How Lock Enabled Mobile Application works
Hi,
Please find below concern for Lock Enabled mobile Application,
What's the backend mechanism in pega mobile when login using a pin or fingerprint? Is pega feasible to identify user who has onboarded with or without a pin?
Can we automatically logout a user if the user has an inactive session as an example number of days of inactivity in a mobile app?
Is pega able to provide protection if the user is already onboarded(Lock Enabled mobile Application) and input incorrect pin number of times next logging?
How does Pega handle the sessions for mobile apps?
Thanks.
Pegasystems Inc.
PL
Application lock implementation depends on "Unlock with" setting:
- Biometric and device lock - user can unlock application with biometric (fingerprint or faceID) or with passcode which is set for his/her device
- Biometric and app PIN - user can unlock application with biometric, or with PIN. User will be asked to set PIN after first login so this PIN may differ from the PIN which is set in device settings
- App PIN only - same as previous option, but biometric is disabled
More details about this options and lock timeouts you may find on this page.
ATIT
SA
Hi @lukjj,
Thanks for the response.
We configured to disable the user ID if the user enter wrong password three times. But in the lock enabled mobile, a user can enter the pin for infinity time, So there is a possibility for brute force attack.
Is there a way to limit the enter pin for number of time?
Pegasystems Inc.
PL
Currently, there is no possibility to set such limit. This functionality is planned, but currently not assigned to any release.
Please consider one of the following options:
- If mobile user devices are enrolled to MDM, you may enable "Biometric and device lock", and configure MDM to enforce device passcode to be enabled - most devices have limits for incorrect attempts.
- If App PIN with limit for incorrect PIN attempts is required for yours use-case, you may consider to create ticket in My Support Portal. Limits are planned under EPIC-74580, so you may refer this id in your ticket - depending on current workloads of engineering teams, Support may prioritise this.
ATIT
SA
HI @lukjj,
Thanks for the response.
Can we automatically logout a user from mobile, if the user has an inactive session for a time period?
Thanks,
Sutharsan.
Pegasystems Inc.
PL
Currently there's no built-in mechanism which may allow this, but you may consider to try to implement this as custom rules on server side or as custom module on mobile side.