---
title: Secure the Authenticator app using policies
description: The PingID mobile app for Android and iOS now supports one-time passcodes and push notifications from Advanced Identity Cloud and AM.
component: sdks
version: latest
page_id: sdks:authenticator:use-cases/how-to-apply-authenticator-policies
canonical_url: https://docs.pingidentity.com/sdks/latest/authenticator/use-cases/how-to-apply-authenticator-policies.html
revdate: Tue, 8 Nov 2022 16:17:48 +0000
section_ids:
  available_policies: Available policies
  enable_authenticator_app_policies: Enable Authenticator app policies
  next_steps: Next steps
---

# Secure the Authenticator app using policies

[Switch to the PingID mobile app now!](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_end_user_guide.html)

The [PingID mobile app for Android and iOS](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_end_user_guide.html) now supports one-time passcodes and push notifications from Advanced Identity Cloud and AM.

* [PingID on the App Store](https://apps.apple.com/us/app/pingid/id891247102?itscg=30200&itsct=apps_box_badge&mttnsubad=891247102)

* [PingID on Google Play](https://play.google.com/store/apps/details?id=prod.com.pingidentity.pingid)

We highly recommend you switch to the PingID mobile app for your MFA needs rather than the ForgeRock Authenticator app.

[**Try it out**](https://docs.pingidentity.com/pingid-user-guide/secure_authentication_with_pingid/pid_end_user_guide.html)

***Applies to***:

* [x] Ping (ForgeRock) SDK for Android

* [x] Ping (ForgeRock) SDK for iOS

* [ ] Ping (ForgeRock) SDK for JavaScript

You can distribute the ForgeRock Authenticator app to your users so that they can participate in multi-factor authentication journeys. To help ensure the security of the app, and therefore your system, you can enable *Authenticator app policies*.

The [Combined MFA Registration](https://docs.pingidentity.com/auth-node-ref/latest/combined-mfa-registration.html) node can apply authenticator app policies during registration of client devices.

These policies can perform checks on the client device, for example, that the device has not been rooted or jailbroken, or that biometrics are in use on the device.

If the conditions of the policy are not met, the account cannot be registered in the Authenticator app. If the conditions of the policies applied to the account are breached at any time after successful registration, the account is locked, and MFA is blocked:

![Accounts that breach Authenticator app policies](../../_images/authenticator/authenticator-locked-accounts-en.png)

## Available policies

The Authenticator app supports the following policies by default:

* Require biometrics

  Policy name: `biometricAvailable`

  Requires that the device uses biometric sensors to unlock the operating system.

* Device tampering detection

  Policy name: `deviceTampering`

  Requires that the device has not been tampered with, for example, that it does not have root access and is not jailbroken.

  This policy applies if the tampering likelihood score returned by the device to the Authenticator app exceeds the provided `score` parameter, which is a number between `0` and `1.0`. The higher the score, the more likely it is that the device has been tampered with.

## Enable Authenticator app policies

Use the JSON Authenticator Policies property in the [Combined MFA Registration](https://docs.pingidentity.com/auth-node-ref/latest/combined-mfa-registration.html) node to enable policies.

Specify the policies and their parameters to apply to the device being registered in JSON format, as follows:

```json
{
    "policyName" : { policyParameters | empty }
}
```

**Example**:

```json
{
  "biometricAvailable": { },
  "deviceTampering": {
    "score": 0.8
  }
}
```
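The following pre-deployment check for a JSON Authenticator Policies value is an added example, not code from Ping Identity or the SDK. The function names are hypothetical, and it assumes that `score` is required for `deviceTampering` and that policy names are case-sensitive.

```python
import json

# The two default policies this page lists. Other names are reported, because
# a typo in a name is easy to miss when reviewing the node configuration.
DEFAULT_POLICIES = {"biometricAvailable", "deviceTampering"}


def _no_duplicates(pairs):
    """object_pairs_hook that rejects repeated keys instead of keeping the last."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def lint_policies(text):
    """Return a list of problems found in a JSON Authenticator Policies value."""
    try:
        policies = json.loads(text, object_pairs_hook=_no_duplicates)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return [f"rejected by parser: {exc}"]
    if not isinstance(policies, dict):
        return ["top level must be a JSON object of policyName: {parameters}"]
    problems = []
    for name, params in policies.items():
        if name not in DEFAULT_POLICIES:
            problems.append(f"{name}: not a default policy name (typo or custom policy?)")
        if not isinstance(params, dict):
            problems.append(f"{name}: parameters must be a JSON object, use {{}} for none")
            continue
        if name == "deviceTampering":
            score = params.get("score")
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(score, bool) or not isinstance(score, (int, float)):
                problems.append("deviceTampering: 'score' must be a number")
            elif not 0 <= score <= 1.0:  # also rejects NaN
                problems.append("deviceTampering: 'score' must be between 0 and 1.0")
    return problems


def tampering_breached(threshold, device_score):
    """Page semantics: the policy applies when the device score exceeds `score`."""
    return device_score > threshold


# The example value from this page, as a single line.
PAGE_EXAMPLE = '{"biometricAvailable": {}, "deviceTampering": {"score": 0.8}}'
```

An empty list from `lint_policies` means no problems were found. `tampering_breached(0.8, 0.8)` is `False` because the page states that the device score must exceed the threshold.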

## Next steps

You can add support for app policies in your own Android and iOS applications by using the Ping (ForgeRock) Authenticator module.

For more information, refer to [Integrate authenticator app policies](../../authenticator-module/use-cases/integrate-authenticator-policies.html).
