Vendor Assessment: HYPR

How To Kill The Password

A Buyer’s Guide To Passwordless Authentication Technology

Last Updated: 19 October 2021
Document Id: tch-vendor-access-hypr
Part of Research Product: “How to Kill The Password – Buyer’s Guide to Passwordless Technology” (tch-research-how-to-kill-the-password)

Contents

Company Key Facts

Funding

Customer Case Studies

Technology Key Facts

Technology Review

The Cyber Hut Comment

Methodology

About The Cyber Hut

About The Author

Disclaimer

Company Key Facts

Web – https://www.HYPR.com/ 
LinkedIn – https://www.linkedin.com/company/HYPRcorp/ 
Twitter –  https://twitter.com/HYPRCorp 
YouTube – https://www.youtube.com/user/HYPRKey 
Founded Date: June 2014
Founders: Bojan Simic, Roman Kadinsky, George Avetisov, James Barcia
No. of Employees: ~100
Total Funding: $67.1 million up to Series C, April 2021
Locations: New York (HQ), London, Tokyo
In Their Own Words: Our Mission – We have one mission and that is to create a passwordless world. For us, security isn’t just about keeping the bad guys out. It’s about protecting people in everything they do, wherever they are.
Our Story – HYPR founders realized passwords will continue to be the hackers’ favorite target unless something is done about it. They saw it as an opportunity to approach security in a brand new way. What if our everyday smartphone can be used to change the security and user experience landscape? That became the launching pad for HYPR.

Funding

Funders: Advent International; Comcast Ventures; RRE Ventures; RTP Ventures.

Total funding: $67.1 million.

Announced Date | Transaction Name | Number of Investors | Money Raised | Lead Investors
Apr 20, 2021 | Series C – HYPR | 10 | $35M | Advent International
Oct 1, 2019 | Series B – HYPR | 10 | $18.3M | Comcast Ventures (Point 406 secondary)
Oct 3, 2017 | Series A – HYPR | 6 | $10M | RRE Ventures
Oct 18, 2016 | Seed Round – HYPR | 3 | $3M | RTP Ventures
Jun 1, 2014 | Angel Round – HYPR | – | $800K | –

Source: Crunchbase

Customer Case Studies

Customer: Aetna (CVS Health)
Region / Sector: US / Healthcare
Details: Aetna, a CVS Health Company, is one of the world’s largest health insurers and managed healthcare providers. As part of their digital transformation initiative, the company had a C-level directive to improve both user experience (UX) and security. To Aetna, this meant moving away from passwords to what they called “Next Generation Authentication” or NGA for short.
Impact: Reduced ATO Fraud by 98.4% / Saved Millions in Password Reset Costs / Enhanced Customer Login Experience / Accelerated Mobile App Adoption Across 10M+ Users / Eliminated Use of Passwords and Shared Secrets

Customer: Oxbury Bank
Region / Sector: UK / Agricultural Financial Services
Details: Oxbury is the UK’s specialist agricultural bank, the only bank with a singular focus on British farmers, food producers and the rural economy. It is headquartered in Chester and operates across the UK. Oxbury gained its full UK bank licence in early 2020 and is in its final mobilisation stages with invitation-only customers before launching fully to the wider market in Winter 2020.
Impact: Passwordless Customer Authentication Across iOS and Android / Support for the OxP Banking Platform / Time-Effective Login and Registration Services

Customer: First Citrus Bank
Region / Sector: US / Financial Services
Details: First Citrus Bank had a directive to eliminate the use of passwords across their workforce. The initiative was prompted by rising costs and help desk volume caused by a move to complex passwords. As a result, the company prioritised finding a solution to completely remove passwords and shared secrets from the workforce login experience.
Impact: 300% Faster Login Speeds / 98% Reduction in Credential Reset Ticket Requests / Rolled Out in Under 1 Hour

Customer: VHI Healthcare
Region / Sector: Ireland / Healthcare
Details: Ireland’s largest health insurer approached HYPR with the goal of increasing mobile app adoption by enhancing the digital customer experience. This business initiative aligned closely with the IT objective of reducing help desk costs associated with legacy password-based authentication systems. Insurance companies know better than anyone that password resets are frequent, expensive, and make up a large percentage of customer service requests.
Impact: 200,000 Customers / Eliminated Centralised Passwords / Increased Mobile User Adoption / Stopped Credential Reuse Attacks / Achieved PSD2-Compliant Strong Customer Authentication / Reduced Cost of Password Resets / Enhanced Customer Service Experience / Improved Customer Support Productivity / SDK

Technology Key Facts

Go To Market Message: “Authentication reimagined so you can forget about passwords” – Protect workforce and customer identities with True Passwordless™ MFA. HYPR makes logins more secure than password-based MFA and friction-free, for everyone, everywhere.
Solutions: True Passwordless MFA / Passwordless Customer Authentication / True Passwordless SSO / Passwordless Remote Login
Products / Platform: App / SDK / Desktop MFA Client / Control Center / Integrations
Useful Links: iOS Download / Android Download / API Reference / Documentation Home

Technology Review

HYPR provides passwordless technology for two main groups: customers and employees.  Having been founded in 2014, they describe themselves as one of the earliest passwordless vendors and brand themselves “The Passwordless Company”.

Their messaging leans heavily on the security narrative for passwordless adoption, with language aimed at describing the weaknesses of existing password and MFA based approaches.  Their main technical focus is turning the mobile phone into a FIDO-enabled token.  HYPR have been a member of the FIDO Alliance for 7+ years.

Workforce

Their workforce offering binds a managed workstation to the HYPR mobile application and externalises authentication to the mobile.  The employee downloads the application and completes an enrolment ceremony, which involves a standard Active Directory authentication; on subsequent logins the workstation presents a QR code that is scanned with the app.

This requires the HYPR MFA client to be installed on the workstation.  Two features here are worth noting.  The first is “offline” authentication, where offline means the workstation has no network connectivity: the user enters an OTP generated by the mobile application into the workstation.  This appears to be standard HOTP (RFC 4226) counter-based authentication.  If so, the workstation must hold a shared secret and a counter for the offline path, so unlike the online FIDO flow it does not rest on an asymmetric key pair; buyers should ask how that seed is protected on the workstation and how counter drift between phone and workstation is handled.  The second is the ability to remotely lock the workstation from the mobile phone, which is useful when a user has walked away without locking their session.

Source: https://www.HYPR.com/desktop-mfa/ 

Workstation platform coverage includes Windows 7, 8 and 10 as well as macOS.  HYPR’s aim here is “passwordless MFA”: cryptographic challenge-response plus possession of the mobile device cover two authentication factors.  The device creates a FIDO-compliant key pair and handles both the registration and the authentication responses.  Private keys are held in the Trusted Execution Environment (Android) or Secure Enclave (iOS) on the device, and a local authentication event (PIN or biometric) is required before the private key can be used to sign the challenge issued by the HYPR cloud service.  Only the public key needs to be held server-side, which is what makes this flow resistant to credential stuffing and to phishing of a shared secret.  A user can have multiple devices bound to a workstation.
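The challenge-response part of that flow, as an added example in Go rather than HYPR’s own protocol or SDK code: the Authenticator stands in for the phone, which will only sign after a local user-verification step, and the RelyingParty stands in for the cloud service that issued the challenge and holds nothing but the public key. The relying-party identifier login.example, the 32-byte random challenge, the signed-message layout, the signature-counter check and the choice of Ed25519 are all assumptions for the example (FIDO authenticators commonly use ECDSA P-256 and the real assertion format differs), but the properties shown, single-use challenges, signatures bound to the relying party, and a counter that must only increase, are the ones a buyer should expect from any FIDO-style deployment.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// signedData is what the authenticator signs: rpID || counter || challenge.
// Binding rpID in means a challenge relayed via a look-alike site yields a
// signature the real site will not accept.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(rpID)
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(challenge)
	return buf.Bytes()
}

// Authenticator models the phone-side credential. On a real device the private
// key sits in the TEE/Secure Enclave behind a PIN or biometric check; the
// unlocked flag stands in for that gate here.
type Authenticator struct {
	priv     ed25519.PrivateKey
	counter  uint32
	unlocked bool
}

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { // only if the OS RNG is unavailable
		panic(err)
	}
	return &Authenticator{priv: priv}
}

// PublicKey is all the relying party stores; the private key never leaves the device.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// LocalVerify records one successful PIN/biometric check, good for exactly one signature.
func (a *Authenticator) LocalVerify() { a.unlocked = true }

// Assert signs the challenge for rpID, refusing without a fresh local verification.
func (a *Authenticator) Assert(rpID string, challenge []byte) (uint32, []byte, error) {
	if !a.unlocked {
		return 0, nil, errors.New("user verification required before signing")
	}
	a.unlocked = false
	a.counter++
	return a.counter, ed25519.Sign(a.priv, signedData(rpID, a.counter, challenge)), nil
}

// RelyingParty models the cloud service: only a public key, random single-use challenges.
type RelyingParty struct {
	rpID        string
	pub         ed25519.PublicKey
	lastCounter uint32
	pending     map[string]bool
}

func NewRelyingParty(rpID string, pub ed25519.PublicKey) *RelyingParty {
	return &RelyingParty{rpID: rpID, pub: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh 32-byte random nonce and records it as pending.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify accepts an assertion only for a pending challenge (consumed on first use),
// with a valid signature over this rpID, and a counter above the last one seen.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, string(challenge))
	if !ed25519.Verify(rp.pub, signedData(rp.rpID, counter, challenge), sig) {
		return errors.New("signature does not verify for this relying party")
	}
	if counter <= rp.lastCounter { // a counter going backwards suggests a cloned credential
		return errors.New("signature counter did not increase")
	}
	rp.lastCounter = counter
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("login.example", auth.PublicKey()) // constructed rpID
	ch, _ := rp.Challenge()
	auth.LocalVerify()
	ctr, sig, _ := auth.Assert("login.example", ch)
	fmt.Println("login:", rp.Verify(ch, ctr, sig))  // <nil>
	fmt.Println("replay:", rp.Verify(ch, ctr, sig)) // unknown or already used challenge
}
```

The order of checks in Verify is deliberate: the challenge is consumed before anything else so a failed attempt cannot be retried against the same nonce, the signature is checked before the counter so the counter value being trusted is one the genuine key actually signed, and the stored counter only moves forward on a fully successful assertion.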

Other workforce integration scenarios include VPN, Remote Desktop Protocol and native Linux servers.

Consumer

HYPR’s passwordless solutions for external facing identities lean on both the security and the usability talk tracks.  The HYPR SDK is the anchor feature, allowing customers to embed HYPR capabilities deep within the applications they develop.  Financial services appear to be a major area of focus, driven by compliance initiatives such as Europe’s Payment Services Directive II (PSD2), which is amplifying demand for Strong Customer Authentication (SCA).  The SDK provides several device-security capabilities such as jailbreak and malware detection.  The consumer messaging extends the security talk track to preventing account takeover (ATO), reducing fraud and stopping credential stuffing attacks.

Source: https://www.HYPR.com/passwordless-customer-authentication/ 

Two aspects of the HYPR consumer play stand out.  Firstly, they argue that consumer MFA adoption is hindered by the continued need for a password plus a poorly chosen second factor, which together only add friction for the consumer.  Secondly, they have added “app-less” authentication: the consumer scans a QR code with the phone and the authentication is completed through native web calls from the mobile, without the HYPR app being installed.

SSO

Single Sign On (SSO) integration is typically seen in the workforce enablement space.  HYPR provides out of the box integrations for a range of established identity providers, including Okta, Ping and ForgeRock.  This integration approach gives a neat decoupling between the standard downstream application services delivered by an identity provider or access management solution and a more modular, loosely coupled set of authentication capabilities provided by HYPR.

Source: https://www.HYPR.com/passwordless-single-sign-on-saml/

Organisations are increasingly running hybrid infrastructure: cloud computing alongside on-premises directories, with identity services from a range of providers.  In that setting, decoupling the authentication element from both the identity provider and the long tail of application integrations may give some clients a simple adoption route with greater long term flexibility.

Control Center

The HYPR Control Center is the main administrative control plane for handling integration, analysing metrics and determining authentication performance across the user and device ecosystem.  Splunk can be leveraged as an analytics and metrics centre.

Source: https://www.HYPR.com/fido-control-center/ 

An interesting aspect of the HYPR platform is the ability to extend and expand capabilities.  Authentication does not exist in a vacuum: it typically needs two very important components, users and applications.  HYPR provides a range of extensions through what they term “integrations”.  These cover identity providers such as ForgeRock, Okta and Ping Identity, as well as CA Siteminder, Azure AD, YubiKey and Remote Desktop infrastructure.

App + SDK

HYPR provides a mobile application and also an SDK for customer owned developments and integrations.  The mobile application is the mainstay of the HYPR offering.  

The application is available for iOS and Android from the respective application stores.

The application provides a range of features, including QR code based authentication, OTP generation for “offline” desktop authentication, secure storage of private keys and material via the Secure Enclave or Trusted Execution Environment.  The application can be branded to specific customer needs.  From a workforce perspective, the app provides a binding to the desktop workstation and provides remote lock capabilities and QR code based login.

Source: https://www.HYPR.com/app/ 

API

HYPR provides an application programming interface for a range of both administrative configuration and feature initialization.  Some key APIs include user registration, authentication, app configuration, user statistics, device management, service configuration and certificate management.

Sample Technology Integration Coverage

Single Sign On Identity Providers:

Okta
Ping Identity
ForgeRock
Azure AD
CA Siteminder
FusionAuth
OneLogin
PhenixId

Hardware Tokens:

Yubico YubiKey
Feitian

SDK:

Android
iOS

Enterprise Applications:

VMware
VDI (virtual desktop infrastructure)
RDP (remote desktop protocol)
VPN (virtual private network)
Citrix
Office 365
SSH

SIEM Integrations:

Splunk
Sumo Logic
Graylog
ELK Stack
DataDog
Devo

The Cyber Hut Comment

HYPR is a dedicated passwordless provider with a relatively long history of providing capabilities to both workforce and consumer identities.  They are heavily involved with the FIDO Alliance (the organisation that drives cryptographic passwordless authentication) and have developed a range of features based on a long list of customer implementations. 

Their focus on making the phone a FIDO token is strategic, and I would expect more nuanced mobile-specific features (in line with remote lock and QR code app-less login) to continue to emerge.

The ability to externalise authentication from existing identity providers and access management solutions, may also become a strategic direction for many of their clients, as the move to complex supply chains, joint ventures and hybrid infrastructure makes it difficult to adopt new authentication technologies for legacy systems.  

They should be on any shortlist for medium to large scale enterprises who are migrating beyond standard MFA and see mobile first agility as a key critical requirement.

Strengths

  • Long history – founded in 2014 
  • Ability to remotely unlock the Windows workstation from the mobile device – a concept known as User Initiated Authentication
  • Ability to perform “offline” authentication
  • Optional QR code based authentication
  • Strong SDK capability for embedding into consumer facing projects for PSD2/SCA flows
  • Strong narrative around decoupled authentication and extending existing identity provider capabilities
  • Strong array of extendable components (integrations) for enterprise applications
  • Strong support of FIDO alliance
  • FIDO “Control Center” acts as main policy administration console

Methodology

The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship.  We follow a 5 step process to create a body of knowledge that provides buyside decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.

1 – OSINT

The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.

We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.  

This process takes between 2 and 4 weeks to complete and uses sources such as the following:

  • Crunchbase / Glassdoor
  • YouTube / Twitter / LinkedIn
  • Vendor Website
  • Vendor Webinars & Events
  • Vendor Whitepapers & Datasheets
  • Vendor Case Studies
  • Patent Search
  • Blogs
  • Documentation & Release Notes
  • APIs and SDKs
  • Downloads and Trials

2 – Vendor Briefings

After a basic dossier has been created, a reach out to a vendor is performed to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.

The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer.  This process typically results in some further more technical questions that can be easily answered via email and existing documentation.

At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.

This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages.  Existing public case studies will also be analysed.

3 – Vendor Fact Check

Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented.  The vendor typically responds within 14 days with any corrections and edits.

4 – Vendor Assessment Completion

After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.

At this stage, the document can be made available to buy side practitioners as a standalone artifact.  This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.

Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.

Methodology Benefits

The benefits to this approach are twofold:  firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates.  The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.

The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.

Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.  

The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.

Vendor Assessments are typically re-evaluated every 12 months.

About The Cyber Hut

The Cyber Hut (previously Infosec Professional) has a 10+ year history of delivering research, analysis and insight on the global cyber security industry.

The Cyber Hut blends economic theory with deep technical understanding of information security, cyber security and the protection of critical information assets.  

We are leaders in the field of security economics, helping to provide actionable insight for buy side, sell side and technical practitioners.

We leverage open source, publicly available data signals and vendor briefings to analyse patterns at the edge of the emerging security plane. 

Our analysts are deep technical specialists, called upon by national bodies for standards advisory, are published authors, board members and senior community leaders.

The Cyber Hut is the trading name of TCH Research Ltd, registered in England & Wales, company number 13188456.  

Registered address: 7 Christie Way, Christie Fields, Manchester, UK, M21 7QY

Corrections should be sent to sales@thecyberhut.com.

About The Author

Simon Moffatt is Founder and Analyst at The Cyber Hut.  Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF.  He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.  



Education

B.Sc (hons) Economics (York, 2001)

M.Sc Information Security (Royal Holloway, University of London, 2022)

Professional Memberships

MBCS – Member of the British Computer Society

F.CIIS – Fellow of the Chartered Institute of Information Security

Professional Qualifications

CISSP (Certified Information Systems Security Professional) – 2007 to present

CCSP (Certified Cloud Security Professional) – 2020 to present

CEH (Certified Ethical Hacker) – 2018 to present

CISA (Certified Information Systems Auditor) – 2010 to 2014

Research Interests

Distributed Authorization; Cyber Strategy; Security Economics; Identity Counter Measures; Nation State Cyber Strategy

Disclaimer

© 2021 TCH Research Ltd.  All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.

This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information. 

The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy. 

The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.
