FIDO2 Settings
HYPR Control Center Standard: Control Center Settings
FIDO2 is a set of standards defining the use of mechanisms such as security keys and biometric recognition in multifactor authentication. By default, the only mechanism administrators can choose for logging into the HYPR Control Center is a mobile device. If you would like them to be able to log in with a security key, or through biometric recognition on their computer (Touch ID for Mac or Windows Hello, for example), you must enable FIDO2 authentication for the Control Center.
FIDO2 and HYPR Integrations
Some Integrations may include FIDO2 settings separate from those in HYPR Application settings. Integration FIDO2 Settings function identically to Control Center FIDO2 Settings.
- In the Control Center, click Control Center Settings in the left navigation pane.
- Go to the FIDO2 Settings tab.
- Slide the Enable Fido2 button to the On position. The following fields become active.
  - Client Origin URL
    The original URL at the time of registration, used to validate future authentication requests. This URL is entered automatically as part of the HYPR onboarding setup, so you typically don't need to edit it. If you decide to change it, the value must be all lowercase. If users are unable to pair FIDO2-based devices successfully, check that this URL does not contain any uppercase characters.
  - Discoverable Credentials
    - Required: The Relying Party requires a client-side discoverable credential
    - Preferred: The Relying Party strongly prefers creating a client-side discoverable credential, but will accept a server-side credential
    - Discouraged: The Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential
  - User Verification Mode
    - Required: The Relying Party requires user verification for the operation and will fail if the response does not have the user verification flag set
    - Preferred: The Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the user verification flag set
    - Discouraged: The Relying Party does not want user verification
  - Attestation Type
    - Direct: The Relying Party wants to receive an attestation statement that may include uniquely identifying information
    - Indirect: The Relying Party wants to receive the attestation statement as generated by the authenticator
    - None: The Relying Party is not interested in authenticator attestation
- Once the fields are completed to your satisfaction, click Save.
Users will now have the option to register and use security keys (including the HYPR Enterprise Passkey) and built-in computer biometric devices according to the limitations you configured here.
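The following is an added example, not HYPR code: a sketch of the relying-party checks that the Client Origin URL and User Verification Mode settings govern. It assumes the origin in clientDataJSON is compared by exact string match and that the user verification bit (0x04) is read from the authenticator data flags byte, as WebAuthn defines them. The function names, the cc.example.com origin and the sample bytes are constructed for illustration.

```python
import hashlib
import json

UV_FLAG = 0x04  # "user verified" bit in the authenticatorData flags byte
UP_FLAG = 0x01  # "user present" bit, set in the constructed samples below


def check_response(client_data_json, authenticator_data, configured_origin, uv_mode):
    """Return a list of failures; an empty list means both checks passed."""
    failures = []
    # Browsers report origins with a lowercase scheme and host, so a configured
    # value containing uppercase characters cannot match the exact comparison.
    if configured_origin != configured_origin.lower():
        failures.append("configured origin contains uppercase characters")
    client_data = json.loads(client_data_json)
    if client_data.get("origin") != configured_origin:
        failures.append("origin mismatch")
    # authenticatorData layout: 32-byte RP ID hash, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        failures.append("authenticator data too short")
        return failures
    flags = authenticator_data[32]
    # Only "required" turns a missing UV flag into a failure; "preferred" and
    # "discouraged" accept the response either way.
    if uv_mode == "required" and not flags & UV_FLAG:
        failures.append("user verification flag not set")
    return failures


def sample_response(origin, flags):
    """Build a constructed (not captured) clientDataJSON / authenticatorData pair."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ", "origin": origin}
    ).encode()
    rp_id_hash = hashlib.sha256(b"cc.example.com").digest()  # constructed RP ID
    return client_data, rp_id_hash + bytes([flags]) + b"\x00\x00\x00\x01"


if __name__ == "__main__":
    cdj, ad = sample_response("https://cc.example.com", UP_FLAG)  # UV bit not set
    for mode in ("required", "preferred", "discouraged"):
        print(mode, check_response(cdj, ad, "https://cc.example.com", mode))
    # Same response checked against a mixed-case configured origin.
    print(check_response(cdj, ad, "https://CC.example.com", "preferred"))
```

With the UV bit absent, only the Required mode rejects the response, and the mixed-case configured origin fails regardless of mode, which matches the pairing symptom described for the Client Origin URL field.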
Updated 9 months ago