Security Best Practices

This page describes the best security practices to follow in the Workforce Access Client when configuring HYPR Workforce Access for your organization.

📘

For additional security suggestions, see Control Center Security Best Practices.

Lockout Settings

To provide additional security for Offline and Recovery PINs and prevent potential Brute Force Attacks, HYPR recommends enforcing the Lockout Settings in Active Directory for all user accounts. This policy locks a user account if the PIN is entered X number of times incorrectly.

You can learn more about configuring Lockout Settings in the Microsoft documentation.

Log Security

By default, the HYPR Workforce Access Client allows user accounts without admin privileges to access the application log files. This is recommended practice during the initial deployment phase to ensure users can send log files to Admins or HYPR support for troubleshooting. However, after the initial deployment phase is over you should restrict log access to only accounts with local admin privileges

Setting Log Access on Windows

You can control access to the C:\Program Files\HYPR\Log folder by setting parameters when installing the HYPR Workforce Access Client or by editing the Windows Registry after install. See HYPR Registry Keys for more information about Windows installation parameters and changing HYPR values in the Registry.

During Installation

To set access to the logs folder on Windows during a fresh install, include the configuration parameter HYPRPROTECTLOGS (in MSI) or protectLogs (in hypr.json).

• Set to "1" to make the folder readable only by users who belong to the built-in Administrators group
• Set to "0" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on Windows after installation, use RegEdit to change the HYPR Protect Logs key in the Registry. The values are the same as those used during installation (see above). Note that Protect Logs is only created when you set the appropriate parameter during install so you may need to add it.

Setting Log Access on macOS

You can control access to the /Library/Logs/HYPR folder by setting parameters when installing the HYPR Workforce Access Client or by editing the HyprOneService.plist file after install. See HYPR Application .plist Keys for more information about macOS installation parameters and editing the .plist file.

During Installation

To set access to the logs folder on macOS during a fresh install, include the configuration parameter protectLogs in hypr.json.

• Set to "true" to make the folder readable only by Administrator users
• Set to "false" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on macOS after installation, change the ProtectLogs value in the HyprOneService.plist file:

sudo /usr/libexec/PlistBuddy -c "Set ProtectLogs true|false" /Library/HYPR/HyprOneService.plist

The values are the same as those used during installation (see above). Note that it can take up to 30 seconds for the change to propagate.

Windows: Require User Presence

Additional measures can be implemented on WFA for Windows deployments to remove the risk of an attacker adding their mobile device while the user’s workstation is unattended – for example, the user walks away but leaves the screen or device unlocked.

For additional user verification during workstation device registration, administrators can require users to re-enter their domain password during pairing to prove their identity. This is configurable in CC in Workstation Settings.

Android: Disable Legacy Authenticators

The ANDROID_BIOMETRIC_PROMPT_SECURITY Feature Flag will increase the security of biometric authentication for Android devices. To ensure support of as many devices and models as possible, this feature is not enabled by default. Once enabled it will only accept what each manufacturer considers as strong authenticators.

📘

Show of Strength

Not all Android devices support this feature due to some lower-end devices not supporting the cryptography needed. Also, some authentication methods which are designated as WEAK authenticators, such as Native FaceID authentication, are not supported by this feature. Fingerprint authentication should always be supported by this feature, since it is designated as a STRONG authenticator.

If the feature flag is OFF:

• All devices work properly with both Native Fingerprint and Native FaceID authentication

If the feature flag is ON:

• Native Fingerprint authentication will work on most devices; the only exception is if the device itself does not contain the needed cryptographic functionality
• Native Face will not work on any device
• If a device supports both Native Face and Fingerprint, then the biometric prompt only allows Fingerprint to be chosen and used

Enabling Mobile PIN Complexity

The ENABLE_MOBILE_PIN_COMPLEXITY feature flag guarantees mobile device PIN strength and complexity when enabled. When a user creates or changes a PIN, if ENABLE_MOBILE_PIN_COMPLEXITY is enabled, the following rules will apply to PIN entry:

• No more than two consecutive numbers; 124578 will not work, but 128640 will
• No more than two repeating digits; 112277 will not work, but 281174 will

The user will receive warning if they break one or more of these rules, and will not be allowed to continue until the PIN entries are corrected.

Limit Magic Links to a Single Use

By default Magic Links are reusable for up to 24 hours, potentially allowing multiple attempts to gain access to an Application. When the MAGIC_LINKS_SINGLE_WEB_USE feature flag is enabled, the first successful device registration via a Magic Link nullifies further attempts using that link.