Passwordless Client Security Best Practices

This page describes the best security practices to follow in the HYPR Passwordless client when configuring it for your organization.

The Big Picture

For additional security suggestions, see Control Center Security Best Practices and HYPR Mobile App Security Best Practices.

Additionally, if you have implemented the HYPR RADIUS Server, see the HYPR RADIUS Server Security Best Practices article.

Lockout Settings

To provide additional security for Offline and Recovery PINs and prevent potential Brute Force Attacks, HYPR recommends enforcing the Lockout Settings in Active Directory for all user accounts. This policy locks a user account after the PIN is entered incorrectly X times.

You can learn more about configuring Lockout Settings in the Microsoft documentation.

You can also adjust the number of allowed retry attempts for certain security keys or smart-cards. See HYPR Passwordless Manual Installation instructions for full details on how to configure these options.

Log Security

By default, the HYPR Passwordless client allows user accounts without admin privileges to access the application log files. This is recommended practice during the initial deployment phase to ensure users can send log files to Admins or HYPR support for troubleshooting. However, after the initial deployment phase is over you should restrict log access to only accounts with local admin privileges.

Setting Log Levels

The HYPR Passwordless client Log Level can be adjusted to limit the amount of data that is logged. The following values can be used to adjust the logging:

  • 0 = No logging

  • 1 = Adds Fatal errors

  • 2 = Adds Errors

  • 3 = Adds Warnings

  • 4 = Adds more Information events

  • 5 = Default setting; debug logging

  • 6 = Increase to more verbose logging

On the Level

Level 5 is enabled by default as this provides the needed amount of information for troubleshooting and technical support. Please be aware that reducing the logging level will significantly hinder HYPR's ability to provide technical support.

This log level can be adjusted as follows:

Windows

  • Edit the Windows registry's Log level entry located in HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access

Mac

  • Edit the LogLevel property in the file, /Library/HYPR/HyprOneService.plist

Setting Log Access on Windows

For controlling access to the C:\Program Files\HYPR\Log folder, you can set parameters when installing the HYPR Passwordless client or edit the Windows Registry after install. See HYPR Registry Keys for more information regarding Windows installation parameters and changing HYPR values in the Registry.

During Installation

For setting access to the logs folder on Windows during a fresh install, include the configuration parameter HYPRPROTECTLOGS (in MSI) or protectLogs (in hypr.json).

  • Set to "1" to make the folder readable only by users who belong to the built-in Administrators group

  • Set to "0" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on Windows after installation, use RegEdit to change the HYPR Protect Logs key in the Registry. The values are the same as those used during installation. Note that Protect Logs is only created when you set the appropriate parameter during install, so you may have to add it.
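The following PowerShell check is an added example, not part of HYPR's documentation or product: run after the initial deployment phase, it reports whether the Windows log hardening described above is in effect. It assumes the registry values are named Protect Logs and Log level under HKLM\SOFTWARE\HYPR Workforce Access and are stored as DWORDs; the folder ACL check is independent of those names.

```powershell
# Added example (not HYPR's code). Assumed value names: 'Protect Logs' and
# 'Log level' as DWORDs under the HYPR Workforce Access key.
$HyprKey    = 'HKLM:\SOFTWARE\HYPR Workforce Access'
$HyprLogDir = 'C:\Program Files\HYPR\Log'

function Test-HyprLogHardening {
    param(
        [string]$RegistryPath = $HyprKey,
        [string]$LogPath      = $HyprLogDir
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $reg = Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue

    if (-not $reg) {
        $findings.Add("Registry key not found: $RegistryPath")
    } else {
        # 'Protect Logs' exists only if HYPRPROTECTLOGS/protectLogs was set at install time.
        $protect = $reg.PSObject.Properties['Protect Logs']
        if (-not $protect) {
            $findings.Add("'Protect Logs' is absent (folder defaults to world read/write); add it and set to 1")
        } elseif ([int]$protect.Value -ne 1) {
            $findings.Add("'Protect Logs' is $($protect.Value); expected 1 after initial deployment")
        }
        # Level 5 is the supported default; anything above it only adds verbosity.
        $level = $reg.PSObject.Properties['Log level']
        if ($level -and [int]$level.Value -gt 5) {
            $findings.Add("'Log level' is $($level.Value); verbose logging above 5 is still enabled")
        }
    }

    # Check the effective ACL: an Allow rule granting write rights to a broad
    # principal means non-admin users can still modify or plant log files.
    if (Test-Path $LogPath) {
        $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
        $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl
        foreach ($ace in (Get-Acl -Path $LogPath).Access) {
            $grantsWrite = ([int]($ace.FileSystemRights -band $writeMask)) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
                ($broad -contains $ace.IdentityReference.Value)) {
                $findings.Add("$($ace.IdentityReference) can write to $LogPath ($($ace.FileSystemRights))")
            }
        }
    } else {
        $findings.Add("Log folder not found: $LogPath")
    }
    [pscustomobject]@{ Hardened = ($findings.Count -eq 0); Findings = $findings }
}

Test-HyprLogHardening | Format-List
```

Run it from an elevated prompt on a workstation that has the client installed; an empty Findings list with Hardened = True means log access is limited to local administrators.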

Setting Log Access on macOS

For controlling access to the /Library/Logs/HYPR folder, you can set parameters when installing the HYPR Passwordless client or edit the HyprOneService.plist file after install. See HYPR Application .plist Keys for more information about macOS installation parameters and editing the .plist file.

During Installation

For setting access to the logs folder on macOS during a fresh install, include the configuration parameter protectLogs in hypr.json.

  • Set to "true" to make the folder readable only by Administrator users

  • Set to "false" (or omit the parameter) to make the folder readable and writable by all users

After Installation

To set access to the logs folder on macOS after installation, change the ProtectLogs value in the HyprOneService.plist file:

sudo /usr/libexec/PlistBuddy -c "Set ProtectLogs true|false" /Library/HYPR/HyprOneService.plist

The values are the same as those used during installation. Note that it can take up to 30 seconds for the change to propagate.

Security Key PIN Complexity

To enforce PIN complexity for user security keys or smart-cards, workstations can be configured at installation for the type of PIN (Alphanumeric/Numeric/Any) and how long the PIN must be. PIN Complexity rules such as rejecting repeating and sequential numbers have been incorporated by default as of HYPR 9.3.0. See HYPR Passwordless Manual Installation instructions for full details on how to administer these options; for the user experience, see Using a Security Key.

Windows

Require User Presence for Registration

Additional measures can be implemented on HYPR Passwordless for Windows deployments to remove the risk of an attacker adding their mobile device while the user's workstation is unattended – for example, the user walks away but leaves the screen or device unlocked.

For additional user verification during workstation device registration, administrators can require users to re-authenticate during pairing to prove their identity. This is configurable in Control Center (CC) under Workstation Settings.

Additional Certificate Revocation Checks

In addition to Windows' native certificate revocation checks, HYPR Passwordless for Windows can be configured to attempt a revocation check before the user is logged into the workstation. This is configurable on HYPR Passwordless through the User Account Check setting.

Non-exportable Private Keys

For sites wishing to protect security key or smart-card users' private keys, the HYPR Passwordless for Windows client supports an additional installation parameter (via both .json and .msi configuration) that causes private keys to be generated on the security key or smart-card and never leave that device. This option works alongside the existing mobile certificate template; however, it is mutually exclusive with Security Key Recovery Mode functionality, which depends on exportable private keys.