Lock screen Notifications

Hi,

I'd love the option to stop the push notifications from being able to be approved from the lock screen as it can be a security risk.

I know you can manually set which apps can display content on the lock screen on each device but that isn't a possibility in large deployments.

If there is a technical limitation, maybe see if you can get it to at least report the status to the dashboard.

Thanks.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Aron

    Are you using iOS or Android? What version?

    -James Carson
    WatchGuard Customer Support

  • I have a Moto g7 Android 9 phone and I do not get the notification on its lock screen. All notifications within the AuthPoint app are on.

    My "On lock screen" setting for Android itself is set to "Hide sensitive content", so that is probably what is stopping them for me.

    Gregg Hill

  • This isn’t necessary.... no MFA has control over this; this is done on the user level....

    For instance I can tell my phone not to allow me to accept push notifications until it scans my face (iPhone X)

    Most cell phones don’t allow access to those types of features... so you just have to make sure your users are aware.

  • Hi all,

    Sorry, I forgot to reply.

    I'm on Android 10 personally.

    Most Androids have the option of hiding all/sensitive notifications on the lock screen but the user may not want to enable it due to it blocking notifications from all apps.

    If it's not possible to implement, then another workaround may be for admins to choose that the notification doesn't have an accept/decline button and the user has to open the app to approve, possibly depending on what they are logging into.

    It's not a deal breaker for me, just a feature request.

  • james.carson Moderator, WatchGuard Representative

    Hi @Aron

    What version of the mobile app are you using?

    On Android 10, if the screen is locked, you're not able to expand to the approve/deny portion anymore:

    https://imgur.com/a/Yid56Ph

    If the phone is unlocked, you can expand to approve/deny.

    -James Carson
    WatchGuard Customer Support

  • I have a Moto G7 with Android 10 and AuthPoint 1.14.1 version. I just enabled sensitive info on the lock screen (I usually don't!), which I believe is the Android (stupid) default, and then I locked my phone. I logged into the WatchGuard Cloud and clicked to send the push. The AuthPoint notification showed up, I touched the down arrow in the upper-right corner and it says Tap again to open. I tapped again and it expanded the notification. I tapped Approve and it let me into the WatchGuard Cloud site.

    Gregg Hill

  • This isn’t necessary.... no MFA has control over this; this is done on the user level....

    For instance I can tell my phone not to allow me to accept push notifications until it scans my finger or face

  • I'm on version 1.15.0 on a Google Pixel 3 and I can approve from the lock screen if I don't have 'hide sensitive info on lock screen' turned on.

    I think different manufacturers put different defaults on their Android skins.

    Duo has the option for admins to block approvals from the lock screen
    https://duo.com/docs/policy#screen-lock

  • james.carson Moderator, WatchGuard Representative

    Hi @Aron
    The feature you're mentioning on Duo disallows Duo from working on any device without a lock screen. It doesn't disallow you from accepting pushes without locking if the device supports that.

    This is a feature request for AuthPoint, and its ID is AAAS-12680.

    -James Carson
    WatchGuard Customer Support

  • Hi James

    Thanks for the reference #

    I think Duo by default blocks auths from the 'screensaver' if there is pin/biometrics etc set up. But if there is no security then you can approve from the 'screensaver', but they allow the admins to block Duo on devices without a screen lock.

    If the screen is locked when a Duo Mobile push authentication request is received, then the screen must be unlocked before approving the authentication request.

    Anyhow, thank you for putting the idea forward.

  • A more scalable way than "per product/per user configuration" would be to use a mobile device management (MDM) solution to register, deploy apps, apply policy and conditions to a user's phone. Here is an example: https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-platform-android or look up JAMF, AirWatch, Samsung Knox, MobileIron, etc...
