8.4.0 Release Notes
8.4.0 is a Standard Release.
The Standard Release Channel is designed for customers who are equipped to accommodate monthly updates, providing regular and more frequent access to new features and improvements.
The Enterprise Release Channel caters to customers requiring a less frequent cadence of upgrades, specifically on a quarterly basis, thereby allowing them more time to adapt and implement changes without disrupting their business operations.
All Standard Release features are available in the next scheduled Enterprise Release.
Minimum Supported Versions
Release Date | Product/Version | Platform | Notes |
---|---|---|---|
August 9, 2023 | HYPR Workforce Access Client for Windows 8.4.0 | Windows (10, 11) | Reboot required if upgrading from 7.6 or below; Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their offshoots |
August 9, 2023 | HYPR Workforce Access Client for Mac 8.4.0 | macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura) | Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their respective offshoots |
August 9, 2023 | HYPR Mobile App for Android 8.4.0 | Android 8.0+ | |
August 9, 2023 | HYPR Mobile App for iOS 8.4.0 | iOS 12.4+ | |
August 9, 2023 | HYPR Server 8.4.0 | Server | Upgrade to 7.10 required before upgrading to 8.0.0 or higher |
August 9, 2023 | HYPR Android SDK 8.4.0 | Android 8.0+ | |
August 9, 2023 | HYPR iOS SDK 8.4.0 | iOS 12.4+ | |
All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.
New Features
(All HYPR) Support for Windows 32-bit is no longer available in 8.4+
HYPR is discontinuing support for 32-bit Windows, including HYPR Workforce Access Client for Windows.
(All HYPR) Single Registration
HYPR can be configured to only require pairing in one component of the HYPR system, instead of pairing separately with the Web Account or the Workforce Access Client. When paired in one, users will be automatically prompted to complete the pairing on the other, and thereafter that pair will appear universally in all HYPR authentication rosters for that RP Application user. See how this works for Web-to-Workstation or Workstation-to-Web.
(All HYPR) Updates for Passkey Support
During HYPR login and authentication, the Computer and Security Key (sometimes Smartdevice) icons are now combined into one icon labeled Passkey. Likewise, the label Smartphone now appears as HYPR Mobile App or just HYPR App. This affects Device Manager 2.0, including the HYPR Mobile App (not 1.0); Control Center's login; Keycloak login options; and the HYPR Workforce Access Client.
(API) Bulk Export API
HYPR includes a bulk export API for when customers want to extract large amounts of information from the data (e.g., all users; all devices; all auth attempts). It supports filtering and pagination, including conjunctions AND, OR, and NOT, and including operators such as GT, LT, EQ, and LIKE. See the API documentation in Postman.
(Control Center - Integrations - HYPR Native Azure Login) HYPR Enterprise Passkey support for multiple mobile devices
HYPR Native Azure Login now accommodates multiple workstations and multiple FIDO2 registrations. Some highlights include:
- User Management displays FIDO2 registered domains
- Paired status is assessed on a per-device level, not just a per-user level
- HYPR now accounts for removal of paired devices in multi-device scenarios
- If the end user performs an unpairing and they were previously Paired with Azure or Paired with HYPR, now they will appear under Pending in User Management
Enhancements
- (All HYPR) Various QR Fallback namespace and UI improvements
- (Control Center) Fallback authenticator feature flag is now enabled by default
- (Control Center - Integrations - Azure AD) HYPR Enterprise Passkey Audit Trail Events now accounts for partial pairings that may result, and reflects this recognition in the Workforce Access Client pairing dialog
- (Control Center; HYPR Mobile App) Control Center SSL PINs propagate more promptly to the HYPR Mobile App and Workforce Access Client when SSL pinning certificates are exchanged or added
- (HYPR Mobile App; HYPR SDK for Android; HYPR SDK for IOS) Authentication for Transaction requests confirms the completion of the transaction and the amount paid; previously HYPR Mobile App only displayed a transaction ID
- (HYPR Mobile App for iOS; HYPR SDK for iOS) The feature flag IOS_ALLOW_NO_PASSCODE_FIDO_REGISTRATION is used to dissociate the device password from the HYPR Mobile App registration, so that if the user changes their password, the HYPR Mobile App does not need to be re-paired with the account
- (HYPR SDK for Android) SDK consumers can add their own PIN complexity rules to the UI
- (Platform - Keycloak) Administrators can now set a custom theme in Keycloak
- (Platform - Keycloak) Keycloak now communicates brute force detection logs/events to Control Center, visible in the logs, the Audit Trails, and any hooked SIEM applications
- (Platform - Keycloak) Keycloak user is deleted when the Control Center user is deleted
- (Workforce Access Client for Windows) At login, the Passwordless User tile can be made the default, and it is no longer dependent upon Roaming Users being toggled On
- (Workforce Access Client for Windows) Passwordless authentication can be enforced on WFA for macOS
Events
FIDO2/WebAuthn Event Updates
Parameters integrationType and integrationProvider are now included where they were not previously included in the following Events:
- FIDO2_DEVICE_REG
- FIDO2_DEVICE_REG_COMPLETE
- EXTERNAL_AUTH_COMPLETE
- FIDO2_WEBAUTHN
- FIDO2_WEBAUTHN_COMPLETE
Keycloak brute force detection now logs the following events in the HYPR logs:
- KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT
- KC_USER_TEMPORARILY_DISABLED
See Event Descriptions for a list of all HYPR Events and parameters.
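One way to triage the two Keycloak brute-force events once they reach a log export or SIEM, added here as an example (not HYPR's code). Only the two event names come from this page; the JSON layout, every field name (ts, eventName, user, ip) and the thresholds are assumptions, and the sample lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ATTEMPT = "KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT"  # event names from these notes
LOCKOUT = "KC_USER_TEMPORARILY_DISABLED"

# Constructed sample export, one JSON event per line. The field names are
# assumptions; map them to your real HYPR/SIEM schema.
SAMPLE = """\
{"ts": "2023-08-10T09:00:01", "eventName": "KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2023-08-10T09:00:20", "eventName": "KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2023-08-10T09:00:41", "eventName": "KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2023-08-10T09:00:42", "eventName": "KC_USER_TEMPORARILY_DISABLED", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2023-08-10T09:01:00", "eventName": "KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT", "user": "bob", "ip": "198.51.100.7"}
{"ts": "2023-08-10T09:01:05", "eventName": "FIDO2_WEBAUTHN_COMPLETE", "user": "carol", "ip": "203.0.113.9"}
{"ts": "2023-08-10T11:30:00", "eventName": "KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT", "user": "dave", "ip": "203.0.113.50"}
not-json: truncated line
"""

def triage(lines, window=timedelta(minutes=5), burst=3, spray_users=2):
    """Return (per-user severity, source IPs flagged against several users)."""
    attempts, locked, users_by_ip = defaultdict(list), set(), defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the run
        name = ev.get("eventName")
        if name not in (ATTEMPT, LOCKOUT):
            continue  # unrelated events (e.g. FIDO2_WEBAUTHN_COMPLETE)
        users_by_ip[ev["ip"]].add(ev["user"])
        if name == LOCKOUT:
            locked.add(ev["user"])
        else:
            attempts[ev["user"]].append(datetime.fromisoformat(ev["ts"]))
    severity = {}
    for user in set(attempts) | locked:
        times = sorted(attempts[user])
        # Sliding window: does any run of `burst` attempts fit inside `window`?
        bursty = any(times[i + burst - 1] - times[i] <= window
                     for i in range(len(times) - burst + 1))
        severity[user] = "high" if user in locked else "medium" if bursty else "low"
    spray = sorted(ip for ip, u in users_by_ip.items() if len(u) >= spray_users)
    return severity, spray

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

A lockout event ranks above a burst of attempts because it means Keycloak has already acted on the account; the per-IP set catches one source being flagged against several users, which per-user counting alone would miss.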
Error Messages
- 1201084: Authentication attempt has been blocked by brute force detection in Keycloak.
- 1201085: Possible brute force attempt detected for user latest failed authentication attempt.
To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.
APIs
SSL Pinning API Updates
Responses to both of the following endpoints still mimic /rp/versioned/features/rpapps/ but now include the sslPins array under serverConfig.
/rp/wsapi/settings
- Added "machineID": "string"
- Replaces /rp/versioned/features/rpapps starting with 8.4
- Added
/rp/deviceapi/settings
- Added "deviceId": "string"
- Replaces /rp/versioned/features/rpapps starting with 8.4
- Added
Bulk Export API
- Introspection
  - GET /cc/api/bulk/introspect/{entity} (global)
  - GET /cc/api/bulk/{rpAppId}/introspect/{entity} (rpApp)
- Fetch
  - POST /cc/api/bulk/fetch (global)
  - POST /cc/api/bulk/{rpAppId}/fetch (rpApp)
- Supports filtering and pagination
  - AND, OR, and NOT combiners
  - GT, LT, EQ, LIKE operators
You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.
Upcoming Changes
(Control Center) Device Manager UI Changes
HYPR Device Manager brings you a new look to match our branding changes (see below). Paired devices appearing here will also be reflected in the HYPR Mobile App and Workforce Access Client flows where applicable.
HYPR Branding Changes
You may have noticed HYPR content shifting to include a fingerprint theme; likewise, we are changing some of our product names to standardize their labeling. Some are still the old familiar titles you know and love.
We've included the full list of products and features that will be included under the grouping, HYPR Authenticate. HYPR Authenticate includes the suite of components that make up the HYPR system: Control Center (including Integrations and Plugins), Workforce Access Client, the HYPR Mobile Apps, and the SDKs.
New HYPR Name | Legacy HYPR Server Name |
---|---|
HYPR Cloud | HYPR Cloud |
HYPR ON Prem | HYPR On Prem |
RADIUS | HYPR RADIUS Server |
New HYPR Name | Legacy HYPR Mobile App Name |
---|---|
HYPR for iOS | HYPR Mobile App for Android |
HYPR for Android | HYPR Mobile App for iOS |
HYPR Enterprise Passkey | HYPR FIDO2 Mobile Authenticator |
New HYPR Name | Legacy HYPR Workforce Access Client Name |
---|---|
HYPR Passwordless for Windows | HYPR Workforce Access Client for Windows |
HYPR Passwordless for Mac | HYPR Workforce Access Client for Mac |
New HYPR Name | Legacy HYPR SDK and API Names |
---|---|
HYPR SDK for iOS | HYPR SDK for iOS |
HYPR SDK for Android | HYPR SDK for Android |
HYPR SDK for Golang | HYPR SDK for Golang |
HYPR SDK for Java | HYPR SDK for Java |
HYPR SDK for JavaScript | HYPR SDK for JavaScript |
HYPR SDK for Python | HYPR SDK for Python |
HYPR Server APIs | Server API |
New HYPR Name | Legacy HYPR Integration Name |
---|---|
HYPR for Okta | Okta |
HYPR for Workspace | Google Workspace |
HYPR for OneLogin | OneLogin |
HYPR for Azure | Azure |
HYPR for Ping DaVinci | Ping DaVinci |
New HYPR Name | Legacy HYPR Feature Name |
---|---|
HYPRspeed | Desktop SSO |
New HYPR Name | Legacy HYPR Plugin Name |
---|---|
HYPR for AD FS | AD FS |
HYPR for Ping Federate | Ping Federate |
HYPR for SiteMinder | SiteMinder |
HYPR for ForgeRock | ForgeRock |
Bug Fixes
- (Control Center - Audit Trail) HYPR Mobile App for Android Audit Trail failure Events sessionId has been corrected
- (Control Center - Audit Trail) The Audit Trail correctly displays the Admin username when toggles were updated by a Control Center Admin user; previously it was not showing the correct username
- (Control Center - Device Manager) Magic links were not expiring appropriately after being accessed; now they expire correctly
- (Control Center - Integrations) After updating an integration, a QR authentication flag in Keycloak made it necessary to update the integration in Control Center; this now happens automatically when the integration is updated
- (Control Center - Integrations) Parameters integrationType and integrationProvider are now included where they were not previously included in the following Events:
  - FIDO2_DEVICE_REG
  - FIDO2_DEVICE_REG_COMPLETE
  - EXTERNAL_AUTH_COMPLETE
  - FIDO2_WEBAUTHN
  - FIDO2_WEBAUTHN_COMPLETE
- (Control Center - Integrations - Okta) Okta usernames are automatically added as an alias in HYPR; previously this was not automatic and could result in users being unable to log in
- (HYPR Mobile App) QR authentication code is no longer cut off in Keycloak running in an embedded browser; previously not all of it was displayed, preventing login
- (HYPR Mobile App for iOS) Failing Touch ID during pairing correctly cancels the registration on the server
- (HYPR Mobile App for iOS) Using QR authentication, if a user doesn't log in during the API token validity period (30 days), scenarios can result where the API token won't refresh, generating error code 101074; the user must re-register with HYPR
- (HYPR Mobile App; Workforce Access Client) The user's email address is now displaying where previously the user's UPN was being incorrectly shown
- (Workforce Access Client for macOS) WFA now shows login completed when interrupted (disconnect; reboot); previously the HYPR Mobile App would log in, but WFA would remain on the Login screen
- (Workforce Access Client for Windows) The auto-upgrade from version 8.1.0 to 8.2.2 was not rebooting after installation, but does now
Known Issues
- (Control Center) Amazon Web Services (AWS) Web Application Firewall (WAF) rule rejects images containing Extensible Metadata Platform (XMP) tags; see the Workaround in our Support documentation
- (Control Center - Advanced Mode) Push notification authentication fails due to an invalid Firebase key