Security Best Practices

This page describes the best security practices to follow when configuring HYPR Workforce Access for your organization.

Offline PINs
Recovery PINs
Lockout Settings
Log Security

Offline PINs

📘 Configuration

This feature is enabled by default but can be disabled through the HYPR Control Center (CC).

PIN Length

The PIN Length setting controls how many alphanumeric characters users must enter on the workstation login screen when their mobile device or the workstation itself is offline.

To balance security concerns with user convenience, the offline PIN Length is set to 8 characters by default. However, longer PINs are recommended for additional security. You can set the length to between 6 and 13 characters as your organization requires.

To change the default length, enter a new value under Workstation Settings > PIN Length in the HYPR CC.


Number of Offline PINs

The Number of Offline PINs setting limits how many times a user can access their machine while offline before they must log in online to refresh their PIN count.

The default is 25 but can be set to anywhere from 10 to 100.

To change the default number, enter a new value under Workstation Settings > Number of Offline PINs in the HYPR CC.


Offline Access Days

Offline Access Days establishes the validity period for Offline PINs. Users must perform at least one online authentication within the configured time period to refresh their already received PINs.

The default is 30 days, but you can set it anywhere between 7 and 90 days.

To change the default access days, enter a new value under Workstation Settings > Offline Access Days.


🚧 Security Considerations

By setting Offline Access Days and the Number of Offline PINs higher, you risk partially compromising security because an online authentication won't be required for a longer period of time. Online authentication is inherently more secure since it always uses the latest authentication policy and ensures the user is still authorized to access the workstation based on your Active Directory and HYPR CC settings.

Recovery PINs

📘 Configuration

This feature is enabled by default but can be disabled through the HYPR CC.

Recovery PIN Length

The Recovery PIN Length setting controls how many alphanumeric characters users must enter on the workstation login screen when they request a recovery PIN. To balance security concerns with user convenience, the Recovery PIN Length is set to 8 characters by default. However, longer PINs are recommended for additional security. You can set the length to between 6 and 13 characters as your organization requires.

To change the default length, enter a new value under Workstation Settings > Recovery PIN Length in the HYPR CC.


Recovery PIN Counter

Recovery PIN Counter limits the number of recovery PINs generated during the pairing process and subsequently available in the CC for an administrator to provide to the user. The default is 5, but you can set the count anywhere between 1 and 10.

Setting the count higher potentially allows users to access the computer without the Mobile App or a security key for a longer period.


To change the default count, enter a new value under Workstation Settings > Recovery PIN Counter in the HYPR CC.

Recovery PIN Lifespan

The Recovery PIN Lifespan setting establishes the validity period for the PIN. The timer starts when the user logs in with the PIN for the first time; when it expires, the user must either contact an administrator to receive a new PIN or use the Mobile App to log in. The default is 72 hours, but you can set the lifespan anywhere between 24 and 72 hours.

Setting the lifespan higher potentially allows users to access the computer without the Mobile App or a security key for a longer period.

To change the default lifespan, enter a new value under Workstation Settings > Recovery PIN Lifespan in the HYPR CC.


Lockout Settings

To provide additional security for Offline and Recovery PINs and prevent potential brute force attacks, HYPR recommends enforcing the Lockout Settings in Active Directory for all user accounts. This policy locks a user account if the PIN is entered X number of times incorrectly.

You can learn more about configuring Lockout Settings in the Microsoft documentation.
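The Offline PIN, Recovery PIN and Lockout sections above describe several numeric settings and the trade-off each one makes. The following Python script is an added example (not HYPR code) that encodes the documented ranges and defaults from this page as a settings review, and quantifies the brute-force exposure a given PIN length leaves once an Active Directory lockout threshold caps the number of incorrect attempts. The dictionary keys used for the settings are hypothetical labels chosen here, not HYPR CC identifiers, and "alphanumeric" is assumed to mean digits plus one case of letters (36 symbols).

```python
"""Review HYPR Workforce Access workstation PIN settings against the ranges
this page documents, and estimate how much of the PIN keyspace a lockout
threshold leaves reachable.  Added example, not HYPR's code; the setting
names used as dict keys are hypothetical labels, not HYPR CC identifiers."""

# (min, max, default) per setting, taken from this page.
DOCUMENTED_RANGES = {
    "pin_length": (6, 13, 8),                     # Offline PIN Length
    "offline_pin_count": (10, 100, 25),           # Number of Offline PINs
    "offline_access_days": (7, 90, 30),           # Offline Access Days
    "recovery_pin_length": (6, 13, 8),            # Recovery PIN Length
    "recovery_pin_counter": (1, 10, 5),           # Recovery PIN Counter
    "recovery_pin_lifespan_hours": (24, 72, 72),  # Recovery PIN Lifespan
}

# Settings where a larger value postpones the next mandatory online
# authentication (the page's "Security Considerations" point).
EXPOSURE_WINDOW_SETTINGS = {
    "offline_pin_count", "offline_access_days",
    "recovery_pin_counter", "recovery_pin_lifespan_hours",
}

# Assumption: "alphanumeric" is read as digits plus one case of letters.
ALPHABET_SIZE = 36


def check_settings(settings: dict) -> list:
    """Return human-readable findings; an empty list means every setting is
    within its documented range and no looser than the default."""
    findings = []
    for name, (low, high, default) in DOCUMENTED_RANGES.items():
        value = settings.get(name, default)
        if not low <= value <= high:
            findings.append(f"{name}={value} is outside the documented range {low}-{high}")
        elif name in EXPOSURE_WINDOW_SETTINGS and value > default:
            findings.append(f"{name}={value} exceeds the default {default}; "
                            "online authentication will be required less often")
        elif name.endswith("pin_length") and value < default:
            findings.append(f"{name}={value} is shorter than the default {default}; "
                            "longer PINs are recommended")
    return findings


def keyspace(pin_length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct PINs of the given length."""
    return alphabet_size ** pin_length


def guess_probability(pin_length: int, attempts: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Chance that `attempts` distinct guesses include a uniformly random PIN.
    With an Active Directory lockout threshold in place, `attempts` is that
    threshold; without one it is bounded only by the attacker's patience."""
    return min(1.0, attempts / keyspace(pin_length, alphabet_size))


if __name__ == "__main__":
    # Constructed sample configurations: one tightened, one loosened.
    hardened = {"pin_length": 10, "offline_access_days": 14}
    loosened = {"pin_length": 6, "offline_access_days": 90, "recovery_pin_counter": 10}
    print("hardened:", check_settings(hardened) or "no findings")
    print("loosened:", *check_settings(loosened), sep="\n  ")
    for length in (6, 8, 13):
        print(f"length {length}: 10 guesses before lockout cover "
              f"{guess_probability(length, 10):.2e} of the keyspace")
```

The review flags only two kinds of deviation, both drawn from this page: values outside the documented range, and values that widen the window before an online authentication is next required (or shorten the PIN below the default). The probability helper makes the Lockout Settings recommendation concrete: the fraction of the keyspace reachable before lockout is the threshold divided by 36 raised to the PIN length, which is why length and lockout together, rather than either alone, keep guessing impractical.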

Log Security

By default, the HYPR Workforce Access client allows user accounts without administrator privileges to access the application log files. This is recommended practice during the initial deployment phase to ensure users can send log files to administrators or HYPR Support for troubleshooting. However, once the initial deployment phase is over, you should restrict log access to accounts with local administrator privileges only.

Setting Log Access on Windows

You can control access to the C:\Program Files\HYPR\Log folder by setting parameters when installing the HYPR Workforce Access client or by editing the Windows registry after install. See Installation and Configuration for more information about Windows installation parameters and changing HYPR values in the registry.

During Installation

To set access to the logs folder on Windows during a fresh install, include the configuration parameter HYPRPROTECTLOGS (in MSI) or protectLogs (in hypr.json).

  • Set to 1 to make the folder readable only by users who belong to the built-in Administrators group
  • Set to 0 (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on Windows after installation, use RegEdit to change the HYPR Protect Logs key in the registry. The values are the same as those used during installation (see above). Note that Protect Logs is only created when you set the appropriate parameter during install, so you may need to add it.

Setting Log Access on macOS

You can control access to the /Library/Logs/HYPR folder by setting parameters when installing the HYPR Workforce Access client or by editing the HyprOneService.plist file after install. See Installation and Configuration for more information about macOS installation parameters and editing the .plist file.

During Installation

To set access to the logs folder on macOS during a fresh install, include the configuration parameter protectLogs in hypr.json.

  • Set to true to make the folder readable only by administrator users
  • Set to false (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on macOS after installation, change the ProtectLogs value in the HyprOneService.plist file:

sudo /usr/libexec/PlistBuddy -c "Set ProtectLogs true|false" /Library/HYPR/HyprOneService.plist

The values are the same as those used during installation (see above). Note that it can take up to 30 seconds for the change to propagate.
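To check and apply the log-protection setting described in the Windows and macOS sections above from a script, the following Python example (added here, not HYPR code) normalises the `protectLogs` value found in a hypr.json (1/0 on Windows, true/false on macOS, as the page states) and flips the `ProtectLogs` boolean in a HyprOneService.plist using Python's standard `plistlib` instead of the PlistBuddy command shown above. It assumes both keys sit at the top level of their files; the sample hypr.json and plist contents are constructed for illustration and contain no other keys, because this page does not document any.

```python
"""Inspect and harden the HYPR Workforce Access log-protection setting.
Added example, not HYPR code.  Assumes hypr.json carries a top-level
"protectLogs" key (1/0 on Windows, true/false on macOS, per the page) and
that HyprOneService.plist carries a top-level "ProtectLogs" boolean.
The sample file contents below are constructed for illustration."""
import json
import plistlib


def logs_protected(hypr_json_text: str) -> bool:
    """Return True only when protectLogs is explicitly enabled.
    A missing key leaves the log folder readable and writable by all users,
    so absence is treated as 'not protected'."""
    config = json.loads(hypr_json_text)
    value = config.get("protectLogs", 0)
    # Windows installs use 1/0, macOS installs use true/false; accept both,
    # plus the string forms an installer script might emit.
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true")
    return False


def protect_logs_enabled(plist_bytes: bytes) -> bool:
    """Read the ProtectLogs boolean from plist bytes (missing -> False)."""
    return bool(plistlib.loads(plist_bytes).get("ProtectLogs", False))


def set_protect_logs(plist_bytes: bytes, protect: bool) -> bytes:
    """Return the plist with ProtectLogs set; this is the same change the
    page makes with PlistBuddy's `Set ProtectLogs true|false`, done in-process
    so it can be reviewed before writing the file back with sudo."""
    data = plistlib.loads(plist_bytes)
    data["ProtectLogs"] = protect
    return plistlib.dumps(data)


# Constructed samples (not real HYPR files).
SAMPLE_HYPR_JSON_WINDOWS = '{"protectLogs": 1}'
SAMPLE_HYPR_JSON_MACOS = '{"protectLogs": true}'
SAMPLE_HYPR_JSON_OMITTED = '{}'
SAMPLE_PLIST = plistlib.dumps({"ProtectLogs": False})


if __name__ == "__main__":
    for label, text in (("windows", SAMPLE_HYPR_JSON_WINDOWS),
                        ("macos", SAMPLE_HYPR_JSON_MACOS),
                        ("omitted", SAMPLE_HYPR_JSON_OMITTED)):
        print(f"hypr.json ({label}): protected={logs_protected(text)}")
    hardened = set_protect_logs(SAMPLE_PLIST, True)
    print("plist before:", protect_logs_enabled(SAMPLE_PLIST))
    print("plist after: ", protect_logs_enabled(hardened))
```

The two readers deliberately treat an absent key as unprotected, matching the page's note that omitting the parameter leaves the folder readable and writable by all users; a post-deployment audit script should therefore report "missing" the same way it reports an explicit 0 or false. Writing the modified plist back to /Library/HYPR/HyprOneService.plist still requires root, and, as noted above, the change can take up to 30 seconds to propagate.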