Best Security Practices

This page describes the best security practices to follow when configuring HYPR Workforce Access for your organization.

Offline PINs
Recovery PINs
Lockout Settings
Log Security

Offline PINs

Configuration

This feature is enabled by default but can be disabled through the HYPR Control Center.

PIN Length

The PIN Length setting controls how many alphanumeric characters users will need to enter on the workstation login screen when their mobile device or the workstation itself is offline.

To balance security concerns with user convenience, the Offline PIN length is set to eight characters by default. However, longer PINs are recommended for additional security. You can set the length to between six and thirteen characters as your organization requires.

To change the default length, enter a new value under Workstation Settings > PIN Length in the HYPR Control Center.

Number of Offline PINs

The Number of Offline PINs setting limits the number of times a user can access their machine while offline before they need to do an online login to refresh their PIN count.

The default is 25, but you can set the number anywhere from ten to 100.

To change the default number, enter a new value under Workstation Settings > Number of Offline PINs.

Offline Access Days

The Offline Access Days setting establishes the validity period for Offline PINs. Users have to perform at least one Online Authentication within the configured time period to refresh the PINs they have already received.

The default is thirty days, but you can set it anywhere between seven and 90 days.

To change the default access days, enter a new value under Workstation Settings > Offline Access Days.

Security Considerations

By setting Offline Access Days and the Number of Offline PINs higher, you risk partially compromising security because an Online Authentication won't be required for a longer period of time. Online Authentication is inherently more secure since it always uses the latest authentication policy and ensures the user is still authorized to access the workstation based on your Active Directory and HYPR Control Center settings.

Recovery PINs

Configuration

This feature is enabled by default but can be disabled through the HYPR Control Center.

PIN Length

The Recovery PIN Length setting controls how many alphanumeric characters users will need to enter on the workstation login screen when they request a Recovery PIN. To balance security concerns with user convenience, the Recovery PIN length is set to eight characters by default. However, longer PINs are recommended for additional security. You can set the length to between six and thirteen characters as your organization requires.

To change the default length, enter a new value under Workstation Settings > Recovery PIN Length in the HYPR Control Center.

Recovery PIN Counter

The Recovery PIN Counter setting limits the number of Recovery PINs generated during the pairing process and subsequently available in the Control Center for an Admin to provide to the user. The default is five, but you can set the count anywhere between one and ten.

Setting the count higher potentially allows users to access the computer without the Mobile App or a security key for a longer period.

To change the default count, enter a new value under Workstation Settings > Recovery PIN Counter in the HYPR Control Center.

Recovery PIN Lifespan

The Recovery PIN Lifespan setting establishes the validity period for the PIN. The timer starts when the user logs in with the PIN for the first time; when it expires, the user must either contact an Admin to receive a new PIN or use the Mobile App to log in. The default is 72 hours, but you can set the lifespan anywhere between 24 and 72 hours.

Setting the lifespan higher potentially allows users to access the computer without the Mobile App or a security key for a longer period.

To change the default lifespan, enter a new value under Workstation Settings > Recovery PIN Lifespan in the HYPR Control Center.

Lockout Settings

To provide additional security for Offline and Recovery PINs and to reduce the risk of brute-force PIN guessing, HYPR recommends enforcing the Lockout Settings in Active Directory for all user accounts. This policy locks a user account after the PIN is entered incorrectly a configured number of times.

You can learn more about configuring Lockout Settings in the Microsoft documentation.

Log Security

By default, the HYPR Workforce Access client allows user accounts without admin privileges to access the application log files. This is recommended practice during the initial deployment phase to ensure users can send log files to Admins or HYPR support for troubleshooting. However, after the initial deployment phase is over, you should restrict log access to accounts with local admin privileges only.

Setting Log Access on Windows

You can control access to the C:\Program Files\HYPR\Log folder by setting parameters when installing the HYPR Workforce Access client or by editing the Windows Registry after install. See Installation and Configuration for more information about Windows installation parameters and changing HYPR values in the Registry.

During Installation

To set access to the logs folder on Windows during a fresh install, include the configuration parameter HYPRPROTECTLOGS (in MSI) or protectLogs (in hypr.json).

  • Set to "1" to make the folder readable only by users who belong to the built-in Administrators group
  • Set to "0" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on Windows after installation, use RegEdit to change the HYPR Protect Logs key in the Registry. The values are the same as those used during installation (see above). Note that Protect Logs is only created when you set the appropriate parameter during install, so you may need to add it.

Setting Log Access on macOS

You can control access to the /Library/Logs/HYPR folder by setting parameters when installing the HYPR Workforce Access client or by editing the HyprOneService.plist file after install. See Installation and Configuration for more information about macOS installation parameters and editing the .plist file.

During Installation

To set access to the logs folder on macOS during a fresh install, include the configuration parameter protectLogs in hypr.json.

  • Set to "true" to make the folder readable only by Administrator users
  • Set to "false" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on macOS after installation, change the ProtectLogs value in the HyprOneService.plist file:

sudo /usr/libexec/PlistBuddy -c "Set ProtectLogs true|false" /Library/HYPR/HyprOneService.plist

The values are the same as those used during installation (see above). Note that it can take up to 30 seconds for the change to propagate.
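Because the macOS change can take up to 30 seconds to propagate, a single check right after the PlistBuddy command can give a false negative. The following added example (not part of the HYPR documentation or product) polls the log folder's POSIX mode bits until "other" users lose read access or a timeout expires; it assumes the folder path from this page and only inspects mode bits, not macOS ACLs.

```shell
#!/bin/sh
# Added example, not HYPR's code. Verifies that the HYPR log folder is no
# longer world-readable after ProtectLogs is set, polling because the change
# can take up to 30 seconds to apply. Checks POSIX mode bits only; an ACL
# granting extra read access (or root, which reads everything) is not detected.

# log_protected DIR -> 0 if "other" users have no read bit on DIR, 1 otherwise
log_protected() {
    dir=$1
    [ -d "$dir" ] || return 1
    # ls -ld prints a mode string such as "drwxr-x---"; columns 8-10 are the
    # "other" permission bits (a trailing "@" or "+" on macOS comes later).
    other=$(ls -ld "$dir" | cut -c8-10)
    case $other in
        *r*) return 1 ;;   # still readable by every local user
        *)   return 0 ;;
    esac
}

# wait_for_log_protection DIR SECONDS -> 0 once DIR stops being world-readable
# within SECONDS (default 30), 1 if the timeout expires first.
wait_for_log_protection() {
    dir=$1
    deadline=${2:-30}
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        if log_protected "$dir"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    log_protected "$dir"
}

# Real use on macOS, after the PlistBuddy command from this page (assumed
# paths taken from the page; not executed here):
#   sudo /usr/libexec/PlistBuddy -c "Set ProtectLogs true" /Library/HYPR/HyprOneService.plist
#   wait_for_log_protection /Library/Logs/HYPR 30 \
#       && echo "log folder protected" || echo "log folder still world-readable"
```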

Updated 12 days ago
