A user may register their Android device as the mobile authenticator, and the Centrify mobile app is expected to require the user to unlock the device lock screen before an authentication request can be approved. However, when the mobile authentication notification arrives on the device lock screen, the user can press the “Approve” button on the notification without unlocking the device, and the MFA authentication proceeds.
This is a consequence of how Android handles notifications on the lock screen rather than a defect specific to the app: the actions attached to a notification are shown on the lock screen and can be triggered without the device being unlocked, so the lock screen alone does not gate the approval.
There are two workarounds:
i) Setting Centrify App Lock
ii) Hiding the contents of the notification
For i), the steps are as follows:
Enable Centrify App Lock
The policy is configured in the Admin Portal:
> Under “Policy tab” > “Policy Settings” > “Endpoint Policies” > “Common Mobile Settings” > “Security Settings”:
Choose “Yes” for “Require client application passcode on device”
Choose “Yes” for “Lock on exit”
Set the desired time limit for “Auto-Lock (minutes)”
Set the app passcode on the device
The user is asked to set the passcode once the policy is delivered.
With this in place, users must unlock the device screen lock (if one is configured) and then enter the passcode to unlock the Centrify app before they can approve or deny an MFA notification from the lock screen.
For ii), hide the notification contents, including the “Approve” and “Deny” actions, so that they are not available from the lock screen; users must then unlock the screen before they can see the notification contents and respond to the request. Note that the setting that hides notification contents on the lock screen differs between Android devices and versions; it is commonly found under the lock screen or notification settings as an option to hide sensitive content.
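For background on the Android behaviour behind this, the following is an added illustration written for this page; it is not Centrify's code and makes no claim about how the Centrify app builds its notification. It uses the standard Android notification API to show a weak notification whose “Approve” action fires from the lock screen, next to a hardened one that hides its content and actions when the lock screen redacts sensitive content (the app-side counterpart of workaround ii), marks each action as requiring authentication on Android 12 and later, and refuses an approval delivered while the device is locked. The package, class, channel and action names are hypothetical; the example assumes minSdk 26 (notification channels) and that the receiver is registered in the app manifest.

```java
// Added illustration of the Android notification API behind the lock-screen
// approval issue. Not Centrify's code; package, class, channel and action
// names are hypothetical. Assumes minSdk 26 and a manifest-registered receiver.
package com.example.mfa;

import android.app.KeyguardManager;
import android.app.Notification;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.graphics.drawable.Icon;
import android.os.Build;
import android.util.Log;

public class MfaNotification {
    static final String TAG = "MfaNotification";
    static final String CHANNEL_ID = "mfa_approvals";             // hypothetical channel
    static final String ACTION_APPROVE = "com.example.mfa.APPROVE"; // hypothetical actions
    static final String ACTION_DENY = "com.example.mfa.DENY";
    static final String EXTRA_REQUEST_ID = "requestId";

    /**
     * Weak form: VISIBILITY_PUBLIC shows the full notification, actions included,
     * on any lock screen. The actions are delivered to a BroadcastReceiver, not an
     * Activity, so the keyguard does not ask for the device credential before
     * sending them: tapping "Approve" on the lock screen completes the approval.
     */
    public static Notification buildWeak(Context ctx, String requestId) {
        return baseBuilder(ctx, "Approve sign-in " + requestId + "?")
                .setVisibility(Notification.VISIBILITY_PUBLIC)
                .addAction(action(ctx, "Approve", ACTION_APPROVE, requestId, 1).build())
                .addAction(action(ctx, "Deny", ACTION_DENY, requestId, 2).build())
                .build();
    }

    /**
     * Hardened form. VISIBILITY_PRIVATE plus a public version without actions means
     * that when the lock screen hides sensitive content (user setting or policy) the
     * user sees only "Unlock to respond". On Android 12+ (API 31) each action is also
     * marked as requiring authentication, so the system prompts for the device
     * credential before the PendingIntent is sent. The receiver below adds a last
     * check for older versions.
     */
    public static Notification buildHardened(Context ctx, String requestId) {
        Notification.Action.Builder approve = action(ctx, "Approve", ACTION_APPROVE, requestId, 1);
        Notification.Action.Builder deny = action(ctx, "Deny", ACTION_DENY, requestId, 2);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            approve.setAuthenticationRequired(true);
            deny.setAuthenticationRequired(true);
        }
        Notification publicVersion = baseBuilder(ctx, "Unlock to respond").build();
        return baseBuilder(ctx, "Approve sign-in " + requestId + "?")
                .setVisibility(Notification.VISIBILITY_PRIVATE)
                .setPublicVersion(publicVersion)
                .addAction(approve.build())
                .addAction(deny.build())
                .build();
    }

    private static Notification.Builder baseBuilder(Context ctx, String text) {
        return new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle("Sign-in request")
                .setContentText(text);
    }

    private static Notification.Action.Builder action(Context ctx, String label, String action,
                                                      String requestId, int requestCode) {
        Intent intent = new Intent(action)
                .setClass(ctx, ApprovalReceiver.class)
                .putExtra(EXTRA_REQUEST_ID, requestId);
        PendingIntent pi = PendingIntent.getBroadcast(ctx, requestCode, intent,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
        Icon icon = Icon.createWithResource(ctx, android.R.drawable.ic_dialog_info);
        return new Notification.Action.Builder(icon, label, pi);
    }

    /** Receives the tapped action. Sending the decision to the server is out of scope here. */
    public static class ApprovalReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            String requestId = intent.getStringExtra(EXTRA_REQUEST_ID);
            boolean approved = ACTION_APPROVE.equals(intent.getAction());
            KeyguardManager km = ctx.getSystemService(KeyguardManager.class);
            // Defence in depth for Android < 12, where setAuthenticationRequired is not
            // available: never act on an approval while a secure lock screen is up.
            if (approved && km != null && km.isDeviceLocked()) {
                Log.w(TAG, "ignoring approve for " + requestId + " while the device is locked");
                return;
            }
            Log.i(TAG, "request " + requestId + (approved ? " approved" : " denied"));
        }
    }
}
```

The two builders differ only in visibility, the public version and the per-action authentication flag; the receiver-side `isDeviceLocked()` check is what closes the gap on Android versions that predate `setAuthenticationRequired`, and it corresponds to what workaround i) achieves from the administrator's side by forcing the user through the app passcode before any decision is recorded.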