PingID Administration Guide

Configuring biometrics authentication for the PingID mobile app

Allow users to authenticate using their fingerprint or Face ID.

Steps

  1. In the PingID admin portal, go to Setup → PingID → Configuration, and in the Mobile App Authentication section, go to the DEVICE BIOMETRICS section.

    A screen capture of the Device Biometrics section. There are three radio buttons for Disable, Enable, and Require. The Require button is clicked. After the radio buttons is the Enable On section with check boxes for iOS and Android. Both are selected. After the Enable On section is the Face ID Consent section with radio buttons for Disable and Enable. The Enable button is clicked. The last section in this screen capture is the Notification Actions section which has radio buttons for Disable and Enable. The Enable button is clicked.
  2. Enable or to require device biometrics:

    Choose from:

    • Disable: Disable device biometrics. Users are not able to authenticate using their device biometrics.

    • Enable: Enable users to authenticate with their device biometrics.

    • Require: Force users to authenticate with their device biometrics. Users with devices that do not support biometrics are prompted to authenticate using swipe authentication.

      If a user’s mobile device supports biometrics, but they have not configured biometrics authentication on their device, they cannot sign on. The user receives an Authentication Error message on their mobile device and a Canceled message on their web browser.An image of an Authentication Error message on an iOS device. The message says,

      An image of a Canceled error in the PingID mobile app.

  3. In the Enable On section, select the check box for each operating system on which you want to enable biometrics (iOS, Android).

    If biometrics authentication is disabled for an operating system, or the device does not support biometrics, the standard swipe method of authentication is used.

  4. Optional: By default, iOS device users are only asked to authorize the use of Face ID for PingID authentication when pairing PingID with their device. To prevent users inadvertently authenticating using Face ID if their phone is unlocked, force users to explicitly approve a Face ID consent notification.

    This option is available on devices with the PingID mobile app 1.10.0 and later, and Face ID enabled.

    1. To enable Face ID consent, in the Device Biometrics section, click either Enable or Require.

    2. Click iOS.

    3. In the Face ID Consent field, click Enable.

  5. If you select Require in the Device Biometrics section, in the Notification Actions section, select one of the following options:

    Choose from:

    • Disable: Disable notification actions for PingID mobile app. The user is unable to approve or deny PingID mobile app authentication requests from the locked screen:

    • Android: The user cannot swipe down on the notification banner, and the Approve or Deny buttons are not available.

    • iOS: The user cannot see alternative actions when swiping to the left on the notification banner.

    • Enable: Enable notification actions for PingID mobile app. The user can approve or deny PingID mobile app authentication requests from within the notification message on their locked screen. This is the default selection.

    • Android: When the screen is locked, the user might receive a notification to authenticate, depending on the mobile device’s notification configuration. When swiping down on the notification banner, the user can select the Approve or Deny buttons.

    • iOS: The user receives a notification banner and can swipe to the left on the notification banner to see the Approve and Deny buttons.

  6. To prevent users from bypassing the required biometrics authentication and using the passcode fallback on the mobile app, configure the Device Passcode Fallback field.

    If biometrics authentication fails, by default, the user falls back to the device’s passcode to authenticate.

    This configuration is only relevant to iOS when the following conditions apply:

    • Device Biometrics is set to Require.

    • iOS is selected.

    • Notification Actions is set to Disable.

    Choose from:

    • Disable: When the Disable option is selected, users are prevented from using the passcode fallback and cannot bypass the required biometrics authentication on the application.

    • Only users with biometrics defined on their device, such as fingerprints or face scan, can authenticate successfully.

    • If the authentication is unsuccessful, users can retry up to the maximum number of retries permitted by the OS. This is not configurable.

    • If all retries are unsuccessful, access is denied, and a notification is displayed on both the accessing device browser and the mobile app.

    • Enable: When the Enable option is selected, and biometrics authentication fails, the user can use the device’s passcode to authenticate with PingID. This is the default selection.

      • PingID 1.6.4 and later support device passcode fallback.

      • Mobile device management (MDM) can be used to prevent the user from updating the mobile lock abilities, or adding other users' fingerprints to a mobile device.

      • If there are users who have installed the mobile app before this setting was applied, the settings apply the next time the user is online.

  7. Click Save.

    Samsung Galaxy S5 devices have a known bug that can cause fingerprint data to become corrupted, preventing PingID from launching properly. Specifically:

    The following tables describe the user experience according to the operating system and configuration setting combination.

Table 1. Cases Matrix for iPhone iOS 8+ Devices
Biometrics configured on device State Disable notification actions Banner actions on locked screen Banner actions on unlocked screen User swipes banner right on locked screen User presses (taps) banner on unlocked screen

Yes

Enabled

N/A (There is no option to change this in the UI.)

  1. Swipe left. The Deny and Approve buttons are displayed.

  2. When approved, unlock with Touch ID or passcode.

Swipe the banner down to display the Approve and Deny buttons.

When approved, authentication completes. No biometrics are required.

Unlock with Touch ID or passcode.

When approved, the PingID app opens and requests biometrics authentication.

The PingID app opens and requests biometrics authentication.

Yes

Required

Disabled (Checked)

  • There is no swipe left option.

  • The user must open the app and use biometrics authentication.

  • Banner display only.

  • No actions.

The PingID app opens and requests biometrics authentication.

The PingID app opens and requests biometrics authentication.

Yes

Required

Enabled (Unchecked)

  1. Swipe left. The Deny and Approve buttons are displayed.

  2. Once approved, unlock with Touch ID or passcode.

Swipe the banner down to display the Approve and Deny buttons.

When approved, authentication completes.

The PingID app opens and requests biometrics authentication.

The PingID app opens and requests biometrics authentication.

Not configured / Not supported

Enabled

N/A

  1. Swipe left.

  2. The Deny and Approve buttons are displayed.

  3. When 'approved', unlock with passcode.

Swipe the banner down to display the Approve and Deny buttons.

When approved, authentication completes.

Unlock with passcode.

When approved, the PingID app opens and requests swipe authentication.

The PingID app opens and requests swipe authentication.

Not configured / Not supported

Required

Disabled (Checked)

There is no swipe left option.

  • Banner display only.

  • No actions.

Unlock with passcode.

When approved, the PingID app opens and displays an error.

The PingID app displays an error.

Not configured / Not supported

Required

Enabled (Unchecked)

  1. Swipe left. The Deny and Approve buttons are displayed.

  2. Once approved, unlock with passcode.

  3. The PingID app displays an error.

Swipe the banner down to display the Approve and Deny buttons.

When approved, the PingID app displays an error.

Unlock with passcode.

When approved, the PingID app opens and displays an error.

The PingID app displays an error.

Table 2. Cases Matrix for Android 5.0+ Devices
Fingerprint configured on device State Disable notification actions Banner actions on locked screen Banner actions on unlocked screen User taps on banner on locked screen

Yes

Enabled

N/A

Show content:

  1. A notification is displayed.

  2. Swipe down to display the Deny and Approve buttons.

  3. When approved, the user is prompted to unlock the device using fingerprint, and authentication completes.

Hide content:

  1. Displays a notification without the Deny and Approve buttons.

  2. Tap the notification to reach the prompt to unlock.

  3. When unlocked, the PingID app opens, requesting fingerprint authentication.

Do not show notifications:

  1. Lights the screen and sounds a beep.

  2. Unlock the device.

  3. The PingID app opens, requesting fingerprint authentication.

The PingID app opens and requests fingerprint authentication.

  1. The user is prompted to unlock the device.

  2. When unlocked, the PingID app opens and requests fingerprint authentication.

Yes

Required

Disabled (Checked)

Show content:

  1. Displays a notification without the Deny and Approve buttons.

  2. Tap the notification to reach the prompt to unlock.

  3. fingerprint

Hide content:

  1. Displays a notification without the Deny and Approve buttons.

  2. Tap the notification to reach the prompt to unlock.

  3. When unlocked, the PingID app opens, requesting fingerprint authentication.

Do not show notifications:

  1. Lights the screen and sounds a beep.

  2. Unlock the device.

  3. The PingID app opens, requesting fingerprint authentication.

The PingID app opens and requests fingerprint authentication.

  1. The user is prompted to unlock the device.

  2. When unlocked, the PingID app opens and requests fingerprint authentication.

Yes

Required

Enabled (Unchecked)

Show content:

  1. A notification is displayed.

  2. Swipe down to display the Deny and Approve buttons.

  3. When approved, the user is prompted to unlock the device using fingerprint, and authentication completes.

Hide content:

  1. Displays a notification without the Deny and Approve buttons.

  2. Tap the notification to reach the prompt to unlock.

  3. When unlocked, the PingID app opens, requesting fingerprint authentication.

Do not show notifications:

  1. Lights the screen and sounds a beep.

  2. Unlock the device.

  3. The PingID app opens, requesting fingerprint authentication.

The PingID app opens, requesting fingerprint authentication.

The PingID app opens and requests fingerprint authentication.

Not configured / Not supported

Enabled

N/A

  • No banner display.

  • The app prompts for PingID swipe.

  • No banner display.

  • The app prompts for PingID swipe.

The PingID swipe screen is displayed.

Not configured / Not supported

Required

Disabled (Checked)

Show content:

  1. Displays a notification without the Deny and Approve buttons.

  2. Tap the notification to reach the prompt to unlock.

  3. When unlocked, the PingID app displays an error.

Hide content:

  1. Displays a notification without the Deny and Approve buttons.

  2. Tap the notification to reach the prompt to unlock.

  3. When unlocked, the PingID app displays an error.

Do not show notifications:

  1. Lights the screen and sounds a beep.

  2. Unlock the device.

  3. The PingID app displays an error.

The PingID app displays an error.

The PingID app displays an error.

Not configured / Not supported

Required

Enabled (Unchecked)

Show content:

  1. A notification is displayed.

  2. Swipe down to display the Deny and Approve buttons.

  3. When approved, the user is prompted to unlock the device using fingerprint, and the PingID app displays an error.

Hide content:

  1. Displays a notification without the Deny and Approve buttons.

  2. Tap the notification to reach the prompt to unlock.

  3. When unlocked, the PingID app displays an error.

Do not show notifications:

  1. Lights the screen and sounds a beep.

  2. Unlock the device.

  3. The PingID app displays an error.

The PingID app displays an error.

The PingID app displays an error.