The SecureAuth Authenticate mobile app provides a multi-factor authentication method for end user validation during the login process.
The Authenticate app must first be installed on your mobile device or Chromebook and then connected to your user profile through a SecureAuth IdP mobile app enrollment realm before it can be used.
Once connected, the app can generate Time-based Passcodes (OATH TOTP), Push Notification One-time Passcodes (OTPs), Push-to-Accept / Symbol-to-Accept login requests, and fingerprint or facial recognition login requests for you to use when authenticating into your network.
In addition to the supported multi-factor authentication methods, the SecureAuth Authenticate app was validated with FIPS 140-2 compliant cryptographic libraries.
For information about features supported in earlier versions of this application, see SecureAuth Authenticate App for Android and iOS v5.x.
SecureAuth has changed the product versioning scheme. SecureAuth Authenticate app v5.3 was the previous version; v5.3 and earlier version increments will not change. The scheme from the current version and later will be based on the year, month, and point release (.01) or feature release (1) number.
Example: The current version is v19.06, which stands for the year (19) and month (06) of the release. This is a new version, so there is no point or feature release number.
SecureAuth Authenticate app no longer supports new Huawei phones or updates to existing phones to align with the recent United States embargo.
SecureAuth Authenticate App – iOS and Android
In addition to iOS and Android devices, you can also set up and use the SecureAuth Authenticate app on a Chromebook. The SecureAuth IdP enrollment realm sees the Chromebook as an Android device. Although the following screens do not show a Chromebook user interface, the Android screen examples are the same as what you will see on a Chromebook.
A PIN entry (4, 6, 8, or 10 digits) might be required to view the TOTP on the app. This custom security option is configured on the QR code / URL app enrollment realm running on SecureAuth IdP version 9.3.
Tap the iOS cog icon or the Android vertical ellipses icon to open the Settings screen. Use the Change PIN options to change the app PIN or to send a request to SecureAuth Support.
- Ensure the version on the mobile device and paired watch is supported by checking the SecureAuth Compatibility Guide.
- If end users will authenticate by using fingerprint recognition or facial recognition (iOS only), guide them to turn on face or fingerprint recognition on their mobile device before enrollment so that fingerprint or facial recognition works after they complete setting up the Authenticate mobile app.
SecureAuth Authenticate mobile app supports the following mobile devices for fingerprint and facial recognition:
- iOS fingerprint recognition: iPhone 5s, 6, 6S, 6S Plus, SE, 7, 7 Plus, 8, 8 Plus
- iOS facial recognition: iPhone X, XS, XR, XS Max
- Android fingerprint recognition: Android 6+ - 9+
- Download and install the SecureAuth Authenticate app:
  - iOS – https://itunes.apple.com/us/app/secureauth-otp/id615536686
  - Android – https://play.google.com/store/apps/details?id=secureauth.android.token&hl=en_US
- Find out which SecureAuth IdP version 9.2 or later app enrollment realm you should use to do the following:
  - App not installed: Enroll the app and provision it for multi-factor authentication use.
  - App installed: Re-enroll the app for multi-factor authentication use if you are upgrading from version 5.0.x, 5.1.x, 5.2.x, or 5.3.x to version 19.06.
- If the app enrollment realm requires you to use a QR code to connect, ensure the mobile device has a working camera. If using a Chromebook, ensure it has a working webcam.
- If the app enrollment realm requires you to enter a URL to connect, get the web address of the app enrollment realm. See Connect with URL.
Follow the steps in Connect an account to your user profile below.
Push notifications must be enabled on the mobile device to see a login request on the app. Push notifications can be enabled when the app is started or through the device's settings.
Connect an account to your user profile
Choose the Connection Type
- Start the app and tap the + icon, located at top left for iOS and top right for Android.
- Choose either Connect with URL or Connect with QR code to follow the workflow for that option.
Connect with QR Code
- On your desktop or laptop computer, log into the webpage of the QR code enrollment realm.
- After successfully logging in, use the app to scan the unique QR code on the page. The QR code is valid for 10 minutes, by default. (You can change the time length in a SecureAuth realm. See the "Change the QR code scan availability time length" section in the Multi-Factor App Enrollment (QR Code) realm configuration document.)
If using a Chromebook, take a picture of the unique QR code on the page and hold the code (on a phone or printout) up to the webcam to scan it in.
- Create a PIN on the app, if required.
- If the account is successfully connected, a 4-, 6-, or 8-digit passcode appears on the app.
- Enter the passcode in the Confirm box on the QR code realm page, and click Enable.
- Tap Finished or the home icon on the app.
Connect with URL
- Enter the web address of the URL enrollment realm on the app.
If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name, for example, secureauth.company.com
If a different realm is used for Multi-Factor Authentication URL app enrollment, then the entire URL address that includes the realm name is required, for example, https://secureauth.company.com/secureauth2
- Select the multi-factor authentication method to use for delivering the passcode you will use to connect your account.
- After receiving the passcode and entering it on the app, you might be required to Create a PIN.
- After the account is connected, it is listed on the Accounts screen and is available to use on the app.
- Tap Finished or the home icon on the app.
Login Requests from Push Notifications
The following sections show different ways to accept Login Requests.
On Chromebook, when the Authenticate app is open and a new notification arrives, a new window is created for the notification apart from the main application. When end users close the main application window, the notification window remains open.
Accept request received on the app
Tap Approve Request on the Login Request screen.
Accept request from a notification on the app
- Swipe down on the Push Notification on the locked screen.
- Tap the notification on the iOS screen or tap Approve on the Android screen to approve the request.
Accept request on a paired watch
Accept symbol on a paired watch
- When a symbol is presented on the Multi-Factor Authentication page, a Login Request is simultaneously dispatched to the enrolled account on the mobile device app and the paired watch.
- Accept the correct symbol on the paired watch or on the mobile device app.
iOS and Apple Watch Login Request screens
Android and Android Wear watch Login Request screens
Accept touch/fingerprint or face request received on the app
Touch/fingerprint ID requests are supported on iOS and Android devices; face ID requests are supported on iOS devices only.
- If end users' mobile phones are set up for face or fingerprint recognition before enrollment, the features will work automatically with the SecureAuth Authenticate app after enrollment.
- If end users want to use face or fingerprint recognition after enrollment, but did not turn on the features before enrollment, they must turn on face or fingerprint recognition on their mobile device, then set up the SecureAuth Authenticate app again.
- Tap Use Touch ID (iOS) or Use Fingerprint (Android) on the Touch ID Request (iOS) or Fingerprint Request (Android) screen.
iOS Touch ID Request screen: Android Fingerprint Request screen:
- Touch the touch (iOS) or fingerprint (Android) sensor on your device to log in.
iOS Touch Sensor screen: Android Fingerprint Sensor screen:
Facial recognition (iOS only)
- Tap Use Face ID on the Face ID Request screen.
- If you have paired an Apple Watch to your mobile device, you will receive a Biometric Request on the watch. Click OK.
- Tap Use Face ID and use the camera on your iPhone to log in.
App account management
Copy a passcode
- Tap the account to go to the Passcode screen.
- Tap the passcode to copy it to the clipboard.
Delete an account
Use one of the following ways:
- Tap Edit and tap Delete.
- Swipe left on the account and tap Delete.
Reconnect an account
- Swipe left on the account.
- Tap Reconnect.
Rename an account
- Tap Edit to go to the next screen.
- Edit the account name and tap Done for iOS or Save for Android.
PIN creation and management
SecureAuth Authenticate app version 5.3 or later for iOS and Android includes an optional security feature which, if configured on a SecureAuth IdP version 9.3 or later app enrollment realm, requires the setup and entry of a PIN to view the TOTP on the app.
PIN VALUE RESTRICTIONS:
- Cannot contain consecutive, repeating digits; for example: 33333333 or 1111
- Cannot be forward or backwards sequential; for example: 123456 or 87654321
- Number of digits can be 4, 6, 8, or 10 only; the longer the PIN length, the higher the security setting
- If upgrading from an earlier 5.x version of the app, then you are prompted to create a PIN and re-connect to your profile if the realm requires a PIN.
- An account on the app must be re-enrolled for multi-factor authentication if the connected realm now requires a PIN entry.
- If accounts on the app use different PIN lengths, then the highest security setting (maximum 10 digits) is enforced to view the TOTP on the app. To apply the highest security setting to all accounts, you must re-enroll accounts that are not using the highest security setting.
- If multiple accounts exist on the app, you must create a new PIN whenever you:
  - Add an account that requires a higher security setting, or
  - Delete the account that used the highest security setting.
NOTE: Apple Watch and Android Wear OS watch integrations are not supported with the PIN-protected configuration in Authenticate app version 5.2 or later.
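The PIN value restrictions and the multi-account rules above can be expressed as a policy check. This is an added Python example, not SecureAuth code; the function names are hypothetical, and it assumes "repeating" means every digit is identical and "sequential" means the whole PIN steps by one in either direction, which is what the listed examples show.

```python
# Added example: PIN policy from the "PIN VALUE RESTRICTIONS" list.
# Assumptions: "repeating" = every digit identical; "sequential" = the
# whole PIN steps by +1 or -1 with no wrap-around (as in the examples).
ALLOWED_LENGTHS = (4, 6, 8, 10)


def pin_violations(pin, required_length=None):
    """Return a list of rule violations; an empty list means the PIN passes."""
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) not in ALLOWED_LENGTHS:
        problems.append("length must be 4, 6, 8, or 10 digits")
    if required_length is not None and len(pin) != required_length:
        problems.append(f"this app instance requires {required_length} digits")
    if len(set(pin)) == 1:
        problems.append("consecutive repeating digits")
    # Differences between neighbouring digits: {1} or {-1} means a pure run.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("forward or backward sequential digits")
    return problems


def required_pin_length(account_pin_lengths):
    """Longest PIN length among connected accounts wins (0 = no accounts)."""
    for n in account_pin_lengths:
        if n not in ALLOWED_LENGTHS:
            raise ValueError(f"unsupported PIN length: {n}")
    return max(account_pin_lengths, default=0)


def needs_new_pin(before, after):
    """True when adding or deleting an account changes the enforced length."""
    new = required_pin_length(after)
    return new != 0 and new != required_pin_length(before)
```
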
Create a PIN
You are prompted to create a secure PIN with a specified number of digits (4, 6, 8, or 10). Confirm the entry of the PIN when you enroll the app.
Create a new PIN
You are prompted to create a different, secure PIN with a specified number of digits (4, 6, 8, or 10) when adding or deleting an account on the app.
iOS Create New PIN screen: Android Create PIN screen:
Change a PIN
- Tap the settings cog on the Accounts screen.
- Tap Change PIN on the next Settings screen.
- Go through the PIN creation workflow to change the PIN.
Log into an account with a PIN
Enter the PIN you created to unlock the app, validate yourself on a realm, and use the account.
New features and enhancements
Release Date: July 11, 2019
Compatibility: SecureAuth IdP v9.2.x and v9.3.x and the SecureAuth® Identity Platform v19.07
|MD-201, MD-811||Biometric MFA is available for iOS (face and fingerprint recognition) and Android (fingerprint recognition only) devices.|
|MD-823||SecureAuth Authenticate app no longer supports new Huawei phones or updates to existing phones to align with the recent United States embargo.|
Android devices show a countdown for the duration of time before the passcode expires, and not just the last 10 seconds.
|MD-667||iOS Watch app syncs accounts after turning watch passcode off and then on.|
|MD-719||Authenticate app works on Samsung Galaxy J3 Prime phones.|
|MD-723||iOS Watch app does not show Password Required message when a passcode is set up.|
|MD-797||Android 5 devices display the Delete symbol appropriately.|
|MD-802||The Feedback link on the iOS Authenticate app user interface works on iPhone XS. End users who have not set up Apple Mail will receive a guidance message when selecting the Feedback link.|
|MD-805||When end users select an account on an Android phone, the account selection works consistently, as do the Move, Delete, Reconnect, and Edit functions.|
|If end users with iOS or Android devices enrolled for biometric login remove face or fingerprint recognition from the device, they will receive a guidance message to choose a different login method.|
|MD-823||On many Android phone models (MI, Letv, Huawei, Oppo, Vivo, Asus, Meizu), a battery-saving feature stops Authenticate app notifications from being displayed. To remedy this, the first time end users run the Authenticate app, they will receive a guidance message to enable the app in their phone's Settings.|
|MD-824||Android 8 and 9 phones display notifications appropriately when the Authenticate app pushes notifications to a paired Android Wear watch.|
|MD-828||iOS phones that use PIN protection consistently push the PIN to a paired Apple Watch.|
|MD-835||Android phones enrolled to use symbol-to-accept as a second factor display symbols on the mobile device correctly.|
|MD-836||Apple Watch Launch Watch app syncs automatically with the Authenticate app on a paired mobile device after upgrade.|
|MD-837||Android devices no longer close unexpectedly after end users remove a lock pattern, restore the lock pattern, and then delete the account.|
|MD-842||After end users enroll a mobile device with a URL, the device is successfully set up for One-time Passcode on the Authenticate app.|
|MD-847||When end users perform an unsuccessful QR enrollment on iOS devices, they receive a helpful error message.|
|MD-848||The Authenticate app correctly sends a One-time Passcode to Android 4.4 phones.|
|MD-852||On Android phones, if end users select an account to reconnect it by using a QR code, the selected account is replaced with a new account.|
|MD-659||Apple Watches paired with iOS phones occasionally flash a screen containing old data before updating with new data. The flash occurs very quickly; no action is required to work around the issue.|
|MD-702||On iOS devices, the passcode notification occasionally displays again after the end user presses OK and dismisses the notification. Workaround: End users do not need to authenticate again and can dismiss the additional passcode notification.|
|MD-859||On Apple Watches, when end users receive a Symbol-to-Accept login request and then select the correct symbol, the login request times out. However, the Authenticate app on the iPhone can still complete the authentication. The issue occurs on Apple Watch Generation 3 paired to iPhone X (iOS 12.3.x) and iPhone XS (iOS 12.2.x). Workaround: This issue occurs so infrequently that SecureAuth Testers were unable to reproduce the issue on a majority of test devices. Testers attribute this bug to the Watch OS. After Testers performed a hard reboot of the Apple Watch, they could not replicate the bug again. If end users experience this bug, they can perform a hard reboot as a last resort. Perform a hard reboot by pressing the crown and side buttons simultaneously until the watch restarts. After the watch is restarted, it should automatically authenticate correctly.|
End users must accept notifications during Authenticate app installation on mobile devices; otherwise, device registration will fail.
This scenario occurs when a SecureAuth IdP 9.3 enrollment realm TOTP seed is set to Token mode. If SecureAuth IdP is configured for Seed mode, registration of mobile devices will succeed even if the user does not accept push notifications.
New features and enhancements
The Android Authenticate app supports the optional security feature requiring a custom PIN (4, 6, 8, or 10 digits) to access a TOTP passcode.
The Authenticate app supports Chromebook on ChromeOS build 72.x.x.x. When end users access a TOTP passcode from the app with a PIN, Chromebook allows the transaction.
|TW-616||The Authenticate app supports iOS 12.x and Android 9.x.|
|MD-734||Authenticate App allows numbers only when creating PIN on any mobile device.|
The TOTP is displayed on one line when end users attempt to enroll an account with a QR Code using a Sony Xperia with Android 8.0.
|MD-793||All PIN digits are displayed inside the screen, regardless of PIN length.|
The numeric keyboard is displayed on a Sony Xperia XZ1 with Android 8.0.
|MD-796||Only one PIN is needed when deleting an Android account from a realm.|
|MD-773||After updating the Android Authenticate app to the latest version, the app icon is not updated automatically. The icon is updated after the phone is restarted.|
|MD-802||The Feedback link on the iOS Authenticate app user interface does not work on iPhone XS.|
|MD-804||On Chromebook, when the Authenticate app is open and a new notification arrives, a new window is created for the notification apart from the main application. When end users close the main application window, the notification window remains open.|
|MD-806||On Android, the Create New PIN screen is missing. Work around this by using the Create PIN screen to add or delete an account on the Authenticate App.|
New features and enhancements
Rebranded the user interface.
Completed several minor bug fixes.
|For iOS, support the optional security feature requiring a custom PIN (4, 6, 8, or 10 digits) to access a TOTP passcode from the app.|
|Android 5 OS and earlier might not show the new logo rebranding.|