The SecureAuth Authenticate mobile app provides a Multi-Factor Authentication method for end-user validation during the login process.
The Authenticate app must first be installed on your mobile device or Chromebook and then connected to your user profile via a SecureAuth IdP mobile app enrollment realm before it can be used.
Once connected, the app can generate Time-based Passcodes (OATH TOTP), Push Notification One-time Passcodes (OTPs), and Push-to-Accept / Symbol-to-Accept login requests for you to use when authenticating to access a protected resource.
For information about features supported in earlier versions of this application, see SecureAuth Authenticate App for Android and iOS v5.2 and SecureAuth Authenticate App for Android and iOS v5.x.
CONTENTS OF THIS DOCUMENT:
SecureAuth Authenticate App – iOS and Android
In addition to iOS and Android devices, you can also set up and use the SecureAuth Authenticate App on a Chromebook. The SecureAuth IdP enrollment realm sees the Chromebook as an Android device. Although the following screens do not show a Chromebook user interface, the Android screen examples are the same as what you will see on a Chromebook.
A PIN entry (4, 6, 8, or 10 digits) might be required to view the TOTP on the app. This custom security option is configured on the QR code / URL app enrollment realm running on SecureAuth IdP version 9.3.
Tap the iOS cog icon or the Android vertical ellipses icon to open the Settings screen. Use the Change PIN options to change the app PIN or to send a request to SecureAuth Support.
1. Ensure the version on the mobile device and paired watch is supported:
2. Download and install the SecureAuth Authenticate App:
- iOS – https://itunes.apple.com/us/app/secureauth-otp/id615536686
- Android – https://play.google.com/store/apps/details?id=secureauth.android.token&hl=en_US
3. Find out which SecureAuth IdP version 9.3 app enrollment realm you should use to do the following:
- App not installed: Enroll the app and provision it for Multi-Factor Authentication usage.
- App installed: Re-enroll the app for Multi-Factor Authentication usage if you are upgrading from version 5.0.x, 5.1.x, or 5.2.x to version 5.3.
- If the app enrollment realm requires you to use a QR code to connect, ensure the mobile device has a working camera. If using a Chromebook, ensure it has a working webcam.
- If the app enrollment realm requires you to enter a URL to connect, get the web address of the app enrollment realm. See Connect with URL.
4. Follow the steps in Connect an account to your user profile below.
NOTE: Push notifications must be enabled on the mobile device to use the login request feature on the app. Push notification enablement can be applied when the app is started or through the device's setting.
Connect an account to your user profile
Choose the Connection Type
1. Start the app and tap the + icon, located at top left for iOS and top right for Android.
Connect with QR Code
1. Use a device other than the one being provisioned (for example, a desktop or laptop), to access the login page of the QR code realm.
2. After successfully logging on the realm, use the app to scan the unique QR code on the page. The QR code is valid for 10 minutes, by default. (You can change the time length in SecureAuth IdP. See the "Change the QR code scan availability time length" section in the Multi-Factor App Enrollment (QR Code) realm configuration document.)
If using a Chromebook, take a picture of the unique QR code on the page and hold the code (on a phone or printout) up to the webcam to scan it in.
3. Create a PIN on the app, if required.
4. If the account is successfully connected, a 4-, 6-, or 8-digit passcode appears on the app.
5. Enter the passcode in the Confirm box on the QR code realm page, and click Enable.
6. Tap Finished on the app.
Connect with URL
1. Enter the web address of the Multi-Factor Authentication app enrollment realm on the app.
If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name, for example, secureauth.company.com
If a different realm is used for Multi-Factor Authentication URL app enrollment, then the entire URL address that includes the realm name is required, for example,
2. Select the Multi-Factor Authentication method to use for delivering the passcode you will use to connect your account.
3. After receiving the passcode and entering it on the app, you might be required to Create a PIN.
4. After the account is connected, it is listed on the Accounts screen and is available to use on the app.
Login Requests from Push Notifications
Different ways to accept Login Requests
Accept request received on the app
Tap Approve Request on the Login Request screen.
Accept request from a notification on the app
1. Swipe down on the Push Notification on the locked screen.
2. Tap the notification on the iOS screen or tap Approve on the Android screen to approve the request.
Accept request on a paired watch
Accept symbol on a paired watch
1. When a symbol is presented on the Multi-Factor Authentication page, a Login Request is simultaneously dispatched to the enrolled account on the mobile device app and the paired watch.
2. Accept the correct symbol on the paired watch or on the mobile device app.
iOS and Apple Watch Login Request screens
Android and Android Wear watch Login Request screens
App account management
Copy a passcode
1. Tap the account to go to the Passcode screen.
2. Tap the passcode to copy it to the clipboard.
Delete an account
Use one of the following ways:
- Tap Edit and tap Delete.
- Swipe left on the account and tap Delete.
Reconnect an account
1. Swipe left on the account.
2. Tap Reconnect.
Rename an account
1. Tap Edit to go to the next screen.
2. Edit the account name and tap Done for iOS or Save for Android.
PIN creation and management
SecureAuth Authenticate app version 5.3 for iOS and Android includes an optional security feature which, if configured on a SecureAuth IdP version 9.3 or later app enrollment realm, requires the setup and entry of a PIN to view the TOTP on the app.
PIN VALUE RESTRICTIONS:
- Cannot contain consecutive, repeating digits; for example: 33333333 or 1111
- Cannot be forward or backwards sequential; for example: 123456 or 87654321
- Number of digits can be 4, 6, 8, or 10 only; the longer the pin length, the higher the security setting
- If upgrading from an earlier 5.x version of the app, then you are prompted to create a PIN and re-connect to your profile if the realm requires a PIN.
- An account on the app must be re-enrolled for Multi-Factor Authentication if the connected realm now requires a PIN entry.
- If accounts on the app use different PIN lengths, then the highest security setting (maximum 10 digits) is enforced to view the TOTP on the app. To apply the highest security setting to all accounts, you must re-enroll accounts that are not using the highest security setting.
- If multiple accounts exist on the app, you must create a new PIN whenever you:
- Add an account that requires a higher security setting, or
- Delete the account that used the highest security setting.
NOTE: Apple Watch and Android Wear OS watch integrations are not supported with the PIN-protected configuration in Authenticate App version 5.2 or 5.3.
Create a PIN
You are prompted to create a secure PIN with a specified number of digits (4, 6, 8, or 10). Confirm the entry of the PIN when you enroll the app.
Create a new PIN
You are prompted to create a different, secure PIN with a specified number of digits (4, 6, 8, or 10) when adding or deleting an account on the app.
iOS Create New PIN screen: Android Create PIN screen:
Change a PIN
1. Tap the settings cog on the Accounts screen.
2. Tap Change PIN on the next Settings screen.
3. Go through the PIN creation workflow to change the PIN.
Log into an account with a PIN
Enter the PIN you created to unlock the app, validate yourself on a realm, and use the account.
New features and enhancements
Release Date: April 23, 2019
The Android Authenticate App supports the optional security feature requiring a custom PIN (4, 6, 8, or 10 digits) to access a TOTP passcode.
The Authenticate App supports Chromebook on ChromeOS build 72.x.x.x. When end-users access a TOTP passcode from the app with a PIN, Chromebook allows the transaction.
|TW-616||The Authenticate App supports iOS 12.x and Android 9.x.|
|MD-734||Authenticate App allows numbers only when creating PIN on any mobile device.|
The TOTP is displayed on one line when end-users attempt to enroll an account with a QR Code using a Sony Xperia with Android 8.0.
|MD-793||All PIN digits are displayed inside the screen, regardless of PIN length.|
The numeric keyboard is displayed on a Sony Xperia XZ1 with Android 8.0.
|MD-796||Only one PIN is needed when deleting an Android account from a SecureAuth IdP realm.|
|MD-773||After updating the Android Authenticate App to the latest version, the app icon is not updated automatically. The icon is updated after the phone is restarted.|
|MD-802||The Feedback link on the iOS Authenticate App user interface does not work on iPhone XS.|
|MD-804||On Chromebook, when the Authenticate App is open and a new notification arrives, a new window is created for the notification apart from the main application. When end-users close the main application window, the notification window remains open.|
|MD-806||On Android, the Create New PIN screen is missing. Workaround this by using the Create PIN screen to add or delete an account on the Authenticate App.|
End users must accept notifications during Authenticate app installation on mobile devices; otherwise, device registration will fail.
This scenario occurs when a SecureAuth IdP 9.3 enrollment realm TOTP seed is set to Token mode. If SecureAuth IdP is configured for Seed mode, registration of mobile devices will succeed even if the user does not accept push notifications.
New features and enhancements
Rebranded the user interface.
Completed several minor bug fixes.
|For iOS, support the optional security feature requiring a custom PIN (4, 6, 8, or 10 digits) to access a TOTP passcode from the app.|
|Android 5 OS and earlier might not show the new logo rebranding.|