Configuring biometrics authentication for the PingID mobile app

In the PingID admin portal, go to Setup > PingID > Configuration, and in the Mobile App Authentication section, go to the DEVICE BIOMETRICS section.

A screen capture of the Device Biometrics section. There are three radio buttons for Disable, Enable, and Require. The Require button is clicked. After the radio buttons is the Enable On section with check boxes for iOS and Android. Both are selected. After the Enable On section is the Face ID Consent section with radio buttons for Disable and Enable. The Enable button is clicked. The last section in this screen capture is the Notification Actions section which has radio buttons for Disable and Enable. The Enable button is clicked.

Enable or to require device biometrics:

Disable: Disable device biometrics. Users are not able to authenticate using their device biometrics.
Enable: Enable users to authenticate with their device biometrics.
Require: Force users to authenticate with their device biometrics. Users with devices that do not support biometrics are prompted to authenticate using swipe authentication.

Note:

If a user's mobile device supports biometrics, but they have not configured biometrics authentication on their device, they cannot sign on. The user receives an Authentication Error message on their mobile device and a Canceled message on their web browser.

An image of an Authentication Error message on an iOS device. The message says, "Authentication Error. You must have Fingerprint enabled to authenticate with PingID."

An image of a Canceled error in the PingID mobile app.

In the Enable On section, select the check box for each operating system on which you want to enable biometrics (iOS, Android).

Note:

If biometrics authentication is disabled for an operating system, or the device does not support biometrics, the standard swipe method of authentication is used.

Optional: By default, iOS device users are only asked to authorize the use of Face ID for PingID authentication when pairing PingID with their device. To prevent users inadvertently authenticating using Face ID if their phone is unlocked, force users to explicitly approve a Face ID consent notification.

Note:

This option is available on devices with the PingID mobile app 1.10.0 and later, and Face ID enabled.

To enable Face ID consent, in the Device Biometrics section, click either Enable or Require.
Click iOS.
In the Face ID Consent field, click Enable.

If you select Require in the Device Biometrics section, in the Notification Actions section, select one of the following options:

Disable: Disable notification actions for PingID mobile app. The user is unable to approve or deny PingID mobile app authentication requests from the locked screen:
- Android: The user cannot swipe down on the notification banner, and the Approve or Deny buttons are not available.
- iOS: The user cannot see alternative actions when swiping to the left on the notification banner.
Enable: Enable notification actions for PingID mobile app. The user can approve or deny PingID mobile app authentication requests from within the notification message on their locked screen. This is the default selection.
- Android: When the screen is locked, the user might receive a notification to authenticate, depending on the mobile device's notification configuration. When swiping down on the notification banner, the user can select the Approve or Deny buttons.
- iOS: The user receives a notification banner and can swipe to the left on the notification banner to see the Approve and Deny buttons.

To prevent users from bypassing the required biometrics authentication and using the passcode fallback on the mobile app, configure the Device Passcode Fallback field.

If biometrics authentication fails, by default, the user falls back to the device's passcode to authenticate.

Note:

This configuration is only relevant to iOS when the following conditions apply:

Device Biometrics is set to Require.
iOS is selected.
Notification Actions is set to Disable.

Disable: When the Disable option is selected, users are prevented from using the passcode fallback and cannot bypass the required biometrics authentication on the application.
- Only users with biometrics defined on their device, such as fingerprints or face scan, can authenticate successfully.
- If the authentication is unsuccessful, users can retry up to the maximum number of retries permitted by the OS. This is not configurable.
- If all retries are unsuccessful, access is denied, and a notification is displayed on both the accessing device browser and the mobile app.
Enable: When the Enable option is selected, and biometrics authentication fails, the user can use the device's passcode to authenticate with PingID. This is the default selection.

Important:

PingID 1.6.4 and later support device passcode fallback.
Mobile device management (MDM) can be used to prevent the user from updating the mobile lock abilities, or adding other users' fingerprints to a mobile device.
If there are users who have installed the mobile app before this setting was applied, the settings apply the next time the user is online.

Click Save.

Note:

Samsung Galaxy S5 devices have a known bug that can cause fingerprint data to become corrupted, preventing PingID from launching properly. Specifically:

The data corruption issue is a device problem (not a bug in PingID) as can be seen from sites such as: https://gs5.gadgethacks.com/how-to/4-ways-fix-your-galaxy-s5-s-dysfunctional-fingerprint-scanner-0158909/
If biometrics authentication is configured by the administrator for the organization, S5 device owners may experience a PingID launch problem due to fingerprint data corruption. This may occur even if the S5 devices were not configured for fingerprint support.

The following tables describe the user experience according to the operating system and configuration setting combination.

Cases Matrix for iPhone iOS 8+ Devices
Biometrics configured on device	State	Disable notification actions	Banner actions on locked screen	Banner actions on unlocked screen	User swipes banner right on locked screen	User presses (taps) banner on unlocked screen
Yes	Enabled	N/A (There is no option to change this in the UI.)	Swipe left. The Deny and Approve buttons are displayed. When approved, unlock with Touch ID or passcode.	Swipe the banner down to display the Approve and Deny buttons. When approved, authentication completes. No biometrics are required.	Unlock with Touch ID or passcode. When approved, the PingID app opens and requests biometrics authentication.	The PingID app opens and requests biometrics authentication.
Yes	Required	Disabled (Checked)	There is no swipe left option. The user must open the app and use biometrics authentication.	Banner display only. No actions.	The PingID app opens and requests biometrics authentication.	The PingID app opens and requests biometrics authentication.
Yes	Required	Enabled (Unchecked)	Swipe left. The Deny and Approve buttons are displayed. Once approved, unlock with Touch ID or passcode.	Swipe the banner down to display the Approve and Deny buttons. When approved, authentication completes.	The PingID app opens and requests biometrics authentication.	The PingID app opens and requests biometrics authentication.
Not configured / Not supported	Enabled	N/A	Swipe left. The Deny and Approve buttons are displayed. When 'approved', unlock with passcode.	Swipe the banner down to display the Approve and Deny buttons. When approved, authentication completes.	Unlock with passcode. When approved, the PingID app opens and requests swipe authentication.	The PingID app opens and requests swipe authentication.
Not configured / Not supported	Required	Disabled (Checked)	There is no swipe left option.	Banner display only. No actions.	Unlock with passcode. When approved, the PingID app opens and displays an error.	The PingID app displays an error.
Not configured / Not supported	Required	Enabled (Unchecked)	Swipe left. The Deny and Approve buttons are displayed. Once approved, unlock with passcode. The PingID app displays an error.	Swipe the banner down to display the Approve and Deny buttons. When approved, the PingID app displays an error.	Unlock with passcode. When approved, the PingID app opens and displays an error.	The PingID app displays an error.

Cases Matrix for Android 5.0+ Devices
Fingerprint configured on device	State	Disable notification actions	Banner actions on locked screen	Banner actions on unlocked screen	User taps on banner on locked screen
Yes	Enabled	N/A	Show content: A notification is displayed. Swipe down to display the Deny and Approve buttons. When approved, the user is prompted to unlock the device using fingerprint, and authentication completes. Hide content: Displays a notification without the Deny and Approve buttons. Tap the notification to reach the prompt to unlock. When unlocked, the PingID app opens, requesting fingerprint authentication. Do not show notifications: Lights the screen and sounds a beep. Unlock the device. The PingID app opens, requesting fingerprint authentication.	The PingID app opens and requests fingerprint authentication.	The user is prompted to unlock the device. When unlocked, the PingID app opens and requests fingerprint authentication.
Yes	Required	Disabled (Checked)	Show content: Displays a notification without the Deny and Approve buttons. Tap the notification to reach the prompt to unlock. fingerprint Hide content: Displays a notification without the Deny and Approve buttons. Tap the notification to reach the prompt to unlock. When unlocked, the PingID app opens, requesting fingerprint authentication. Do not show notifications: Lights the screen and sounds a beep. Unlock the device. The PingID app opens, requesting fingerprint authentication.	The PingID app opens and requests fingerprint authentication.	The user is prompted to unlock the device. When unlocked, the PingID app opens and requests fingerprint authentication.
Yes	Required	Enabled (Unchecked)	Show content: A notification is displayed. Swipe down to display the Deny and Approve buttons. When approved, the user is prompted to unlock the device using fingerprint, and authentication completes. Hide content: Displays a notification without the Deny and Approve buttons. Tap the notification to reach the prompt to unlock. When unlocked, the PingID app opens, requesting fingerprint authentication. Do not show notifications: Lights the screen and sounds a beep. Unlock the device. The PingID app opens, requesting fingerprint authentication.	The PingID app opens, requesting fingerprint authentication.	The PingID app opens and requests fingerprint authentication.
Not configured / Not supported	Enabled	N/A	No banner display. The app prompts for PingID swipe.	No banner display. The app prompts for PingID swipe.	The PingID swipe screen is displayed.
Not configured / Not supported	Required	Disabled (Checked)	Show content: Displays a notification without the Deny and Approve buttons. Tap the notification to reach the prompt to unlock. When unlocked, the PingID app displays an error. Hide content: Displays a notification without the Deny and Approve buttons. Tap the notification to reach the prompt to unlock. When unlocked, the PingID app displays an error. Do not show notifications: Lights the screen and sounds a beep. Unlock the device. The PingID app displays an error.	The PingID app displays an error.	The PingID app displays an error.
Not configured / Not supported	Required	Enabled (Unchecked)	Show content: A notification is displayed. Swipe down to display the Deny and Approve buttons. When approved, the user is prompted to unlock the device using fingerprint, and the PingID app displays an error. Hide content: Displays a notification without the Deny and Approve buttons. Tap the notification to reach the prompt to unlock. When unlocked, the PingID app displays an error. Do not show notifications: Lights the screen and sounds a beep. Unlock the device. The PingID app displays an error.	The PingID app displays an error.	The PingID app displays an error.

Configuring biometrics authentication for the PingID mobile app - PingID

PingID Administration Guide