A HYPR Glossary

HYPR-1 SDK : The HYPR-1 software development kit brings a password-less login experience to any third-party application. Relying parties can choose from a variety of biometric authentication methods such as fingerprint, voice, eye or facial recognition. HYPR-1 supports any device with a camera, microphone or fingerprint sensor.

HYPR-2 Firmware : Our embedded solution for a secure biometric internet of things. By extending decentralized tokenization down to the firmware level, HYPR-2 securely transforms connected things into biometric things.

HYPR-3 Token : A Bluetooth-enabled fingerprint sensor that enables a password-less login for environments where BYOD is prohibited. The HYPR-3 biometric token was designed for FIPS 140-2 Level 3 compliant environments such as hospitals, banks and law enforcement agencies.

HYPR-Secure © : A term used to describe any application or device that has embedded our solution to achieve end-to-end biometric tokenization.

Biometric Tokenization : Biometric encryption enables the use of cancelable signatures to authenticate a user. Unlike legacy biometric authentication methods in which a template is matched against a database, decentralized systems rely on a one-to-one matching scheme and pass dynamic credentials for validation. Hackers can log in with a stolen fingerprint – but not with a biometric token.

Things To Know About HYPR

What devices and biometric sensors does the HYPR platform support?

HYPR is compatible with all devices and a number of leading biometric authentication modalities including fingerprint, voice, face, retina, iris, and behavioral biometrics. Choose from any of our supported on-device authenticators:

  • Touch ID
  • Android M
  • Windows Hello
  • Samsung Sensors
  • Qualcomm Sense ID
  • Smartphone Cameras
  • Device Microphones

Is the HYPR platform only for mobile operating systems?

The HYPR platform is device-agnostic and supports desktop and mobile operating systems including iOS, Android, Windows, OS X and Linux.

Are the cryptographic authentication keys securely encapsulated on the token and never leave the token?

The keys used to generate Biometric TOTP tokens never leave the device. The keys are generated using a True Random Number Generator (TRNG) at provisioning time. The keys are not pre-generated by HYPR, are not modifiable on the device and cannot be retrieved from the device.

Is the fingerprint verified directly on the token?

Yes, the fingerprint is verified on the HYPR-3 Token via advanced fingerprint matching protocols. The 3-D swipe sensor utilized by the device authenticates the fingerprint directly on the device. The user’s fingerprint data never leaves the microprocessor.

Does the HYPR-3 Token only communicate via Bluetooth?

The HYPR-3 Token communicates securely over Bluetooth Low Energy (BLE). Contact our enterprise support team to discuss customization needs such as NFC (Near-field Communication).

Is the TOTP verified directly on the token?

The TOTP is generated by the HYPR-3 Token device and is verified by an API server. The HYPR validation server can be deployed on premise or on the HYPR-Secure biometric cloud.

How is the connection between the intermediary device (phone, desktop, etc.) and the token secured against MITM attacks or eavesdropping?

All information leaving the HYPR device is signed on the device before being transmitted over Bluetooth. If malicious actors intercepted the traffic they could not read or modify its contents. In addition, the HYPR-3 biometric OTP implements channel binding protocols to mitigate MITM vectors. To learn more about these protocols, request an evaluation.

What sort of authentication credentials are supported by the token?

The HYPR device performs authentication via UAF and Biometric TOTP (see RFC 6238). Each HYPR device contains a TRNG-based secret that is used to generate a TOTP token. When a user swipes their finger and successfully authenticates their biometric signature on the device, the TOTP token generated is then encrypted and transmitted to the device requesting authentication – such as a user’s mobile device or desktop computer. The intermediary device then forwards the encrypted TOTP to a server where the signature and TOTP are verified. If the verification is successful, access is granted. Here’s a diagram of the biometric validation server.

What type of cryptographic algorithms / protocols are used? What key lengths are in use?

The HYPR token uses RFC 6238 for TOTP. Our secret generation satisfies FIPS 140-2 section 4.9.1 with cryptographically strong sequences specified in RFC 1750. Signing algorithms supported are RSA (minimum of 2048-bit keys) and ECDSA (256-bit keys). See FIPS 186-3.

Does the device support X.509 Certificates?

The HYPR-3 Token can generate custom X.509 certificates as well as import custom certificates for signing messages when needed. All communication with the device is done over a PKI signature verification scheme. To discuss custom certificates with our developers, contact us directly.

How is the token powered? What is the lifetime of the power supply? What happens to keys on power failure?

The HYPR-3 Token operates on 2 small replaceable coin cell batteries. The expected lifetime at normal use volume (5 authentications per day) is a minimum of 2 years. When there is a power failure, keys are not destroyed and the battery can easily be replaced.

Is the time source for TOTP also on the HYPR Token?

The time source is built into the HYPR-3 device and is based on Unix time.

RFC 6238 makes no provisions for digital signatures. How are signatures integrated with TOTP? What format or protocol is in use here?

RFC 6238 does not have specifications for digital signatures. The TOTP is generated on the HYPR-3 Token and is then encrypted with a key that is stored on the device at the time of provisioning.

Regarding the random number generation according to RFC 1750, how are you seeding the PRG?

The hardware microprocessor embedded in the HYPR-3 Token contains a True Random Number Generator (TRNG) that generates random numbers following the recommendations in RFC 1750.

What is a use case for the HYPR-3 Token if mobile devices already include embedded biometric sensors?

We encourage our customers to deploy the HYPR-1 suite and make use of the numerous biometric mobile devices available for BYOD biometrics. Certain organizations across the enterprise, banking, healthcare, and law enforcement sectors enforce strict regulatory guidelines that prevent the use of consumer devices for authentication. These institutions require specialized tamper-proof security tokens, for which we provide the HYPR-3 biometric token. The device gives relying parties a low-cost and easy solution for deploying biometric authentication while maintaining the necessary levels of compliance.

Where is the seed token that is used on the HYPR-3 Token generated?

The seed token that the HYPR-3 device utilizes for authentication is generated internally via a True Random Number Generator (TRNG) on the device and a NIST-approved PRNG. HYPR Corp does not have access to seed tokens, nor are we capable of modifying or deploying HYPR Tokens with modified seeding protocols.

How and when is the seed token on the HYPR-3 Token generated?

The seed token is generated by users at inception when they are prompted to swipe their fingerprint five times to register. The seed token is generated via a TRNG located within the HYPR-3 Token’s tamper-proof casing.