HYPR Passwordless Security Best Practices

HYPR Passwordless

This page describes the best security practices to follow in the HYPR Passwordless client when configuring it for your organization.

The Big Picture

For additional security suggestions, see Control Center Security Best Practices and HYPR Mobile App Security Best Practices.

Lockout Settings

To provide additional security for Offline and Recovery PINs and prevent potential Brute Force Attacks, HYPR recommends enforcing the Lockout Settings in Active Directory for all user accounts. This policy locks a user account if the PIN is entered X number of times incorrectly.

You can learn more about configuring Lockout Settings in the Microsoft documentation.

Log Security

By default, the HYPR Passwordless client allows user accounts without admin privileges to access the application log files. This is recommended practice during the initial deployment phase to ensure users can send log files to Admins or HYPR support for troubleshooting. However, after the initial deployment phase is over you should restrict log access to only accounts with local admin privileges.

Setting Log Levels

The HYPR Passwordless client Log Level can be adjusted to limit the amount of data that is being logged. The following values can be used to adjust the logging:

  • 0 = No logging
  • 1 = Adds Fatal errors
  • 2 = Adds Errors
  • 3 = Adds Warnings
  • 4 = Adds more Information events
  • 5 = Default setting; debug logging
  • 6 = Increase to more verbose logging

Level 5 is enabled by default as this provides the needed amount of information for troubleshooting and technical support. Please be aware that reducing the logging level will significantly hinder HYPR’s ability to provide technical support.

This log level can be adjusted as follows:

Windows
Edit the Windows registry’s Log level entry located in HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access.

Mac
Edit the LogLevel property in the file, /Library/HYPR/HyprOneService.plist.

Setting Log Access on Windows

You can control access to the C:\Program Files\HYPR\Log folder by setting parameters when installing the HYPR Passwordless client or by editing the Windows Registry after install. See HYPR Registry Keys for more information about Windows installation parameters and changing HYPR values in the Registry.

During Installation

To set access to the logs folder on Windows during a fresh install, include the configuration parameter HYPRPROTECTLOGS (in MSI) or protectLogs (in hypr.json).

  • Set to "1" to make the folder readable only by users who belong to the built-in Administrators group
  • Set to "0" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on Windows after installation, use RegEdit to change the HYPR Protect Logs key in the Registry. The values are the same as those used during installation (see above). Note that Protect Logs is only created when you set the appropriate parameter during install so you may need to add it.

Setting Log Access on macOS

You can control access to the /Library/Logs/HYPR folder by setting parameters when installing the HYPR Passwordless client or by editing the HyprOneService.plist file after install. See HYPR Application .plist Keys for more information about macOS installation parameters and editing the .plist file.

During Installation

To set access to the logs folder on macOS during a fresh install, include the configuration parameter protectLogs in hypr.json.

  • Set to "true" to make the folder readable only by Administrator users
  • Set to "false" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on macOS after installation, change the ProtectLogs value in the HyprOneService.plist file:

sudo /usr/libexec/PlistBuddy -c "Set ProtectLogs true|false" /Library/HYPR/HyprOneService.plist

The values are the same as those used during installation (see above). Note that it can take up to 30 seconds for the change to propagate.
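The following script is an added example, not HYPR's own tooling: it audits whether a log folder is still accessible to non-admin users after the initial deployment phase, which is the state the page recommends leaving behind. It is written for the macOS /Library/Logs/HYPR folder (the folder path is an argument, and the check looks only at the "other" permission bits, so a folder limited to root and the admin group passes); the Windows folder is not covered here.

```shell
#!/bin/sh
# Added example (not HYPR's own code): post-deployment audit of a HYPR log
# folder. Pass the folder path, e.g. /Library/Logs/HYPR on macOS.

# Print the "other" permission triad (e.g. "rwx", "r-x", "---") of a path.
# ls -ld is used instead of stat because its -f/-c flags differ between
# BSD (macOS) and GNU userland, while the mode string layout is the same.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Returns 0 when users outside the owner and group have no access at all
# ("---"), 1 when the folder is readable or writable by everyone, which is
# the installer's default when protectLogs is "false"/"0" or omitted.
logs_protected() {
    case "$(other_perms "$1")" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Human-readable result for a deployment checklist; exit status mirrors it
# (0 = restricted, 1 = open to all users, 2 = folder not found).
audit_log_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 2
    fi
    if logs_protected "$dir"; then
        echo "OK: $dir is not accessible to non-admin users (others=$(other_perms "$dir"))"
        return 0
    fi
    echo "WARN: $dir is accessible to all users (others=$(other_perms "$dir")); set ProtectLogs once initial deployment is over"
    return 1
}

# Usage: audit_log_dir /Library/Logs/HYPR
```

Run it after toggling ProtectLogs and again after the propagation delay mentioned above to confirm the change actually took effect on the folder.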

Windows

Require User Presence

Additional measures can be implemented on HYPR Passwordless for Windows deployments to remove the risk of an attacker adding their mobile device while the user’s workstation is unattended – for example, the user walks away but leaves the screen or device unlocked.

For additional user verification during workstation device registration, administrators can require users to re-authenticate during pairing to prove their identity. This is configurable in Control Center (CC) under Workstation Settings.

Non-exportable Private Keys

For sites wishing to protect security key users' private keys, the HYPR Passwordless for Windows client allows an additional installation parameter (via both .JSON and .MSI installations) to cause private keys to be generated on the security key and to never leave that key. This option works alongside the existing mobile certificate template; however, it is mutually exclusive with Security Key Recovery Mode functionality, which depends on exportable private keys.