QR Fallback Controls


For instances where a HYPR Mobile App device has a broken camera, this feature provides users a fallback mechanism to still register and authenticate without having to scan a QR code using the HYPR Mobile App.

When the server gets the QR Fallback request, it caches the expected payload from the QR image as a .JSON string, then uses it to generate an activation code, which the user then enters to pair the device. In keeping with already existing HYPR precedents in the HYPR Passwordless client for offline authentication recovery codes, the code consists of six alphanumeric characters. This random activation code is generated securely via OWASP-recommended methods.

The user experience assumes the following:

  • The user's device has either a broken or disabled camera; or perhaps using the camera is not allowed; or the user just does not wish to use it
  • HYPR Mobile App is installed on the device
  • HYPR Passwordless is installed on the workstation

The entire user flow is described in full detail in QR Fallback.

New Endpoint (Open API)

This new API is OPEN (no API token needed). This is because registration attempts specifically will not have the ability to access API tokens until the registration is complete. This new endpoint is simply an alternative means to link the client and mobile device, mostly centered around a unique 64-digit PIN they need to share during auth/registration flows.

Upon opening the Manual Entry screen, the HYPR Mobile App will communicate with a new Server API.

This Server API, living at /rp/versioned/device/pendingqr has been implemented along side a new cache store. This cache now houses pending QR response payload values, which are the keys to retrieve these payloads: the activation code mentioned above, again displayed by the client to the user. The server will now search its cache and return the appropriate response. The contents of the response from this API match the payload of information that would be stored in the QR image itself. The HYPR Mobile App, receiving a response from server, will continue with the QR flow as it currently exists, using the payload that is provided via the cache lookup.


Endpoints and Payloads

The payload that is cached during the creation of the QR codes will vary based upon the API that is used to generate the QR code.

For example, authentication attempts created via the endpoint /oob/qr/client/authentication/requests will have a completely different .JSON structure than a QR code created via /rp/versioned/client/qr/create being used for registration.



  "activationCode": "acotlc"  


Provided below are examples for both responses that can be expected when retrieving fallback payloads from their respective APIs (also labeled above each response).

Example Response 1 (authentication/registration QR code originating via /rp/versioned/client/qr/create):

"qrCode": "{  

Example Response 2 (authentication QR code originating via /rp/api/oob/qr/client/authentication/requests):

"qrCode": "{  
  • The successful response status is 200 accompanied by a .JSON representation of the DeviceAuthenticationQrRequestResponse or QRCodeMetadata object
  • The response for a request that is unable to be processed, which indicates that the pending auth/reg does not exist in cache is 400

Adjustments to Existing Endpoints

Create QR

Once initiated from HYPR Device Manager or HYPR Passwordless, QR Fallback sends an additional create QR code request, specifying it as a fallback attempt by appending includeQRFallbackCode: true to the request; this triggers Control Center to cache the respective QR response payload (authentication or registration).

For both authentication and registration, an activation code is paired with only specified QR requests coming into CC.


Cache on Delivery

This call leaves generation of the fallback activation code tied to the initiation of the fallback QR flow, meaning HYPR only caches payloads that the user specifies (wait for the user to click, β€œshow activation code”) instead of caching all payloads from which realistically only a fraction would need to be looked up manually.



	"includeQRFallbackCode": true // New variable to request fallback code in payload  


More Keys

Encoded in QR metadata will now be an additional key pair value for activationCode which will appear client will not receive back along with the usual payload. This key pair value will exist in the new payload as "actionCode": "8E3nf8".


  // Securely generated 6 lowercase character code, GET API request & key for cache retrieval  
  "qrFallbackActivationCode": "lpptzh"  
  • The successful response status is 200 accompanied by an encoded QR string
    • Add "includeQRFallbackCode": true to the request and the response body will also include "qrFallbackActivationCode": {{CodeForGETAPIRetrival}}
  • The response for a request body unable to be processed is 400

Java SDK- and Keycloak-specific Endpoint Adjustments

The API below is specifically used by Keycloak to authenticate users with QR codes, it contains a different payload and response than the authentication attempts above. The main consumer of this endpoint is HYPR’s Java SDK, which uses Keycloak for access.


To specify fallback caching is needed for this authentication request, which is false by default, a new value must be added to the request body. This follows the same appended value to the request body for the /qr/create endpoint.

  • The successful response status is 200 accompanied by an encoded QR string, which alone has been the existing body
    • Add "includeQRFallbackCode": true to the request and the response body will also include "activationCode": {{$CodeForGETAPIRetrival}}, the code uses for authentication
  • The response for a request body unable to be processed is 400

Audit Trail Event

A new audit event, QR_FALLBACK_PAYLOAD_RETRIEVED, has been added to server to indicate when a QR fallback cache request is made, regardless of whether the attempt was successful or not. This is handled entirely by Control Center and occurs when the new endpoint /rp/device/pendingqr receives a request.

See Event Descriptions for the entire list of HYPR Events.


Privacy Please

Payloads of fallback requests DO NOT contain any information that can label a user accurately in an Audit Trail Event.

Currently no Audit Trail Events cover creation of registration or authentication QR images.



Events will be visible in the Audit Trail of the RP Application on which they’re specifically occurring.