Mobile apps that use an external identity provider (IdP) that is compatible with OpenID Connect or SAML for login can now be unlocked by using the device's PIN or a biometric sensor instead of using an application-specific password. This functionality allows users to unlock apps quickly and easily.
This functionality is available for mobile apps that use the authorization code grant process between a mobile app and the Pega Platform™ server. Pega Platform acts as an identity broker and delegates authentication to the external OpenID Connect or SAML IdP. The app must have a valid access token; otherwise the user is forced to authenticate with an IdP. Valid access and refresh tokens also allow the user to unlock a device that is currently in offline mode. For more information, see Configuring a mobile app to use external login with OpenID Connect or SAML protocol.
You can set up the following additional locking methods for your mobile app:
Lock the screen after a certain period of inactivity
To display a lock screen when a user tries to perform an action after a certain period of inactivity, set Authentication timeout in the operator's access group configuration. For more information, see Configuring access control for an access group.
If a user tries to perform an action after the specified authentication time-out, the user must unlock the app by authenticating with a PIN or a biometric sensor. If neither option is configured on the device, the lock screen is not displayed.
Figure: Unlock the screen by using a biometric sensor
Lock the screen after a certain period of time
To lock a screen automatically after a set period of time from the user's last authentication, set the Maximum login time period in the mobile configuration settings. For more information, see Setting maximum login time.
This setting takes into account all types of authentication. The value that you define tracks the time from the last authentication using an IdP, as well as authentication using a PIN or a biometric sensor.
Lock the screen after app restart
To force the app user to authenticate on app restart, select the Always prompt for password on start check box in the build tab for your mobile app. For more information, see Configuring password enforcement.
If a user is not logged off explicitly, the user is prompted with the lock screen UI to unlock the app. Clearing this check box means that the user does not have to authenticate again during an app restart.
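The three locking settings interact, so the following added example (not Pega code or a Pega API) models the rules stated on this page as a small Python decision function. All class, field and function names are hypothetical, the precedence between the triggers is an assumption, and the page describes the missing PIN or biometric case only for the inactivity lock.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:  # hypothetical names for the three settings on this page
    auth_timeout_s: Optional[int]  # "Authentication timeout" (inactivity), None = unset
    max_login_s: Optional[int]     # "Maximum login time", None = unset
    prompt_on_start: bool          # "Always prompt for password on start"

@dataclass
class Session:  # constructed client-side state, not a Pega data structure
    token_valid: bool        # app holds a valid access token
    device_lock: bool        # PIN or biometric sensor configured on the device
    last_auth: float         # last IdP, PIN or biometric authentication (seconds)
    last_activity: float     # last user action (seconds)
    restarted: bool = False  # app restarted without an explicit logoff

def required_action(p: Policy, s: Session, now: float):
    """Return (action, reason) for a user action attempted at time `now`."""
    if not s.token_valid:
        return ("idp_login", "no valid access token")
    # Assumed precedence: restart, then maximum login time, then inactivity.
    if s.restarted and p.prompt_on_start:
        return ("lock_screen", "app restart")
    if p.max_login_s is not None and now - s.last_auth >= p.max_login_s:
        return ("lock_screen", "maximum login time")
    if p.auth_timeout_s is not None and now - s.last_activity >= p.auth_timeout_s:
        if not s.device_lock:
            # Stated on the page: without a PIN or biometric, no lock screen is shown.
            return ("none", "inactivity lock not shown: device has no PIN or biometric")
        return ("lock_screen", "inactivity")
    return ("none", "within limits")

def unlock(s: Session, now: float) -> None:
    """A PIN or biometric unlock counts as an authentication of any type."""
    s.last_auth = s.last_activity = now
    s.restarted = False

if __name__ == "__main__":
    policy = Policy(auth_timeout_s=300, max_login_s=3600, prompt_on_start=True)
    s = Session(True, True, last_auth=0, last_activity=3590)
    print(required_action(policy, s, 3600))   # maximum login time reached
    unlock(s, 3600)
    print(required_action(policy, s, 3700))   # clock restarted by the unlock
    s.device_lock, s.last_activity = False, 3000
    print(required_action(policy, s, 3700))   # inactivity lock silently skipped
```

The last case is the one to check for in a deployment: an inactivity timeout gives no protection on devices that have neither a PIN nor a biometric sensor configured.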