Can you enable biometrics fingerprint with mobile apps use Azure AD?

Question

Just a random question really. Workday mobile app support PIN and BIOMETRICS and you can enable it in Workday tenant. Now we use Azure AD SSO when we authenticate to Workday. My question is if a mobile app support PIN and BIOMETRICS and use Azure AD SSO for authentication. Will this combination work together?? I have tested Workday native login instead of Azure AD SSO with PIN and Touch ID and that works, but at the moment i do not have a test setup of workday and azure ad SSO so cant test it in that combination. Thx in advance

Answer 1

Hey @Ronnie Jorgensen I don't see why it wouldn't work.

The Pin and Biometrics are client side, for unlocking the device to get access to the AuthToken HMAC key, per the Android docs : https://source.android.com/security/authentication

I assume that iOS follows a similar flow, and this should allow access to the app. If pin and touch ID works, then biometrics should also work, as those authentication methods are device centric.

The actual workday app is most likely constantly refreshing the token as it follows the flow described in the Microsoft AAD SSO docs here : https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on#choosing-a-single-sign-on-method

More info here on implementation specifics : https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-auth#authentication-with-provider-sdk

If you're interested in learning more, I would suggest asking Workday as they are the ones who actually implemented the application and would know more on what is supported vs not supported.