8.4.0 Release Notes

8.4.0 is a Standard Release.

The Standard Release Channel is designed for customers who are equipped to accommodate monthly updates, providing regular and more frequent access to new features and improvements.

The Enterprise Release Channel caters to customers requiring a less frequent cadence of upgrades, specifically on a quarterly basis, thereby allowing them more time to adapt and implement changes without disrupting their business operations.

All Standard Release features are available in the next scheduled Enterprise Release.

Minimum Supported Versions

Release DateProduct/VersionPlatformNotes
August 9, 2023HYPR Workforce Access Client for Windows 8.4.0Windows (10, 11)Reboot required if upgrading from 7.6 or below; Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their offshoots
August 9, 2023HYPR Workforce Access Client for Mac 8.4.0macOS (High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura)Security Key Support for Yubikey 5 Plus and Feitian ePass K9 Plus, K40 Plus and their respective offshoots
August 9, 2023HYPR Mobile App for Android 8.4.0Android 8.0+
August 9, 2023HYPR Mobile App for iOS 8.4.0iOS 12.4+
August 9, 2023HYPR Server 8.4.0ServerUpgrade to 7.10 required before upgrading to 8.0.0 or higher
August 9, 2023HYPR Android SDK 8.4.0Android 8.0+
August 9, 2023HYPR iOS SDK 8.4.0iOS 12.4+

📘

Backward Compatibility

All HYPR components are fully compatible across the three previous/subsequent minor (X.X) HYPR releases.

New Features

(All HYPR) Support for Windows 32-bit is no longer available in 8.4+
HYPR is discontinuing support for 32-bit Windows, including HYPR Workforce Access Client for Windows.

(All HYPR) Single Registration
HYPR can be configured to only require pairing in one component of the HYPR system, instead of pairing separately with the Web Account or the Workforce Access Client. When paired in one, users will be automatically prompted to complete the pairing on the other, and thereafter that pair will appear universally in all HYPR authentication rosters for that RP Application user. See how this works for Web-to-Workstation or Workstation-to-Web.

(All HYPR) Updates for Passkey Support
During HYPR login and authentication, the Computer and Security Key (sometimes Smartdevice) icons are now combined into one icon labeled Passkey. Likewise, the label Smartphone now appears as HYPR Mobile App or just HYPR App. This affects Device Manager 2.0, including the HYPR Mobile App (not 1.0); Control Center's login; Keycloak login options; and the HYPR Workforce Access Client.

(API) Bulk Export API
HYPR includes a bulk export API for when customers want to extract large amounts of information from the data (e.g., all users; all devices; all auth attempts). It supports filtering and pagination, including conjunctions AND, OR, and NOT, and including operators such as GT, LT, EQ, and LIKE. See the API documentation in Postman.

(Control Center - Integrations - HYPR Native Azure Login) HYPR Enterprise Passkey support for multiple mobile devices
HYPR Native Azure Login now accommodates multiple workstations and multiple FIDO2 registrations. Some highlights include:

  • User Management displays FIDO2 registered domains
  • Paired status is assessed on a per-device level, not just a per-user level
  • HYPR now accounts for removal of paired devices in multi-device scenarios
  • If the end user performs an unpairing and they were previously Paired with Azure or Paired with HYPR, now they will appear under Pending in User Management

Enhancements

  • (All HYPR) Various QR Fallback namespace and UI improvements
  • (Control Center) The Fallback Authenticator feature is now enabled by default
  • (Control Center - Integrations - Azure AD) HYPR Enterprise Passkey Audit Trail Events now accounts for partial pairings that may result, and reflects this recognition in the Workforce Access Client pairing dialog
  • (Control Center; HYPR Mobile App) Control Center SSL PINs propagate more promptly to the HYPR Mobile App and Workforce Access Client when SSL pinning certificates are exchanged or added
  • (HYPR Mobile App; HYPR SDK for Android; HYPR SDK for IOS) Authentication for Transaction requests confirms the completion of the transaction and the amount paid; previously HYPR Mobile App only displayed a transaction ID
  • (HYPR Mobile App for iOS; HYPR SDK for iOS) HYPR dissociates the device password from the HYPR Mobile App registration, so that if the user changes their password, the HYPR Mobile App does not need to be re-paired with the account
  • (HYPR SDK for Android) SDK consumers can add their own PIN complexity rules to the UI
  • (Platform - Keycloak) Administrators can now set a custom theme in Keycloak
  • (Platform - Keycloak) Keycloak now communicates brute force detection logs/events to Control Center, visible in the logs, the Audit Trails, and any hooked SIEM applications
  • (Platform - Keycloak) Keycloak user is deleted when the Control Center user is deleted
  • (Workforce Access Client for Windows) At login, the Passwordless User tile can be made the default, and it is no longer dependent upon Roaming Users being toggled On
  • (Workforce Access Client for Windows) Passwordless authentication can be enforced on WFA for macOS

Events

FIDO2/WebAuthn Event Updates

Parameters integrationType and integrationProvider are now included where they were not previously included in the following Events:

  • FIDO2_DEVICE_REG
  • FIDO2_DEVICE_REG_COMPLETE
  • EXTERNAL_AUTH_COMPLETE
  • FIDO2_WEBAUTHN
  • FIDO2_WEBAUTHN_COMPLETE

Keycloak brute force detection now logs the following events in the HYPR logs:

  • KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT
  • KC_USER_TEMPORARILY_DISABLED

See Event Descriptions for a list of all HYPR Events and parameters.

Error Messages

  • 1201084: Authentication attempt has been blocked by brute force detection in Keycloak.
  • 1201085: Possible brute force attempt detected for user latest failed authentication attempt.

To see all HYPR errors by component, see HYPR Error Codes Troubleshooting Table.

APIs

SSL Pinning API Updates

Responses to both of the following endpoints still mimic /rp/versioned/features/rpapps/ but now include the sslPins array under serverConfig.

  • /rp/wsapi/settings
    • Added “machineID”: “string”
    • Replaces /rp/versioned/features/rpapps starting with 8.4
  • /rp/deviceapi/settings
    • Added “deviceId”: “string”
    • Replaces /rp/versioned/features/rpapps starting with 8.4

Bulk Export API

  • Introspection
    • GET /cc/api/bulk/introspect/{entity} (global)
    • GET /cc/api/bulk/{rpAppId}/introspect/{entity} (rpApp)
  • Fetch
    • POST /cc/api/bulk/fetch (global)
    • POST /cc/api/bulk/{rpAppId}/fetch (rpApp)
  • Supports filtering and pagination
    • AND, OR, and NOT combiners
    • GT, LT, EQ, LIKE operators

You can find detailed descriptors of these and other API calls in HYPR's full Postman API set here.

Upcoming Changes

(Control Center) Device Manager UI Changes
HYPR Device Manager brings you a new look to match our branding changes (see below). Paired devices appearing here will also be reflected in the HYPR Mobile App and Workforce Access Client flows where applicable.

HYPR Branding Changes
You may have noticed HYPR content shifting to include a fingerprint theme; likewise, we are changing some of our product names to standardize their labeling. Some are still the old familiar titles you know and love.

We've included the full list of products and features that will be included under the grouping, HYPR Authenticate. HYPR Authenticate includes the suite of components that make up the HYPR system: Control Center (including Integrations and Plugins), Workforce Access Client, the HYPR Mobile Apps, and the SDKs.

HYPR Authenticate Name Legacy HYPR Server Name
HYPR Cloud HYPR Cloud
HYPR On Prem HYPR On Prem
RADIUS HYPR RADIUS Server

HYPR Authenticate Name Legacy HYPR Mobile App Name
HYPR for iOS HYPR Mobile App for Android
HYPR for Android HYPR Mobile App for iOS
HYPR Enterprise Passkey HYPR FIDO2 Mobile Authenticator

HYPR Authenticate Name Legacy HYPR Workforce Access Client Name
HYPR Passwordless for Windows HYPR Workforce Access Client for Windows
HYPR Passwordless for Mac HYPR Workforce Access Client for Mac

HYPR Authenticate Name Legacy HYPR SDK and API Names
HYPR SDK for iOS HYPR SDK for iOS
HYPR SDK for Android HYPR SDK for Android
HYPR SDK for Golang HYPR SDK for Golang
HYPR SDK for Java HYPR SDK for Java
HYPR SDK for JavaScript HYPR SDK for JavaScript
HYPR SDK for Python HYPR SDK for Python
HYPR Server APIs Server API

HYPR Authenticate Name Legacy HYPR Integration Name
HYPR for Okta Okta
HYPR for Workspace Google Workspace
HYPR for OneLogin OneLogin
HYPR for Azure Azure
HYPR for Ping DaVinci Ping DaVinci

HYPR Authenticate Name Legacy HYPR Feature Name
HYPRspeed Desktop SSO

HYPR Authenticate Name Legacy HYPR Plugin Name
HYPR for AD FS AD FS
HYPR for Ping Federate Ping Federate
HYPR for SiteMinder SiteMinder
HYPR for ForgeRock ForgeRock

Bug Fixes

  • (Control Center - Audit Trail) HYPR Mobile App for Android Audit Trail failure Events sessionId has been corrected
  • (Control Center - Audit Trail) The Audit Trail correctly displays the Admin username when toggles were updated by a Control Center Admin user; previously it was not showing the correct username
  • (Control Center - Device Manager) Magic links were not expiring appropriately after being accessed; now they expire correctly
  • (Control Center - Integrations) After updating an integration, a QR authentication flag in KeyCloak made it necessary to update the integration in Control Center; this now happens automatically when the integration is updated
  • (Control Center - Integrations) Parameters integrationType and integrationProvider are now included where they were not previously included in the following Events:
    • FIDO2_DEVICE_REG
    • FIDO2_DEVICE_REG_COMPLETE
    • EXTERNAL_AUTH_COMPLETE
    • FIDO2_WEBAUTHN
    • FIDO2_WEBAUTHN_COMPLETE
  • (Control Center - Integrations - Okta) Okta usernames are automatically added as an alias in HYPR; previously this was not automatic and potentially could result in users unable to login
  • (HYPR Mobile App) QR authentication code is no longer cut off in Keycloak running in an embedded browser; previously not all of it was displayed, preventing login
  • (HYPR Mobile App for iOS) Failing Touch ID during pairing correctly cancels the registration on the server
  • (HYPR Mobile App for iOS) Using QR authentication, if a user doesn’t login during the API token validity period (30 days), scenarios can result where the API token won’t refresh, generating error code 101074; the user must re-register with HYPR
  • (HYPR Mobile App; Workforce Access Client) The user's email address is now displaying where previously the user's UPN was being incorrectly shown
  • (Workforce Access Client for macOS) WFA now shows login completed when interrupted (disconnect; reboot); previously the HYPR Mobile App would login, but WFA would remain on the Login screen
  • (Workforce Access Client for Windows) The auto-upgrade from version 8.1.0 to 8.2.2 was not rebooting after installation, but does now

Known Issues

  • (Control Center) Amazon Web Services (AWS) Web Application Firewall (WAF) rule rejects images containing Extensible Metadata Platform (XMP) tags; see the Workaround in our Support documentation
  • (Control Center - Advanced Mode) Push notification authentication fails due to an invalid Firebase key