Secondary Authentication
The BlueFletch Launcher can be configured to require an additional form of authentication when a device's screen is unlocked while Launcher is logged-in through the Authentication module. Reauthentication can be configured as a personal identification number (PIN), face recognition, a near-field communication (NFC) tag, or a barcode. Primary and alternate reauthentication options can also be set.
Common Configuration
The following key-value pairs can be set within the settings object of the Launcher configuration JSON file.
Essential settings for all secondary authentication:
Field | Data Type | Description |
---|---|---|
requireAuthOnScreenOn | boolean | Set to true to launch secondary authentication when the device screen is awakened while logged in. Default is false. |
useSecondaryAuth | string | Indicates the type of secondary auth used during re-authorization. Values are "none", "pin", "face", "nfc", and "barcode". Default is "none". |
secondaryAuthRequired | boolean | If set to true, logs the user out if they cancel setting up the secondary authentication. Default is false. Available starting Launcher 3.3.x. Starting in Launcher 3.6.x, the user will also have the option to log out during verification. |
PIN
If a PIN has been configured as the form of secondary authentication, a user logging into a device through the BlueFletch Authentication module will be prompted to create a PIN immediately after successfully entering their username and password. The PIN must be entered twice, identically, to confirm the sequence; the user is then allowed into the logged-in state and their role-based applications.
If the user puts the device screen to sleep without logging out, upon waking the screen, the Authentication module will prompt the user to enter their PIN to access their authenticated apps again. If the user makes too many bad attempts to enter the PIN, the Authentication module will require the user to re-enter their password to access the logged-in state.
Optionally, one application can be configured to be accessible from the lock screen. This is essential when there is a need for users to quickly access some functionality, such as the Android phone app, without entering the PIN first. See the Quick Start package configuration notes below.
Configuration
The following key-value pairs can be set within the settings object of the Launcher configuration JSON file.
Settings for specific PIN requirements:
Field | Data Type | Description |
---|---|---|
useSecondaryAuth | string | (See description above.) Assign the value "pin". |
secondaryAuthPinLength | integer | Set the minimum number of digits required for the PIN. Minimum value is 4; default is 6 if not specified. Available in Auth 3.1.x. |
pinMaxLength | integer | Number of required digits for the PIN. Minimum of 4, maximum of 10; defaults to 6 if not specified. This setting supersedes secondaryAuthPinLength and is available from Auth 3.6.x and above. |
pinEnforceConsecutiveRule | boolean | If true, will not allow more than 3 consecutive identical digits (e.g. 1111 will not be allowed, but 1112 is allowed). Default is true. Available from Auth 3.6.x and above. |
pinEnforceSequentialRule | boolean | If true, will not allow more than 3 sequential digits up or down (e.g. 1234 is not allowed, but 1235 is allowed). Default is true. Available from Auth 3.6.x and above. |
pinEnforceBlackList | string | Comma-delimited list of PIN codes that the user cannot use (e.g. if 1112 is specified, it will be disallowed by the blacklist even though it passes the consecutive rule). Available from Auth 3.6.x and above. |
pinMaxRetryCount | integer | During verification, the maximum number of incorrect attempts allowed, after which the currently logged-in user is forcibly logged out. Available from Auth 3.6.x and above. |
pinAutoSubmit | boolean | If set to false, requires the user to tap the Enter key after entering their PIN. If set to true, the PIN is submitted automatically after the last digit is entered (based on pinMaxLength). Default is true. Available from Auth 3.6.x and above. |
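To check which PINs a given policy would accept before rolling it out, the following added example (not BlueFletch code) implements the consecutive, sequential, blacklist and length rules exactly as the table above describes them, against a constructed settings object. It assumes no wrap-around for the sequential rule (9 followed by 0 is not treated as ascending), which the table does not specify.

```python
import json

# Constructed sample: a settings object as it might appear in the Launcher
# configuration JSON (illustrative values, not from a real deployment).
SAMPLE_SETTINGS = json.loads("""
{
  "requireAuthOnScreenOn": true,
  "useSecondaryAuth": "pin",
  "pinMaxLength": 6,
  "pinEnforceConsecutiveRule": true,
  "pinEnforceSequentialRule": true,
  "pinEnforceBlackList": "111222, 123123, 000000",
  "pinMaxRetryCount": 5
}
""")

def longest_run(pin, step):
    """Length of the longest run in which each digit differs from the previous
    one by exactly `step` (0 = identical digits, +1/-1 = ascending/descending).
    Assumption: no wrap-around, so 9 -> 0 does not count as ascending."""
    best = cur = 1
    for a, b in zip(pin, pin[1:]):
        cur = cur + 1 if int(b) - int(a) == step else 1
        best = max(best, cur)
    return best

def check_pin(pin, settings):
    """Return the names of the documented PIN rules the candidate violates;
    an empty list means the PIN would be accepted under these settings."""
    violations = []
    if "pinMaxLength" in settings:   # exact length; supersedes the older key
        length_ok = len(pin) == settings["pinMaxLength"]
    else:                            # older key is a minimum, default 6
        length_ok = len(pin) >= settings.get("secondaryAuthPinLength", 6)
    if not (pin.isdigit() and length_ok):
        return ["length"]
    # Consecutive rule: no more than 3 identical digits in a row (1111 rejected, 1112 allowed).
    if settings.get("pinEnforceConsecutiveRule", True) and longest_run(pin, 0) > 3:
        violations.append("consecutive")
    # Sequential rule: no more than 3 digits stepping up or down (1234 rejected, 1235 allowed).
    if settings.get("pinEnforceSequentialRule", True) and (
        longest_run(pin, 1) > 3 or longest_run(pin, -1) > 3
    ):
        violations.append("sequential")
    # Blacklist: comma-delimited; applies even to PINs that pass the other rules.
    blacklist = {p.strip() for p in settings.get("pinEnforceBlackList", "").split(",") if p.strip()}
    if pin in blacklist:
        violations.append("blacklist")
    return violations
```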
Settings for an optional Quick Start package:
Field | Data Type | Description |
---|---|---|
secondaryAuthQuickStartPackage | string | Allows one package to be opened from the PIN unlock screen. After a PIN has been set up during a login session, when a user wakes the device they will see this app's icon in the lower right corner and can choose to open the package's main activity without unlocking the device. For example, if the value is "com.android.dialer", the user will see the Android phone icon and can launch the activity com.android.dialer.app.DialtactsActivity. |
secondaryAuthQuickStartIcon | string | Overrides the default application icon used to launch secondaryAuthQuickStartPackage with an image identified by its file location on the device, e.g. "/sdcard/DCIM/icons/bluefletch_logo.png". |
Face Recognition
A device configured to reauthenticate by facial recognition will require that the BlueFletch Vision reauthentication APK be installed on the device and a Vision Database ZIP file be downloaded to the file location /sdcard/Download/ems_vision_database.zip. Contact your BlueFletch representative to request a Database ZIP file. On the hardware side, Vision requires a device with a front-facing camera to operate.
To reauthenticate with Vision, login with the BlueFletch Authentication module. If the device has been configured as indicated below to include a logged-in layout with the Vision application's Training activity, then after the user logs in, they can open that activity. Vision will "train" itself to recognize the user's face by collecting multiple images, ideally from a variety of angles as the user shifts the device in relation to their face.
The user may lock the device's screen. Upon unlocking, the user will be prompted for reauthentication by Vision turning on the front-facing camera. If the user's face image matches within a threshold of similarity against the expected images stored in the database, then the user is reauthenticated and returned to the logged-in state.
Configuration
Vision Training application object in a layout:

```json
"layouts": {
  "Layout Group Example": [
    {
      "label": "Vision Training",
      "package": "com.bluefletch.ems.vision",
      "activity": "FaceTrainActivity"
    }
    ...
  ]
  ...
}
```
The following key-value pairs can be set within the settings object of the Launcher configuration JSON file.
Settings for Vision application:
Field | Data Type | Description |
---|---|---|
useSecondaryAuth | string | (See description above.) Assign the value "face". |
vision_threshold | double | When using Vision reauthentication, the percentage threshold at which a face is considered a match, e.g. 0.45. |
vision_attempts | integer | When using Vision reauthentication, the number of attempts allowed to match a face against the vision database. |
NFC Tag
A near-field communication (NFC) tag functions for reauthentication purposes as proof of possession of a piece of hardware (an ID badge or other object with an NFC sticker on it) that is digitally recognizable by the mobile device.
If a device has been configured to use NFC for secondary authentication, after logging into the Authentication module, the user will be prompted to tap an NFC tag with their device to associate the tag with the login session.
After tapping, the NFC icon will turn green and the user will be allowed to access their logged-in state applications.
When waking a locked device screen, the Auth module will prompt the user to tap the same NFC tag in order to unlock.
If the user taps a different NFC tag that is not associated with the session, the Auth module will display a message stating, "NFC badge data cannot be verified with this session." The NFC icon will turn red, and the user will not be returned to their logged-in state.
If the user taps the NFC tag that they associated with the session, the NFC icon will turn green and the user will be returned to their logged-in state.
Configuration
The following key-value pair can be set within the settings object of the Launcher configuration JSON file.
Settings for NFC:
Field | Data Type | Description |
---|---|---|
useSecondaryAuth | string | (See description above.) Assign the value "nfc" (available in Auth module version 3.2.2+). |
Barcode
For a device configured to reauthenticate by barcode, the user will be prompted to scan a barcode after logging into the Auth module. Scanning the barcode will associate it with the session.
When the user locks the device screen and wakes it again, they can scan the same barcode to verify their identity and access their applications in the logged-in state. If a different barcode is scanned, the barcode icon will turn red, the user will receive an error message stating that the session cannot be verified by the barcode data, and they will be able to try again.
Configuration
The following key-value pair can be set within the settings object of the Launcher configuration JSON file.
Settings for barcode:
Field | Data Type | Description |
---|---|---|
useSecondaryAuth | string | (See description above.) Assign the value "barcode". |
Alternate Secondary Authentication
A device can also be configured to have two options available for secondary authentication. After entering login credentials, the authentication flow proceeds to the screen to set up or train recognition for the primary secondary-authentication method, as configured by useSecondaryAuth (i.e. create and confirm a PIN, scan an NFC tag, etc.). If configured with a different value for alternateSecondaryAuth, the screen will include an option to switch to training the alternative reauthentication method.
Once one of the two secondary authentication options is selected and trained, the authentication flow will proceed to the logged-in state. Upon unlocking the device from sleep, only the reauthentication method that was selected and trained - primary or alternate - will be available to unlock the device.
Configuration
The following key-value pairs can be set within the settings object of the Launcher configuration JSON file.
Field | Data Type | Description |
---|---|---|
useSecondaryAuth | string | Indicates the type of secondary auth used during re-authorization. Values are "none", "pin", "face", "nfc", and "barcode". Default is "none". |
alternateSecondaryAuth | string | Sets an alternative secondary authentication method available during reauthentication training. Accepted values are "pin", "face", "nfc", and "barcode". Only applied if useSecondaryAuth is set and has a different value than alternateSecondaryAuth. |
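The precedence rules in this table and the common table above are easy to get wrong in a large configuration file, so the following added example (not BlueFletch code) resolves which primary and alternate methods a settings object will actually yield and reports the cases where a key is silently ignored. The three settings objects are constructed for illustration.

```python
import json

VALID_PRIMARY = {"none", "pin", "face", "nfc", "barcode"}
VALID_ALTERNATE = VALID_PRIMARY - {"none"}

# Constructed sample settings objects (illustrative, not from a real deployment).
PIN_WITH_NFC_FALLBACK = json.loads(
    '{"requireAuthOnScreenOn": true, "useSecondaryAuth": "pin", "alternateSecondaryAuth": "nfc"}')
ALTERNATE_WITHOUT_PRIMARY = json.loads(
    '{"requireAuthOnScreenOn": true, "alternateSecondaryAuth": "face"}')
DUPLICATE_METHODS = json.loads(
    '{"useSecondaryAuth": "barcode", "alternateSecondaryAuth": "barcode"}')

def resolve_secondary_auth(settings):
    """Return (primary, alternate, warnings) as the documented rules read them:
    the alternate only applies when useSecondaryAuth is set to a different value,
    and reauthentication on screen wake only happens with requireAuthOnScreenOn."""
    warnings = []
    primary = settings.get("useSecondaryAuth", "none")
    if primary not in VALID_PRIMARY:
        raise ValueError(f"useSecondaryAuth: unsupported value {primary!r}")
    alternate = settings.get("alternateSecondaryAuth")
    if alternate is not None and alternate not in VALID_ALTERNATE:
        raise ValueError(f"alternateSecondaryAuth: unsupported value {alternate!r}")
    # The alternate is ignored unless a different primary method is configured.
    if alternate is not None and primary == "none":
        warnings.append("alternateSecondaryAuth ignored: useSecondaryAuth is not set")
        alternate = None
    elif alternate == primary:
        warnings.append("alternateSecondaryAuth ignored: same value as useSecondaryAuth")
        alternate = None
    # A configured method is only requested on screen wake when this flag is true.
    if primary != "none" and not settings.get("requireAuthOnScreenOn", False):
        warnings.append("requireAuthOnScreenOn is false: waking the screen will not prompt for reauthentication")
    return primary, alternate, warnings
```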