This article was originally posted on July 31, 2017 and revised on August 10, 2017 to reflect the decision to make device security a strongly recommended option, not a requirement.
OneLogin Protect (formerly OTP) 3.3 will be released soon, and will provide administrators with the option to require that users secure their devices:
- For iPhones and iPads, users would be required to enable the Passcode feature (or Passcode + Touch ID)
- For Android phones and tablets, users would be required to enable Screen Lock using PIN, password, pattern, or fingerprint
If administrators choose to require device security, users with an unsecured device will be prompted to secure it when they first configure OneLogin Protect on the device (new installation), when they launch an already-configured OneLogin Protect app on their device (after upgrading), or when they attempt to accept push notifications (after upgrading). A button takes them to the device setting screen where they can enable security.
Why are we adding this option and recommending it strongly? For second-factor authentication with OTP to provide a strong second line of defense against intrusion, the device that hosts the OTP app must itself be secure. You don't want a stolen password and a stolen phone to provide easy entry to your OneLogin user account.