
Using Standard Security Keys

Do This First

Security key support for HYPR RP Applications must first be enabled in the Control Center under Workstation Settings.

API Calls

Calls for pairing (registering) a security key/passkey with an RP Application, including updating Recovery PINs, are described under RP Applications > Workstation > Security Keys in the HYPR Passwordless API.

This document describes how to manage security keys for the HYPR Passwordless client.

Definitions

| Acronym | Definition |
|---|---|
| PIN | A personal identification number (PIN) is a set of characters used to unlock the security key for use. The PIN is a decentralized secret the user should not share. The PIN is bound and used to unlock an authenticator. In the case of a hardware security key, such as a Yubico YubiKey, the PIN resides on the key and unlocks the authenticator that uses public/private key encryption to perform authentication. See the securityKeyPinCharacters configuration parameter description in Installing Manually. |
| PUK | A PIN unblocking key (PUK) is a code that is used by users or applications to reset a PIN that has been lost, forgotten, or locked because of too many failed attempts. The PUK is part of the PIV standard that the key follows. |
| PIV | Personal Identity Verification (PIV), often referred to as a PIV Card, commonly refers to the United States Federal smart card or security key that contains the data necessary for the holder to be granted access to Federal facilities and information systems and to assure appropriate levels of security for all applicable Federal uses. The term is also used generally for such devices and the associated protocols and standards used for authenticating users securely. |

Passwordless for Windows

Registration - Windows

Browser Registration - Windows

This flow is triggered when pairing with a security key on a Windows workstation, whether pairing with the HYPR Passwordless client or pairing with a web channel RP application.

  1. Once the dialog appears, make sure to insert the security key.

  2. Click OK on the Security key setup dialog.

  3. Click OK on the Continue setup dialog to grant permission to see the make and model of the key.

  4. Type the key's PIN and click OK.


    If you mistype the PIN, try again.


  5. Touch the contact(s) on the security key.

  6. Your security key is now registered with the app in question.



Workstation Registration - Windows

  1. Open the HYPR Passwordless client.

  2. Click Start Pairing. You will be given a choice of pairing a Smartphone or pairing with a Security Key.

  3. Select Security Key to continue.



    Connect First

    Make sure you are connected to your secure network, or a warning will appear upon clicking Start Pairing. If this occurs, just connect to your secure network and click Try again.

  4. A browser dialog will prompt you to enter the PIN provided by your administrator or through the instruction guide which accompanied your device.

  5. Enter the new PIN, then confirm it in the following field.

    PIN Requirements
    • The PIN must be between 6 and 8 characters.

    • Users are not allowed to choose repeating digits in PINs, such as 111111.

    • PINs may have no more than two consecutive numbers, such as 123987.

    • Users are not allowed to choose repeating sequences in PINs, such as 121212 or 345345; 123849 is allowed.

    • The PIN may not be left as the default value of 123456.

    • The PIN may not be on any blocklist; for example, YubiKeys prohibit 159753.

  6. Click Finish. Wait for enrollment to complete. You may be asked to authenticate to the workstation.

  7. Click Finish to view the paired device.

  8. The HYPR Passwordless client returns to the main screen. The paired security key now appears here with Edit (pencil icon) and Delete (trash can icon) options.
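The PIN Requirements listed under step 5 above, expressed as a pre-check that reports which rules a candidate PIN breaks. This is an added example, not HYPR's code. Assumptions: the function name, the one-entry blocklist, and the reading of "repeating digits" (one character filling the PIN) and "repeating sequences" (one block repeated to fill the PIN), which are drawn from the page's sample values; the consecutive-numbers rule and the securityKeyPinCharacters character set are not checked.

```python
import re

# Values the page names explicitly; a real blocklist may be longer (assumption).
DEFAULT_PIN = "123456"
BLOCKLIST = {"159753"}  # the YubiKey example given on the page


def pin_violations(pin: str) -> list[str]:
    """Return the listed PIN rules that `pin` breaks (empty list = passes)."""
    problems = []

    # Rule: the PIN must be between 6 and 8 characters.
    if not 6 <= len(pin) <= 8:
        problems.append("length must be 6 to 8 characters")

    # Rule: no repeating digits, read here as one character filling the PIN
    # (the page's sample is 111111).
    if len(pin) > 1 and len(set(pin)) == 1:
        problems.append("repeating digits")
    # Rule: no repeating sequences, read here as a block of two or more
    # characters repeated to fill the PIN (121212, 345345). 123849 passes.
    elif re.fullmatch(r"(.{2,}?)\1+", pin):
        problems.append("repeating sequence")

    # Rule: the PIN may not be left as the default value.
    if pin == DEFAULT_PIN:
        problems.append("default PIN")

    # Rule: the PIN may not be on any blocklist.
    if pin in BLOCKLIST:
        problems.append("blocklisted PIN")

    return problems


if __name__ == "__main__":
    # Constructed candidates, taken from the sample values on the page.
    for candidate in ["123849", "111111", "121212", "345345", "123456", "159753"]:
        print(candidate, pin_violations(candidate) or "ok")
```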



Authentication - Windows

Browser Authentication - Windows

This flow is triggered when logging in with a security key on a Windows workstation to a web channel RP application with a login dialog.

  1. Windows asks you to choose a method. Click Security Key. Insert the key if it is not already inserted.

  2. A placeholder screen appears while Windows begins the security key sign-in dialog.

  3. Enter your security key PIN.

  4. Touch the contact point(s) on your security key.



Workstation Authentication - Windows

  1. Insert your paired Security Key into the USB port of the computer. Windows will offer the smart card icon as an additional login option. Click the smart card icon.

  2. Type your PIN.

  3. Press Enter on your keyboard or click the submit arrow to log in.



Deregistration - Windows

When unpairing a method from HYPR Passwordless, make sure you have another means of logging in. If you do not, we recommend pairing another method, such as the HYPR Mobile App, before unpairing your last method.

Browser Deregistration - Windows

HYPR handles unpairing the security key from the RP application; no browser dialogs appear when this action is taken.



Workstation Deregistration - Windows

Security Key PIV Reset

Deregistration resets the entire PIV area on a security key, which may include the PIN, PUK, management key, and certificates.

  1. Open the HYPR Passwordless client.

  2. Click the trash can icon under the key you wish to remove.

  3. Confirm the deregistration request.

  4. HYPR informs you when unpairing is complete, then returns to the Device Manager.



Changing the PIN - Windows

  1. Open the HYPR Passwordless client.

  2. Click the pencil icon under the key you wish to update.

  3. Enter your current PIN; then enter your new PIN twice.

  4. Click Finish to save.



Unlocking the PIN on a Standard Security Key - Windows

When a Windows user logs in with a standard security key and forgets their PIN or exceeds the maximum allowed attempts, resulting in a locked PIN, HYPR Passwordless allows them to reset their PIN using an Unlock Code (PIN Unblocking Key, or PUK).

Contact your administrator to obtain the Unlock Code if you do not already have it.

  1. If a user has attempted to log in to Windows and locked the security key by entering an incorrect PIN too many times, HYPR Passwordless will inform them and provide an option to reset the PIN. Click Unlock to enter a new PIN.

    If you instead want to reset the PIN and PUK to the original values, see Resetting a Standard Security Key at Login - Windows in this article.

  2. Enter the Unlock Code, then enter the new PIN. Confirm the new PIN.

  3. If an incorrect Unlock Code is entered, a warning appears stating the remaining number of tries. The typical number of tries allowed is 3; the count resets after a successful entry.

  4. When you have the correct Unlock Code and desired PIN values, click Update to save the PIN.

  5. HYPR Passwordless confirms the successful reset of the PIN. Click Finish to continue.

Resetting a Standard Security Key at Login - Windows

If a user can recall neither the PIN nor the PUK, they will have the option to reset the security key; this will cause the PIN and PUK to return to factory defaults.

  1. If the PIN is entered incorrectly and the Unlock Code-based reset triggers, and then the Unlock Code is entered incorrectly too many times, the following message displays. Click Reset Device to initiate a factory reset.

  2. A confirmation dialog displays. Click Reset to continue.

  3. Once the key has been reset, a confirmation dialog appears. Since the PUK and PIN have been reset, the key must be paired again with HYPR. Click Pair Again to open the HYPR Passwordless Start Pairing dialog; see the Workstation Registration section in this article.

Certificate Renewal - Windows

In an effort to avoid certificate expiration, HYPR has streamlined the Certificate renewal process for security keys. See Certificate Renewal for Security Keys for a full description of the experience.

Passwordless for macOS

Registration - macOS

This flow is triggered when pairing with a security key on a macOS workstation, whether pairing with the HYPR Passwordless client or pairing with a web channel RP application.

  1. You are given a choice to create a passkey on the workstation or in a different location. Click Save another way.

  2. Click Use a different phone, tablet, or security key.

  3. The following modal displays. Touch your security key.

  4. Enter the desired PIN to use for authentication with the security key. If you mistype the PIN, try again.

  5. Touch the security key a second time.

  6. Click Allow to grant permissions for the site to see your key make and model.

  7. Your security key now appears in HYPR Passwordless.



Authentication - macOS

The dialogs for both use cases (browser and workstation) are the same on macOS.

  1. Upon starting web authentication, you are given a choice of passkeys. Choose the passkey and click Continue.

  2. You are presented with a choice of saved passkeys. Select Use a different phone, tablet, or security key.

  3. Insert and touch the contacts on the security key.

  4. You are logged in.



Deregistration - macOS

When unpairing a method from HYPR Passwordless, make sure you have another means of logging in. If you do not, we recommend pairing another method, such as the HYPR Mobile App, before unpairing your last method.

HYPR handles unpairing the security key from the RP application; no browser or OS dialogs appear when this action is taken.