Pairing with a Security Key

Using HYPR Passwordless

👍

Do This First

Security key support for HYPR RP Applications must first be enabled in the Control Center under Workstation Settings.

This document describes how to manage security keys (a.k.a. smart keys) for the HYPR Passwordless client.

Definitions

| Acronym | Definition |
| --- | --- |
| PIN | A personal identification number (PIN) is a set of characters used to unlock the smart card for use. For example, the Windows operating system allows numbers or letters for a PIN. macOS only supports numbers for PINs. The PIN is a decentralized secret the user should not share. The PIN is bound to an authenticator and used to unlock it. In the case of a hardware security key, such as a Yubico YubiKey, the PIN resides on the key and unlocks the authenticator that uses public/private key cryptography to perform authentication. |
| PUK | A PIN unblocking key (PUK) is a code that is used by users or applications to reset a PIN that has been lost, forgotten, or locked because of too many failed attempts. The PUK is part of the PIV standard that the key follows. |
| PIV | Personal Identity Verification (PIV), frequently referred to as a PIV Card, commonly refers to the United States Federal smart card that contains the data necessary for the cardholder to be granted access to Federal facilities and information systems and to assure appropriate levels of security for all applicable Federal uses. It is also a general term for smart cards and the associated protocols and standards used for authenticating users securely. |

Registering Your Key

Enrollment

  1. Open the HYPR Passwordless client.
  2. Click Start Pairing. You will be given a choice of pairing a Smartphone or pairing with a Security Key.
  3. Select Security Key to continue.

🚧

Connect First

Make sure you are connected to your secure network, or the following message will appear upon clicking Start Pairing. If this occurs, just connect to your secure network and click Try again.

  4. A browser dialog will prompt you to enter the PIN provided by your administrator or through the instruction guide which accompanied your device.
  5. Enter the new PIN, then confirm it in the following field.

📘

PIN Length

The PIN must be between 6 and 8 characters.

📘

PIN Complexity Enforcement

Users are not allowed to choose repeating digits in PINs, such as 111111.

  6. Click Finish.
  7. Wait for enrollment to complete. You may be asked to authenticate to the workstation.
  8. Click Finish to view the paired device.

The HYPR Passwordless client returns to the main screen. The paired security key now appears here with Edit (pencil icon) and Delete (trash can icon) options.
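The PIN rules stated on this page (length, repeating digits, matching confirmation, a new PIN that differs from the current one, and the per-platform character sets from the Definitions table) collected into one pre-check. This is an added example, not HYPR's code; the function name, the violation labels, and the reading of "repeating digits" as a single character repeated throughout are assumptions.

```python
MIN_LEN, MAX_LEN = 6, 8  # page: "The PIN must be between 6 and 8 characters."

# Violation labels (assumed names) mapped to the wording this page uses.
MESSAGES = {
    "length": "PIN must be between 6 and 8 characters",
    "charset": "PIN contains characters this platform does not accept",
    "repeating": "PIN is made of one repeated character (e.g., 111111)",
    "mismatch": "PINs do not match",
    "same_as_current": "Please use a different PIN",
}


def check_new_pin(new_pin, confirm_pin, current_pin=None, platform="windows"):
    """Return the list of violated rules; an empty list means the PIN passes."""
    problems = []
    if not MIN_LEN <= len(new_pin) <= MAX_LEN:
        problems.append("length")
    # Definitions table: Windows allows numbers or letters, macOS only numbers.
    # isascii() keeps non-ASCII digits and letters from slipping through.
    if platform == "macos":
        charset_ok = new_pin.isascii() and new_pin.isdigit()
    else:
        charset_ok = new_pin.isascii() and new_pin.isalnum()
    if not charset_ok:
        problems.append("charset")
    # Assumption: "repeating digits" = a single character repeated throughout.
    if new_pin and len(set(new_pin)) == 1:
        problems.append("repeating")
    if new_pin != confirm_pin:
        problems.append("mismatch")
    if current_pin is not None and new_pin == current_pin:
        problems.append("same_as_current")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, reusing PIN values quoted on this page.
    samples = [
        ("190753", "190753", None, "windows"),
        ("111111", "111111", None, "windows"),
        ("123098", "123099", None, "windows"),
        ("abc123", "abc123", None, "macos"),
        ("190753", "190753", "190753", "windows"),
    ]
    for new, confirm, current, plat in samples:
        found = check_new_pin(new, confirm, current, plat)
        print(new, plat, [MESSAGES[p] for p in found] or "OK")
```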

Authentication

  1. Insert your paired Security Key into the USB port of the computer. Windows will offer the smartcard icon as an additional login option.
  2. Click the smartcard icon and type your PIN.
  3. Press Enter on your keyboard or click the submit arrow to log in.

Deregistration

📘

Security Key PIV Reset

Deregistration resets the entire PIV area on a security key, which may include the PIN, PUK, management key, and certificates.

  1. Open the HYPR Passwordless client.
  2. Click the trash can icon under the key you wish to remove.
  3. Confirm the deregistration request.

Updating the Key's PIN

  1. Open the HYPR Passwordless client.
  2. Click the pencil icon under the key you wish to update.
  3. Enter your current PIN; then enter your new PIN twice.
  4. Click Finish to save.

Certificate Renewal for Security Keys

In an effort to avoid certificate expiration, HYPR has streamlined the Certificate renewal process for security keys. See Certificate Renewal for Security Keys for a full description of the experience.

Troubleshooting

Enrollment

The user's computer is not connected to a VPN during the pairing process.

Problem
When I register by clicking the security key button I receive an error message about the company network.

Solution

  • Ensure that the user is connected to VPN
  • Close the application
  • Open the application and try to pair again

The security key isn't inserted.

Problem
When I register by clicking the security key button I see an error message that my security key isn't plugged in.

Solution

  • Insert or remove/reinsert the security key into the USB port
  • Try to pair again

Entered PIN doesn't meet complexity requirements.

Problem
A warning appears beside the PIN fields when clicking Finish.

Solution

  • Type a stronger PIN combination (e.g., 190753 instead of 111111)

The New PIN entered doesn't match the Confirm New PIN entry.

Problem
User sees "PINs do not match" when clicking Finish.

Solution

  • Ensure that New PIN and Confirm New PIN fields match (e.g., you need to enter 123098 in both fields)

User entered an incorrect PIN too many times.

Problem
Too many failed attempts when trying to enroll.

Solution

  • An admin needs to reset the security key PIV and ensure that users know the default PIN value

The new PIN is identical to the current one.

Problem
Users see a "Please use a different PIN" message when trying to enroll a new key or edit the key's PIN.

Solution

  • User should use a PIN which is different from the current PIN
  • If this happens during enrollment, select Try Default PIN and try again

The Temporary PIN is incorrect.

Problem

The Temporary PIN is not the right one.

Solution

  • Use the correct PIN
  • Check Try Default PIN to use the factory default

Authentication

The user typed an invalid PIN three times.

Problem
The smart card is blocked.

Solution

  • An admin needs to reset the PIN on the security key
  • Re-enroll using the new PIN

Certificate not found on the security key.

Problem
No valid certificates were found on this smart card.

Solution

  • Reboot the computer and try again
  • Attempt to log in with other authentication methods and try again
  • Unplug the security key and reinsert it; then try again

User is not connected to the secure network

Problem
The revocation status for the domain controller certificate card authentication could not be determined...

Solution

  • Connect to your company VPN and try again
  • Ensure that the computer can reach the domain controller and try again