KB-11346: Android endpoints’ mobile authenticator notification can be approved without unlocking screen lock

App Access Service

18 December,18 at 03:33 PM

Applies to: Centrify Identity Service, App Edition

Problem:

Users may set their Android device as the mobile authenticator, and the Centrify mobile app is expected to ask them to unlock the device lock screen before approving an authentication. However, when the mobile authentication notification arrives on the device lock screen, the user can press the “Approve” button on the notification without unlocking the device screen lock, and the MFA authentication process can proceed.



Cause:

This happens because of an Android OS limitation.



Workaround:

There are two workarounds:
  1. Set Centrify App Lock
  2. Hide the content of the notification


For workaround 1, the steps are as follows:
  1. Enable Centrify App Lock. The policy can be configured in Admin Portal under “Policy tab” > “Policy Settings” > “Endpoint Policies” > “Common Mobile Settings” > "Security Settings":
     • Choose “Yes” for “Require client application passcode on device”
       • Choose “Yes” for “Lock on exit”
       • Choose “(time limit desired)” for “Auto-Lock (minutes)”
  2. Set the app passcode on the device. The user is asked to set the passcode once the policy is delivered.
  3. To approve or deny the MFA notification on the lock screen, users must first unlock the device screen lock (if configured) and then enter the passcode to unlock the Centrify app.



For workaround 2, choose to hide the contents of the notification, including its “approve” and “deny” options, in order to prevent the lock screen bypass. Users are then required to unlock the screen before they can see the contents of the notification.
Note that the settings for hiding notification contents may differ between Android devices.

 
