Biometric unlock

Protect the mobile app with Face ID, fingerprint, or a 4-digit PIN, so that an unlocked device doesn't automatically mean an unlocked app.

Required role

Any mobile-enabled role.

Overview

The mobile app adds its own authentication layer on top of the OS unlock. Even if you hand your unlocked phone to a colleague (or lose it briefly), the app stays locked until you provide your biometric or 4-digit PIN.

Two mechanisms:

  • Biometric — Face ID / Touch ID / fingerprint / face unlock, depending on what your device supports at the OS level.
  • 4-digit PIN — always available as a fallback. Set during first-time setup or later in Settings → Security.

Biometric is faster and stronger; PIN is the universal fallback for when biometric fails (wet hands, dark room, mask on) or isn't available on the device.

Prerequisites

  • The app is installed and paired. See Pairing and setup.
  • For biometric: a fingerprint or face (Touch ID / Face ID / fingerprint / face recognition) is enrolled at the OS level on your device.

Set up biometric unlock

At first-time setup

After the initial sync at the end of Pairing and setup, you're prompted:

  1. "Set a 4-digit PIN" — enter, confirm.
  2. "Enable Face ID / fingerprint?" — tap Enable to allow biometric in addition to PIN.
  3. The first biometric authentication happens immediately to verify.

Done.

Later

Menu → Settings → Security:

  • Toggle Biometric unlock on or off.
  • Change your PIN.
  • Change the lock timeout (how long the app stays unlocked when backgrounded — default 5 minutes).

Unlock the app

  • When you open the app (cold start), you see the lock screen.
  • The OS prompts for biometric (if enabled).
  • On success, the Dashboard loads.
  • On failure or unavailability, tap Use PIN and enter your 4-digit code.

Lock timeout

The app stays unlocked for a short period while backgrounded, so you don't have to re-authenticate every time you switch apps briefly. Default: 5 minutes.

Configurable in Settings → Security → Lock timeout:

  • Immediately — any background = re-lock.
  • 1 minute.
  • 5 minutes (default).
  • 15 minutes.
  • Never (strongly discouraged).

What's protected by the lock

Once locked:

  • The app contents are inaccessible — no task list, no hierarchy, no reports.
  • Cached data on the device is encrypted at rest; the lock also requires authentication before decryption.
  • Incoming push notifications still appear (configurable in OS settings) but tapping one lands you on the lock screen.

What the lock doesn't protect:

  • If a malicious actor has full device access (root / jailbreak), the lock is just one defence, not all of them. Certificate pinning, session tokens, and encrypted storage are the other layers.

Rate limiting

Failed PIN attempts are rate-limited:

  • 3 failed attempts → 30-second cooldown.
  • 6 failed attempts → 5-minute cooldown.
  • 9 failed attempts → app signs out and requires password login to re-pair.

Biometric failures don't count against the PIN limit — biometric has its own OS-level rate limiting.
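
The policy above modelled as a small state machine, with a calculation of how many of the 10,000 possible 4-digit PINs can be tried before sign-out; this is an added example, not the app's own code. Assumptions: a successful PIN resets the failure counter, attempts made during a cooldown are rejected without being evaluated, cooldowns trigger only on the 3rd and 6th failure, and the names PinLimiter and guess_budget are hypothetical.

```python
from dataclasses import dataclass

# Thresholds taken from the page: failure count -> cooldown in seconds.
COOLDOWNS = {3: 30, 6: 300}
SIGN_OUT_AT = 9        # 9 failed attempts -> sign out, password login to re-pair
PIN_SPACE = 10 ** 4    # number of possible 4-digit PINs


@dataclass
class PinLimiter:
    """Hypothetical model of the documented policy."""
    failures: int = 0
    locked_until: float = 0.0
    signed_out: bool = False

    def attempt(self, pin_ok: bool, now: float) -> str:
        if self.signed_out:
            return "signed_out"
        if now < self.locked_until:
            return "cooldown"      # assumption: PIN is not evaluated at all
        if pin_ok:
            self.failures = 0      # assumption: success resets the counter
            return "unlocked"
        self.failures += 1
        if self.failures >= SIGN_OUT_AT:
            self.signed_out = True
            return "signed_out"
        self.locked_until = now + COOLDOWNS.get(self.failures, 0)
        return "failed"

    def biometric_failed(self) -> None:
        """Biometric failures are rate-limited by the OS, so nothing is counted."""


def guess_budget():
    """Submit only wrong PINs, retrying as soon as each cooldown expires.
    Returns (PINs evaluated, seconds spent waiting, chance one was correct)."""
    lim, now, guesses = PinLimiter(), 0.0, 0
    while True:
        result = lim.attempt(False, now)
        if result == "cooldown":
            now = lim.locked_until   # wait out the cooldown, then retry
            continue
        guesses += 1
        if result == "signed_out":
            return guesses, now, guesses / PIN_SPACE
```

Under these assumptions the lock screen evaluates at most 9 PINs, with 330 seconds of enforced waiting, before the password is required again.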

Reset your PIN

You remember the current PIN

Settings → Security → Change PIN → enter current → enter new.

You don't remember

  1. Tap Forgot PIN on the lock screen.
  2. The app signs you out.
  3. Sign in again with your password.
  4. You'll be prompted to set a new PIN.

This doesn't destroy drafts or queued uploads — the cache survives.

Locked out entirely

If biometric fails and you've forgotten the PIN and failed 9 times:

  • Same flow as "Forgot PIN" — sign in again with your password.

Disable the lock entirely

Settings → Security → toggle Require unlock off.

Not recommended

The app holds maintenance data that a malicious actor could tamper with (or worse, submit fake records under your identity). Unless you have a compelling reason, keep the lock on.

Multi-user devices

Only one user per device. The app doesn't support multiple user profiles on the same install. If you share a device with a colleague on a different shift:

  • One of you signs out at end of shift.
  • The other signs in at start of shift.
  • Drafts and queued uploads must clear before sign-out or the switching user loses them.

Better: give each user their own device. Device cost is low compared to the cost of data mix-ups.

Biometric limitations

  • Face ID (iPhone): works in the dark. Doesn't work through masks covering the eyes. Fails with significant facial changes.
  • Touch ID (iPhone): wet / dirty fingers, cuts, cold hands all reduce reliability.
  • Android fingerprint: same limitations as Touch ID. Enrolment quality matters — re-enrol your fingerprint if it keeps failing.
  • Android face unlock: less secure than Face ID on most devices; still works.

If biometric isn't working reliably in your environment (cold rooms, gloves, wet work), rely on PIN.

Things to watch for

Don't share your PIN

A shared PIN means ambiguous audit trails. Each person has their own account and PIN.

Re-enrol fingerprints annually

Android fingerprint quality drifts over a year. Re-enrol if failure rate climbs.

OS locks vs app lock

The OS screen lock protects the device; the app lock protects the app specifically. Don't disable the app lock on the theory that the OS lock is enough — the OS lock fails the moment you hand the unlocked phone to someone.

Troubleshooting

Problem | Fix
Biometric prompt doesn't appear | Check Settings → Security → Biometric unlock is on; check OS-level enrolment
Biometric always fails | Re-enrol at the OS level; fall back to PIN
PIN entry rejected repeatedly when you're sure it's right | Keyboard layout; try tapping numbers slowly
Locked out after too many attempts | Tap Forgot PIN → sign in with password
App re-locks immediately | Lock timeout may be Immediately; change in Settings