
Enterprise Passkey Transport: FIDO2 Gateway

This document describes how to register and authenticate using HYPR FIDO2 Gateway as a transport for the HYPR Passwordless client.

HYPR FIDO2 Gateway as a transport method works with the HYPR Passwordless client for Windows using the HYPR Enterprise Passkey.

For more information on Entra ID Enterprise Passkey, see Integrations.

To enable HYPR FIDO2 Gateway for HYPR Passwordless, see Generic Enterprise Passkey Settings.

Registration

Registration with Entra Provisioning Disabled

When you use HYPR FIDO2 Gateway to connect to your network, FIDO2 Gateway pairing changes the order in which the HYPR Passwordless dialogs appear; that flow is included here for reference.

Devices paired using the FIDO2 Gateway are able to use this connection to authenticate in Offline Mode.

Following are the steps for using the FIDO2 Gateway to register a security key for the first time.

  1. Log in to Windows with your integration login (e.g., carol.shaw@highlands_azure.com).

  2. Launch the HYPR Passwordless client.

  3. Click Start Pairing.

  4. The HYPR Passwordless client reminds you to open Microsoft Entra AD and pair your phone as a security key after pairing with HYPR. Click Continue.

  5. Scan the QR code on the screen. You will be prompted to authenticate on your device.

  6. Be patient as the HYPR Passwordless client pairs your devices.

  7. Once you are paired successfully, click Continue.

  8. HYPR Passwordless client returns to the main screen, now displaying your paired device. The device's HYPR Mobile App menu now includes a section for My Security Keys. Open it. Here you will see the same Entra cloud-only account with which you logged into Windows.

  9. A warning icon next to the HYPR Mobile App entry indicates that the user has not yet completed the pairing; if it appears after a pairing has already succeeded, it might indicate a problem in Entra. Until pairing is completed, a Pairing incomplete warning displays in the HYPR Passwordless client for the mobile device, and the account shown in the HYPR Mobile App bears a Pairing incomplete icon. This indicates the user is Paired with HYPR but not Paired with Entra. Clicking the warning re-opens the Phone pairing almost complete! dialog.



    Cache Returns

    HYPR Passwordless client may not display a completed pairing right away. It may be necessary to close and restart the HYPR Passwordless client for the warnings to disappear. In a hybrid pairing, HYPR Mobile App's My Security Keys page does not show a security key for this pairing.



The user will now appear in the integration under User Management's Paired with HYPR tab. Continue to Pairing with Entra to complete your passkey registration.

See Integration User Management in the main Integrations article for how to navigate User Management.


Registration with Entra Provisioning Enabled

Following are the steps for using the FIDO2 Gateway to register a security key for the first time when Entra Provisioning is Enabled. With Entra Provisioning enabled, the user no longer needs to browse to the Entra server to pair with Entra after pairing with HYPR; HYPR handles this for them.

  1. Log in to Windows with your integration login (e.g., carol.shaw@highlands_azure.com).

  2. Launch the HYPR Passwordless client.

  3. Click Start Pairing.

  4. Scan the QR code on the screen. You will be prompted to authenticate on your device.

  5. Be patient as the HYPR Passwordless client pairs your devices.

  6. If you want to give the pairing a name, type one here. Then click Continue.

  7. Be patient while the pairing is established.

  8. Once you are paired successfully, click Continue.

  9. HYPR Passwordless client returns to the main screen, now displaying your paired device. The device's HYPR Mobile App menu now includes a section for My Security Keys. Open it. Here you will see the same Entra cloud-only account with which you logged into Windows.

No Longer Needed

Though a trip to the Entra server is no longer necessary, conditions may still cause the following warnings to appear.

A warning icon next to the HYPR Mobile App entry indicates that the user has not yet completed the pairing; if it appears after a pairing has already succeeded, it might indicate a problem in Entra. Until pairing is completed, a Pairing incomplete warning displays in the HYPR Passwordless client for the mobile device, and the account shown in the HYPR Mobile App bears a Pairing incomplete icon. This indicates the user is Paired with HYPR but not Paired with Entra. Clicking the warning re-opens the Phone pairing almost complete! dialog.

HYPR Passwordless client may not display a completed pairing right away. It may be necessary to close and restart the HYPR Passwordless client for the warnings to disappear. In a hybrid pairing, HYPR Mobile App's My Security Keys page does not show a security key for this pairing.



The user will now appear in the integration under User Management's Paired with HYPR tab. Continue to Pairing with Entra to complete your passkey registration.

See Integration User Management in the main Integrations article for how to navigate User Management.
