warning over the pairing icon, and the application will also display a tray notification prompting the user to renew when the expiration date is within 30 days.

In both cases, clicking Renew Key will trigger a manual renewal of the expired certificate.

As the expiration date approaches, the Snooze button will not appear, and the notification will not automatically dismiss itself if the user waits, forcing them to acknowledge it and go through the renewal process.

When the user clicks Renew Key, the HYPR Passwordless client checks that the security key is plugged into the workstation, then prompts the user to enter their PIN.


If the PIN is valid, the HYPR Passwordless client automatically communicates with the CA to obtain a new certificate and place it on the device.


How It Works

For HYPR Mobile App authentication, the HYPR Passwordless for Windows client uses certificates issued by the Active Directory (AD) Certificate Authority (CA).

To help ensure security key certificates remain valid, WFA will start notifying the user to plug in their key and renew the key's certificate when the expiration date is approaching. If this action remains incomplete, WFA will actively remind the user until renewal is accomplished. This behavior is governed by the following registry parameters, which are updated manually and are found under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access:

  • Reenroll Certificate Before Expiration Days:
    • The number of days before expiration to alert the user
    • Snooze option available
    • Defaults to 30
  • Reenroll Certificate Notify Before Expiration Days:
    • The number of days before expiration to actively request the user to complete their renewal
    • Snooze option available
    • A red warning label of Renew Key will appear in WFA over the key's icon in the pairing roster
    • Defaults to 7
  • At 1 day prior to expiration, the Snooze button will no longer be an option; this is not configurable
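To check how these thresholds apply on a given workstation, the following PowerShell reads both values and reports which notification phase a certificate with a given expiry date falls into. It is an added example, not HYPR's own code: the function names, the inclusive boundary comparisons, the "Expired" label, and the assumption that the values are stored as whole numbers are all illustrative.

```powershell
# Added example (not HYPR code). Key path and value names are taken from this page.
$HyprKey = 'HKLM:\SOFTWARE\HYPR Workforce Access'

function Get-HyprRenewalSetting {
    param([string]$Name, [int]$Default)
    # Use the documented default when the key or value is absent or not numeric.
    $props = Get-ItemProperty -Path $HyprKey -ErrorAction SilentlyContinue
    $value = if ($props) { $props.$Name } else { $null }
    if ($null -eq $value -or "$value" -notmatch '^\d+$') { return $Default }
    return [int]$value
}

function Get-HyprRenewalPhase {
    param(
        [Parameter(Mandatory)][datetime]$NotAfter,   # certificate expiry date
        [datetime]$Now = (Get-Date)
    )
    $alertDays  = Get-HyprRenewalSetting 'Reenroll Certificate Before Expiration Days' 30
    $notifyDays = Get-HyprRenewalSetting 'Reenroll Certificate Notify Before Expiration Days' 7
    $daysLeft   = ($NotAfter - $Now).TotalDays

    # Assumption: thresholds are inclusive. The page does not describe the
    # post-expiry state, so "Expired" is a label added for this example.
    $phase = if ($daysLeft -le 0) { 'Expired' }
    elseif ($daysLeft -le 1) { 'Renewal required (no Snooze)' }
    elseif ($daysLeft -le $notifyDays) { 'Active request (red Renew Key label, Snooze available)' }
    elseif ($daysLeft -le $alertDays) { 'Alert (Snooze available)' }
    else { 'No notification' }

    [pscustomobject]@{
        DaysLeft   = [math]::Round($daysLeft, 1)
        AlertDays  = $alertDays
        NotifyDays = $notifyDays
        Phase      = $phase
        # If the active-request window is wider than the alert window,
        # the alert-only phase is never reached.
        AlertPhaseUnreachable = ($notifyDays -ge $alertDays)
    }
}

# Constructed sample expiry dates, relative to today.
foreach ($days in 45, 20, 5, 0.5) {
    Get-HyprRenewalPhase -NotAfter (Get-Date).AddDays($days)
}
```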


Privacy, Please

Certificate renewal requires participating users to be connected to a secure network (VPN, domain-joined, etc.) to function. Don't worry, though - HYPR will remind them if they are not securely connected.