Skip to main content
Version: 10.3.0

HYPR Affirm: Overview

Introduction

HYPR Affirm is an automated identity verification (IdV) solution designed to ensure that employees and customers are who they claim to be at all times. It provides fast, secure, and passwordless verification for onboarding, account recovery, and other critical verification flows.

Key Features:

  • Prevents identity fraud using advanced verification technologies
  • Streamlines and automates identity verification, reducing administrative overhead
  • Enables continuous identity proofing and re-verification throughout the user lifecycle
  • Supports secure and accurate verification methods, including:
    • Document verification (e.g., passports, driver's licenses)
    • Facial recognition with spoof detection
    • Location detection and compliance
    • Chat and video verification (AI and human interaction)
    • Manager attestation for added assurance

Benefits:

  • Enhanced security by eliminating passwords and using biometric authentication
  • Improved user experience with fast, intuitive verification and reduced friction
  • Regulatory compliance support (NIST IAL2, PCI DSS, GDPR, CCPA)
  • Flexible integration with various credential systems and support for Zero Trust frameworks

How it Works

HYPR Affirm adopts a flow model for identity verification. Users are given a URL and are guided through a series of steps (screens), in which users are asked to present identifying information. Configuring Affirm as an administrator involves creating a verification flow by choosing which verification steps are to be included in the verification flow. Once the verification flow has been created, Affirm generates a URL to be given to the end user.

First, you assign Applications which will use HYPR Affirm. Then you choose the verification flow to check the identity of employees by one or more of the following methods:

  • Phone Number and/or SMS confirmation

  • Location data based upon IP address

  • Live chat and/or video with an assigned Approver

  • Document uploads (passport, etc.)

Then assign one or more Approvers to verify the Requester. If you are using an Identity Provider, HYPR can ascertain the individual's immediate report-to (Manager) from there. If not, Approvers can be individually assigned to the flow.

HYPR Affirm Events are logged in the Audit Trail tab; actual approvals and denials are logged in the Activity Log tab.

HYPR Affirm Settings are accessible via the Control Center left navigation menu.

Clicking the HYPR Affirm menu link will display the following tabs, defaulting to the first:

  • Verification Flow: Define the steps required by the requester to begin the Identity Verification process
  • Approver Assignment: Determine who will evaluate collected IdV information
  • Audit Trail: See HYPR-wide Events and related information
  • Activity Log: A record of who has made requests to which approvers, and the results

Verification Steps

Affirm offers the following verification steps:

NameDescription
Login IdentifierInitiates the HYPR Affirm IdV process. This option will always display Required.
Escalate to Live ChatIf toggled On and the requester fails the IdV flow checks, the requester is placed into a video and chat session with the approver.
Phone Number VerificationSMS Code requires the requester to enter an SMS code sent to a phone number or email address.
LocationA location based upon the requester's IP address will be displayed to the approver.
Identity VerificationThis step involves presenting a document (such as passport or driver's license) that gets compared against the identity data from HR. It may optionally include a liveness check.
Photo ID and Liveness CaptureRequires upload of a valid photo ID and a subsequent real-time selfie, both of which will be compared to each other to verify a match. This step does not inspect identity data and only concerns image comparison to mitigate risks of deepfakes.
Approver Chat and VideoOpens a chat window between the approver (often a manager) and the requester.
AttestationRequired in order for the verification flow to issue an Outcome. An approver must review the request before the Outcome is issued. The approver is either a person or HYPR automated approval. HYPR automated approval calculates approval based on the results of the previous steps.
Verified OutcomeWhat to do after the verification succeeds.
Unverified OutcomeWhat to do after the verification fails.

Details for each of these steps can be found on the HYPR documentation website. See Administering HYPR Affirm for more information.

Pre-configured Verification Flows

To accelerate verification flow creation, Affirm offers several canned verification flows based on business use case and desired friction level:

  • Onboarding: for new hire scenarios
  • Recovery Flow: for credential recovery
  • CC Admin: for onboarding HYPR Control Center admin accounts

For each scenario, you may choose a friction level, which refers to the number of verification steps needed to complete the verification flow. There are six levels of friction:

  • Highest
  • High
  • Medium
  • Low
  • Lowest
  • None (no verification steps are pre-selected)

See Reference: Friction Levels and Feature Flags for which verification steps are included in each friction level.

Application Assignment

Some verification scenarios require you to have configured an integration with an Identity Provider (IDP) elsewhere in the HYPR Control Center. IDP integrations allow HYPR to be used as a passwordless authentication mechanism to the IDP. Each IDP integration has an associated application name, often referred to as relying party application (or rpAppId). You will need to have an IDP integration for the following scenarios:

  • The selected Verified Outcome is Redirect to Device Manager to register a new login method
  • Identity Verification has been selected as a verification step AND you are not using an Advanced Customization to retrieve identity data from an external data source

If one of those two scenarios applies, then you will select the application during the configuration of the Affirm verification flow.

See Integrations for more information on creating an integration.

Advanced Settings

HYPR Affirm provides two types of advanced settings for flexible business scenarios:

  1. Customizations – Custom code that overrides default behavior in key parts of the verification flow. For example, you can pull identity data from an external system rather than an IDP integration by writing JavaScript code to retrieve that data as part of the IdV flow.

    Types of customizations include:

    • User Directory: Specify the user info source.
    • SMS Sending: Send SMS via a custom REST call instead of HYPR's SMS service.
    • SMS Verifying: Handle the result of a verified SMS code through a custom REST call instead of HYPR's SMS service.
    • Email: Send emails through a custom REST call instead of HYPR's SMTP servers.

    See Customizations for more details on customizations.

  2. OIDC Settings – Set up Affirm as an OIDC relying party. These settings can trigger OIDC authentication for the requester or approver at specific points in the flow. Currently, these are assignable via the HYPR Affirm API.

    • For the requester: Forces OIDC authentication at a specified part of the flow.
    • For the approver: Forces OIDC authentication before entering a verification flow to which they were invited via email or SMS.

Deployment and Configuration

A successful Affirm deployment requires careful preparation and configuration. Use the following checklist to ensure a smooth rollout:

  • Identify the Affirm verification flow steps that align with your business requirements
  • Determine the desired outcomes for successful and unsuccessful flows
  • Ensure you have access to the HYPR Control Center
  • Request the HYPR deployment team to enable the relevant functionality in your HYPR Control Center (see Feature Flags below)
  • Configure your IDP integration or external data source
  • Configure your verification flow

Configuration Tips:

  • Understand possible failure modes for document and data validation (e.g., data comparison, image integrity, visual authenticity, data consistency, age validation, etc.)
  • Add directory sources and ensure required user attributes (username, email, phone, etc.) are available for your flows
  • For Entra or Okta integrations, follow the HYPR documentation for setup steps

See Deployment Overview for more details.

Friction Levels and Feature Flags

Affirm offers several pre-configured friction levels, each determining the number and type of verification steps required in a verification flow. Choose a higher friction level for sensitive verification flows (e.g., onboarding, admin access) and a lower level for routine or low-risk scenarios.

Feature flags are set by the HYPR deployment team to enable or customize Affirm functionality. Some common flags include enabling core Affirm, CC Admin onboarding, Citrix optimization, international SMS support, helpdesk support, and watchlist checks for admins.

See Reference: Friction Levels and Feature Flags for the full friction level comparison table and a list of feature flags.

Audit Trail and Activity Log

HYPR Affirm provides an Audit Trail tab for a record of events and related information for identity verification flows. The Activity Log records who has made requests, to which approvers, and the results, including granular details such as SMS send time, phone check result, IP location, document type, verification result, and approver notes.

For screenshots and more details, see Audit Trail and Activity Log.

Example Test Cases

To validate your Affirm deployment, use example test cases that cover both functional and non-functional requirements. These include verifying document upload, system behavior on interruption, time to verify, login with new password, page response time, compliance after repeated failures, and more.

For a full list of test cases, see Reference: Friction Levels and Feature Flags.

Helpdesk Application

Affirm includes a web-based application for Helpdesk operators. Helpdesk operators are required to identify users who call in for support, which often involves shared secrets like PINs or security questions. The Affirm Helpdesk application increases security by reducing social engineering risk and relieving operators of the burden of managing shared secrets.

The application displays a list of recent Affirm verification flow attempts and their verification results, streamlining the support process and improving security.

Helpdesk Application:

HYPR Affirm API

HYPR Affirm provides an API for advanced integration and automation. The API allows you to:

  • Perform CRUD operations on verification flows and configurations
  • Test HYPR Affirm IdV flows programmatically
  • Assign advanced settings such as OIDC triggers and customizations

For detailed API documentation and usage examples, see the HYPR Passwordless API collection.