Pairing with a Security Key
Using the HYPR Workforce Access Client
Do This First
Security key support for HYPR passwordless Applications must first be enabled in the Control Center under Workstation Settings.
This document describes how to manage security keys (a.k.a. smart keys) for the HYPR Workforce Access Client.
|PIN||A personal identification number (PIN) is a set of characters used to unlock the smart card for use. For example, the Windows operating system allows numbers or letters for a PIN. macOS only supports numbers for PINs. The PIN is a decentralized secret the user should not share. The PIN is bound and used to unlock an authenticator. In the case of a hardware security key, such as a Yubico YubiKey, the PIN resides on the key and unlocks the authenticator that uses public/private key encryption to perform authentication.|
|PUK||A PIN unblocking key (PUK) is a code that is used by users or applications to reset a PIN that has been lost, forgotten, or locked because of too many failed attempts. The PUK is part of the PIV standard that the key follows.|
|PIV||Personal Identity Verification - or frequently associated together as a PIV Card - is commonly the reference to United States Federal smart card that contains the necessary data for the cardholder to be granted to Federal facilities and information systems and assure appropriate levels of security for all applicable Federal uses. It is also a general means of reference for smart cards and associated protocols and standards used for authenticating users securely.|
Registering Your Key
- Open the HYPR Workforce Access Client.
- Click Start Pairing. You will be given a choice of pairing a Smartphone or pairing with a Security Key.
- Select Security Key to continue.
Make sure you are connected to your secure network, or the following message will appear upon clicking Start Pairing. If this occurs, just connect to your secure network and click Try again.
- A browser dialog will prompt you to enter the PIN provided by your administrator or through the instruction guide which accompanied your device.
- Enter the new PIN, then confirm it in the following field.
The PIN must be between 6 and 8 characters.
PIN Complexity Enforcement
Users are not allowed to choose weak PINs such as 123456 or 111111.
- Click Finish.
- Wait for enrollment to complete. You may be asked to authenticate to the workstation.
- Click Finish to view the paired device.
HYPR Workforce Access Client returns to the main screen. The paired security key now appears here with Edit (pencil icon) and Delete (trash can icon) options.
- Insert your paired Security Key into the USB port of the computer. Windows will offer the smartcard icon as an additional login option.
- Click the smartcard icon and type your PIN.
- Press Enter on your keyboard or click the submit arrow to login.
Security Key PIV Reset
Deregistration resets the entire PIV area on a security key, which may include the PIN, PUK, management key, and certificates.
- Open HYPR Workforce Access Client.
- Click the trash can icon under the key you wish to remove..
- Confirm the deregistration request.
Updating the Key's PIN
- Open HYPR Workforce Access Client.
- Click the pencil icon under the key you wish to update.
- Enter your current PIN; then enter your new PIN twice.
- Click Finish to save.
- The user's computer is not connected to a VPN during the pairing process.
When I register by clicking the security key button I receive an error message about the company network.
- Ensure that the user is connected to VP
- Close the application
- Open the application and try to pair again
- Security key isn't inserted.
When I register by clicking the security key button I see an error message that my security key isn't plugged in.
- Insert or remove/reinsert the security key into the USB port
- Try to pair again
- Entered PIN doesn't meet complexity requirements.
A warning appears beside the PIN fields when clicking Finish.
- Type a stronger PIN combination. (e.g., 190753 instead of 123456)
- The New PIN entered doesn't match the Confirm New PIN entry.
User sees PINs do not match when clicking Finish.
- Ensure that New PIN and Confirm New PIN fields match (e.g., you need to enter 123098 in both fields)
- User entered an incorrect PIN too many times.
Too many failed attempts when trying to enroll.
- An admin needs to reset the security key PIV and ensure that users know the default PIN value.
- The new PIN is identical to the current one.
Users see "Please use a different PIN" message when trying to enroll a new key or edit the key's PIN.
- User should use a PIN which is different from the current PIN
- If this happens during enrollment, select Try Default PIN and try again
- The Temporary PIN is incorrect.
The Temporary PIN is not the right one.
- Use the correct PIN
- Check Try Default PIN to use the factory default
- The user typed an invalid PIN three times.
The smart card is blocked.
- An admin needs to reset the PIN on the security key
- Re-enroll using the new PIN
- Certificate not found on the security key.
No valid certificates were found on this smart card.
- Reboot the computer and try again
- Attempt to login with other authentication methods and try again
- Unplug the security key and reinsert it; then try again
- User is not connected to the secure network
The revocation status for the domain controller certificate card authentication could not be determined...
- Connect to your company VPN and try again
- Ensure that the computer can reach the domain controller and try again
Updated 26 days ago