SecureAuth Authenticate app version 5.3 or later for iOS and Android includes an optional security feature which, if configured on a SecureAuth IdP version 9.3 or later app enrollment realm, requires the setup and entry of a PIN to view the TOTP on the app.
PIN VALUE RESTRICTIONS:
- Cannot contain consecutive, repeating digits; for example: 33333333 or 1111
- Cannot be forward or backward sequential; for example: 123456 or 87654321
- Number of digits can be 4, 6, 8, or 10 only; the longer the PIN length, the higher the security setting
- If upgrading from an earlier 5.x version of the app, then end users are prompted to create a PIN and re-connect to their profile if the realm requires a PIN.
- An account on the app must be re-enrolled for multi-factor authentication if the connected realm now requires a PIN entry.
- If end users enter an invalid PIN and exceed the maximum number of allowed attempts, the PIN will be invalidated and all PIN-protected accounts will be disconnected. See Fix "Account disconnected" issue.
- If end users attempt to change an account PIN from the settings cog in the Authenticate app (Change a PIN), they must first enter the existing PIN. If they enter an invalid PIN and exceed the maximum number of allowed attempts, the PIN will be invalidated and all PIN-protected accounts will be disconnected. See Fix "Account disconnected" issue.
- If end users have accounts on the app that use different PIN lengths, then the highest security setting (maximum 10 digits) is enforced to view the TOTP on the app. To apply the highest security setting to all accounts, you must re-enroll accounts that are not using the highest security setting.
- If end users have multiple accounts on the app, they must create a new PIN whenever they:
  - Add an account that requires a higher security setting, or
  - Delete the account that used the highest security setting, leaving another account that requires a shorter PIN.
- Adding a PIN to the Authenticate app is an additional security layer: mobile devices are still required to have a lock; otherwise, end users cannot use the app. If the device lock is disabled, all accounts are invalidated.
NOTE: Apple Watch and Android Wear OS watch integrations are not supported with the PIN-protected configuration in Authenticate app version 5.2 or later.
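The PIN value restrictions and the multi-account behavior described above can be modeled as follows. This is an added example, not SecureAuth code: the function names are hypothetical, and it assumes that "repeating" means a single digit repeated throughout the PIN (as in the examples shown) and that sequences do not wrap from 9 to 0.

```python
ALLOWED_LENGTHS = (4, 6, 8, 10)  # PIN lengths the page lists


def enforced_length(account_lengths):
    """Longest PIN length required by any connected account (0 if none)."""
    for n in account_lengths:
        if n not in ALLOWED_LENGTHS:
            raise ValueError(f"unsupported PIN length: {n}")
    return max(account_lengths, default=0)


def needs_new_pin(before, after):
    """True when adding or deleting accounts changes the enforced PIN length."""
    new = enforced_length(after)
    return new != 0 and new != enforced_length(before)


def pin_problems(pin, required_length):
    """Return rule violations for a candidate PIN; an empty list means acceptable."""
    if not (pin.isascii() and pin.isdigit()):
        return ["must contain digits 0-9 only"]
    problems = []
    if len(pin) != required_length:
        problems.append(f"must be {required_length} digits")
    # Differences between neighbouring digits: {0} = all the same digit,
    # {1} = ascending run, {-1} = descending run.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    # Assumption: "repeating" means one digit repeated throughout, as in the
    # page's examples (1111, 33333333).
    if steps == {0}:
        problems.append("repeating digits")
    # Assumption: sequences do not wrap around from 9 to 0.
    if steps in ({1}, {-1}):
        problems.append("sequential digits")
    return problems


if __name__ == "__main__":
    # Constructed sample: two accounts enrolled on realms with different PIN lengths.
    accounts = [4, 8]
    required = enforced_length(accounts)  # the 8-digit setting wins
    for candidate in ["1111", "87654321", "12345678", "2580", "40719536"]:
        print(candidate, pin_problems(candidate, required) or "accepted")
    print("new PIN needed after adding a 10-digit account:",
          needs_new_pin(accounts, accounts + [10]))
    print("new PIN needed after deleting the 8-digit account:",
          needs_new_pin(accounts, [4]))
```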