---
title: Integrate authenticator app policies
description: Applies to:
component: sdks
version: latest
page_id: sdks:authenticator-module:use-cases/integrate-authenticator-policies
canonical_url: https://docs.pingidentity.com/sdks/latest/authenticator-module/use-cases/integrate-authenticator-policies.html
revdate: Tue, 8 Nov 2022 16:17:48 +0000
section_ids:
  prerequisites: Prerequisites
  step_1_handle_policies_on_the_client: Step 1. Handle policies on the client
  step_2_create_custom_policies: Step 2. Create custom policies
---

# Integrate authenticator app policies

***Applies to***:

* [x] Ping (ForgeRock) SDK for Android

* [x] Ping (ForgeRock) SDK for iOS

* [ ] Ping (ForgeRock) SDK for JavaScript

You can build and distribute your own authenticator app to your users so that they can participate in multi-factor authentication journeys. To help ensure the security of your app, and therefore your system, you can enable *authenticator app policies*.

This topic explains how to integrate support for authenticator app policies into your projects that use the Ping (ForgeRock) Authenticator module.

## Prerequisites

To integrate app policies into your application that uses the Ping (ForgeRock) Authenticator module, ensure you have completed the following tasks first:

1. Configure your server to apply app policies.

   Refer to [Secure the Authenticator app using policies](../../authenticator/use-cases/how-to-apply-authenticator-policies.html).

2. Integrate the Ping (ForgeRock) Authenticator module into your app.

   Refer to [Set up your Ping (ForgeRock) Authenticator module project](../getting-started/01-setup-your-project.html).

3. Start the Ping (ForgeRock) Authenticator module in your app.

   Refer to [Initialize the Ping (ForgeRock) Authenticator module](../getting-started/02-start-the-module.html).

## Step 1. Handle policies on the client

Policies are associated with an account registered in your authenticator app.

The `Account` class has the following attributes for handling app policies:

| Attribute       | Type    | Visibility | Description                                                                                             |
| --------------- | ------- | ---------- | ------------------------------------------------------------------------------------------------------- |
| `lockingPolicy` | String  | Public     | The policy that caused the account to become locked. Only the first policy that was breached is listed. |
| `policies`      | String  | Public     | A JSON string containing the policy names to apply, as configured in the combined MFA node.             |
| `lock`          | Boolean | Private¹   | Whether the account is currently locked or not.                                                         |

¹ Use the public `isLocked` method to determine whether the account is currently locked.

You can use the `lockAccount` and `unlockAccount` methods to manage registered accounts. To lock an account, you need to provide the policy that has been breached, as follows:

**Android**

```java
// Reference to the authenticator object:
FRAClient fraClient = FRAClient.builder()
    .withContext(context)
    .start();

// Reference to the "Device tampering detection" policy:
FRAPolicy policy = new DeviceTamperingPolicy();

// Lock the account:
boolean result = fraClient.lockAccount(account, policy);
```

**iOS**

```swift
// Create the authenticator object:
FRAClient.start()

// Reference to the "Device tampering detection" policy:
let policy = DeviceTamperingPolicy()

// Lock the account:
let result = try FRAClient.lockAccount(account: account, policy: policy)
```

## Step 2. Create custom policies

You can extend the new abstract class `FRAPolicy` to create new policies that you can attach to accounts.

In the class, implement the `evaluate` method, which returns `true` when the policy conditions are met or `false` when they are breached. For example, if the tampered score exceeds the specified value, the evaluator would return `false`.

**Android**

```java
static class AppIsUpToDatePolicy extends FRAPolicy {
    @Override
    public String getName() {
        return "appIsUpToDate";
    }

    @Override
    public boolean evaluate(Context context) {
        // Policy condition logic here
        return true; // policy conditions met
        // return false; // policy conditions breached - lock account
    }
}
```

**iOS**

```swift
class AppIsUpToDatePolicy: FRAPolicy {

    public var name: String = "appIsUpToDate"

    public var data: Any?

    public func evaluate() -> Bool {
        // Policy condition logic here
        return true // policy conditions met
        // return false // policy conditions breached - lock account
    }
}
```
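One way to fill in the `evaluate` body of the Android policy above, shown as an added example rather than code from the SDK or its documentation. It assumes the `androidx.core` library is on the classpath, that `FRAPolicy` lives in the package imported below, and a hypothetical `MINIMUM_VERSION_CODE` constant that you would set for your own app.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

import androidx.core.content.pm.PackageInfoCompat;

// Assumed package name for the SDK's policy classes; adjust to your SDK version.
import org.forgerock.android.auth.policy.FRAPolicy;

public class AppIsUpToDatePolicy extends FRAPolicy {

    // Hypothetical value: the oldest versionCode still considered safe to run.
    // Source it from a build constant or another value the user cannot edit.
    private static final long MINIMUM_VERSION_CODE = 42L;

    @Override
    public String getName() {
        // Same policy name as in the skeleton above.
        return "appIsUpToDate";
    }

    @Override
    public boolean evaluate(Context context) {
        try {
            // Read the versionCode of the installed authenticator app itself.
            PackageInfo info = context.getPackageManager()
                    .getPackageInfo(context.getPackageName(), 0);
            long installed = PackageInfoCompat.getLongVersionCode(info);

            // true = conditions met; false = breached, so the account is locked.
            return installed >= MINIMUM_VERSION_CODE;
        } catch (PackageManager.NameNotFoundException e) {
            // Fail closed: if the version cannot be determined,
            // report a breach instead of silently passing the policy.
            return false;
        }
    }
}
```

Returning `false` from the exception path keeps the policy from passing when its input is unavailable, which matches the page's rule that a breached condition locks the account.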

To have the SDK evaluate your new policy, create a policy evaluator, as follows:

**Android**

Use `FRAPolicyEvaluator.FRAPolicyEvaluatorBuilder` and its methods `withPolicies` and `withPolicy` to pass policies to the evaluator:

```java
FRAPolicyEvaluator policyEvaluator = new FRAPolicyEvaluator.FRAPolicyEvaluatorBuilder()
    .withPolicies(FRAPolicyEvaluator.DEFAULT_POLICIES)
    .withPolicy(new AppIsUpToDatePolicy())
    .build();
```

**iOS**

Use the `FRAPolicyEvaluator.registerPolicies()` method to pass policies to the evaluator.

Note that the default built-in policies are always evaluated.

To keep any existing registered policies on the account, specify the `shouldOverride: false` parameter:

```swift
let policyEvaluator = FRAPolicyEvaluator()
try policyEvaluator.registerPolicies(policies: [AppIsUpToDatePolicy()], shouldOverride: false)
```

**Note:** `FRAPolicyEvaluator.DEFAULT_POLICIES` includes both of the default built-in policies `BiometricAvailablePolicy` and `DeviceTamperingPolicy`.

Pass the policy evaluator when building your authenticator client:

**Android**

```java
FRAClient.builder()
    .withContext(context.getApplicationContext())
    .withPolicyEvaluator(policyEvaluator)
    .start();
```

**iOS**

```swift
try FRAClient.setPolicyEvaluator(policyEvaluator: policyEvaluator)
FRAClient.start()
```

If the policy evaluator fails, the SDK automatically locks the account.

Locked accounts block certain methods, including `FRAClient.updateAccount`, `PushMechanism.accept` and `OATHMechanism.getNextOathToken`. Calling these methods on a locked account throws an `AccountLockException`.
