LYNKS Mobile App
Mobile authentication with INCERT certificates, push notifications, and biometric support for iOS and Android devices
Introduction
The LYNKS mobile app provides secure mobile authentication with INCERT certificates, push notifications, and biometric support for iOS and Android devices. The mobile app serves as a second-factor authentication method, combining certificate-based security with mobile convenience for both login authentication and transaction signing.
The app enables users to approve payments and access LYNKS from their mobile devices, providing flexibility for users who need to authenticate and authorize transactions while away from their desks. The LYNKS mobile app turns your smartphone or tablet into a secure authentication device based on certificate cryptography: it generates cryptographic signatures using certificates stored securely on your device, producing advanced electronic signatures compliant with electronic signature regulations.
The app's push notification system enables real-time approval workflows, allowing approvers to review and authorize transactions immediately upon request without needing to log into the web platform.
About INCERT
INCERT is a Luxembourgish certificate authority owned by the Chamber of Commerce and the Luxembourg government, providing the same trusted authority used in Luxembourg's national identity documents. INCERT certificates enable the LYNKS mobile app to create advanced electronic signatures that provide enhanced legal validity compared to simple electronic signatures.
INCERT specializes in mobile certificate solutions, delivering secure certificate-based authentication designed specifically for mobile devices. The certificates are automatically generated during app enrollment and stored securely in your device's hardware security module (secure enclave on iOS or keystore on Android), ensuring private keys never leave your device.
Historical Note: The LYNKS mobile app was previously known as "FinologeeSIGN" and "Authenticator" in earlier releases. Since release 6.0 (January 2025), the app has been officially rebranded to "LYNKS mobile app" to align with platform branding.
Features
The LYNKS mobile app provides comprehensive authentication and approval capabilities designed for mobile convenience and security.
Login authentication
The mobile app serves as a second-factor authentication method for LYNKS web platform access. Users enter their email address on the web login screen, then receive a push notification on their registered mobile device to approve the login request.
Push notifications
Instant notification of login requests and transactions requiring approval. Push notifications deliver real-time alerts to your device, ensuring you're immediately informed of actions requiring your attention.
Biometric authentication
Face ID or Touch ID support provides device-level security. Users can authenticate to the mobile app using their device's native biometric authentication rather than entering PINs or passwords for each approval.
Transaction review
Review complete transaction details before approval. The mobile app displays all transaction information, allowing approvers to verify amounts, beneficiaries, and other details before providing their digital signature.
Device binding
Secure device registration and remote deactivation capability. Each mobile app instance is bound to a specific device, and administrators can remotely deactivate lost or compromised devices to prevent unauthorized access.
Advanced electronic signatures
INCERT certificate-based signatures provide advanced electronic signatures with enhanced legal validity compared to standard electronic signatures.
Authentication flow
The LYNKS mobile app authentication process leverages push notifications to enable seamless approval workflows.
Login process
- User navigates to the LYNKS web platform login screen
- User clicks "LYNKS mobile app" authentication option
- User enters their email address in the login form
- LYNKS sends a signing request to the user's registered mobile device
- Push notification appears on user's mobile device
- User opens the LYNKS mobile app (automatically opened via notification)
- User reviews the login request details
- User authenticates to the app using biometric (Face ID/Touch ID) or PIN
- User approves the login request by tapping the approve button
- LYNKS validates the approval signature and grants web platform access

[Figure: LYNKS mobile app authentication option on web login screen]

[Figure: Email address entry screen for mobile app authentication]

[Figure: Waiting for mobile app approval confirmation]

[Figure: LYNKS mobile app showing login request on mobile device with biometric authentication prompt]
Transaction signing process
The transaction signing flow follows a similar pattern:
- User creates or initiates transaction in LYNKS web platform
- Transaction requires signature based on signatory rules
- LYNKS sends approval request to mobile app
- Push notification appears on approver's device
- Approver opens mobile app and reviews transaction details
- Approver authenticates with biometric or PIN
- Approver signs transaction by tapping approve
- Mobile app creates cryptographic signature
- Signature is sent to LYNKS platform
- LYNKS validates signature and marks transaction as approved
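The validation step that closes both flows above, sketched as an added example (not LYNKS code): the server accepts an approval only if the request is unanswered, the device is still active, and the signature covers the exact details shown to the approver. The request format, the ECDSA P-256 choice and every name are assumptions, and certificate chain and status checking against INCERT is reduced to an Active flag on the enrolled public key.

```go
package main // added example; every name here is hypothetical, not LYNKS's API

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Device struct {
	Pub    *ecdsa.PublicKey // from the certificate issued at enrollment
	Active bool             // false once an administrator deactivates the device
}
type Request struct {
	Details   string // exactly what the approver was shown
	Challenge []byte // fresh server nonce, unique per request
	Used      bool   // set by the first valid approval
}

// Digest binds a signature to this request and to the details displayed.
func (r *Request) Digest() []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%x|%s", r.Challenge, r.Details)))
	return d[:]
}

// Enroll and Approve stand in for the phone, where the key stays in secure hardware.
func Enroll() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
func Approve(k *ecdsa.PrivateKey, r *Request) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k, r.Digest())
}

// Validate is the server-side check; only a valid approval consumes the request.
func Validate(r *Request, d *Device, sig []byte) error {
	switch {
	case r.Used:
		return fmt.Errorf("request already answered")
	case d == nil || !d.Active:
		return fmt.Errorf("device unknown or deactivated")
	case !ecdsa.VerifyASN1(d.Pub, r.Digest(), sig):
		return fmt.Errorf("signature does not cover this request")
	}
	r.Used = true
	return nil
}

func main() {
	k, _ := Enroll() // errors ignored in this constructed demo only
	d, r := &Device{&k.PublicKey, true}, &Request{Details: "pay 100.00 EUR to ACME", Challenge: []byte("n1")}
	sig, _ := Approve(k, r)
	fmt.Println(Validate(r, d, sig), Validate(r, d, sig)) // accepted, then rejected as replay
}
```

Because the digest covers both the challenge and the displayed details, a signature captured for one request fails for any other request or for altered amounts or beneficiaries.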
INCERT Certificates
The LYNKS mobile app uses INCERT certificates for creating advanced electronic signatures. INCERT is a certificate authority providing certificate services specifically designed for mobile authentication scenarios.
Certificate characteristics
INCERT certificates used by the LYNKS mobile app:
- Automatic generation - Created during app enrollment without user intervention
- Secure storage - Stored in device's secure enclave or keystore
- Advanced electronic signatures - Provide enhanced legal validity (not qualified signatures)
- Device binding - Bound to specific mobile device hardware
- Remote revocation - Can be remotely deactivated if device compromised
Certificate lifecycle
The certificate lifecycle for mobile app certificates:
- Enrollment - Certificate generated during initial app setup
- Storage - Securely stored in device hardware security module
- Usage - Used to create signatures for login and transaction approval
- Renewal - Automatic renewal before certificate expiration
- Revocation - Manual revocation if device lost or user access revoked
Signature validity
Signatures created with INCERT certificates provide:
- Advanced electronic signatures - Higher legal validity than simple electronic signatures
- Non-repudiation - Signatures tied to specific device and user
- Audit trail - Complete logging of signature creation events
- Timestamp - Precise signature timestamp recording
- Certificate validation - Real-time certificate status checking
Biometric authentication
The LYNKS mobile app supports native biometric authentication on supported iOS and Android devices, providing convenient and secure access to the app.
Supported biometric methods
The app supports platform-native biometric authentication:
iOS devices
- Face ID - Facial recognition authentication on compatible iPhone and iPad models
- Touch ID - Fingerprint authentication on compatible iPhone and iPad models
Android devices
- Fingerprint authentication - Fingerprint sensor recognition on compatible Android devices
- Face recognition - Facial recognition on devices supporting Android biometric APIs
Biometric security benefits
Biometric authentication provides additional security layers:
- Device-level security - Authentication requires physical possession of registered device
- User verification - Ensures only authorized user can approve transactions
- Convenience - Faster than entering PINs or passwords
- Non-transferable - Biometric characteristics cannot be shared or stolen like passwords
- Liveness detection - Face ID includes liveness detection to prevent spoofing
Fallback authentication
If biometric authentication fails or is unavailable:
- User can authenticate with device PIN as fallback
- Multiple failed biometric attempts trigger PIN requirement
- Users can disable biometric and use PIN only if preferred
- Device security settings control biometric availability
Device management
Administrators can manage LYNKS mobile app enrollments and device security through tenant settings.
Device enrollment
Users enroll devices through a controlled process:
- Administrator enables LYNKS mobile app for user account
- Administrator provides user's mobile phone number
- User receives enrollment instructions via email or SMS
- User downloads LYNKS mobile app from App Store or Google Play
- User completes enrollment by entering verification code
- Mobile app generates INCERT certificate
- Device binding is established
- User can begin using mobile app for authentication
Device binding
Each mobile app instance is bound to a specific device:
- Hardware binding - Certificate tied to device hardware identifiers
- Single device per enrollment - Each enrollment represents one device
- Multiple devices possible - Users can enroll multiple devices if permitted
- Device identification - Device name and type visible to administrators
Remote deactivation
Administrators can remotely deactivate devices:
- Lost device scenarios - Immediately deactivate lost or stolen devices
- User offboarding - Deactivate all devices when user leaves organization
- Security incidents - Deactivate compromised devices
- Device replacement - Deactivate old device when user switches devices
Deactivated devices cannot create new signatures, and users must re-enroll to regain mobile app access.
Enrollment history
Complete history of device enrollments and deactivations:
- Device enrollment date and time
- Device deactivation events
- Device type and operating system
- Last activity timestamp
- Certificate status and validity
Configuration requirements
The LYNKS mobile app requires configuration at tenant and user levels.
Tenant-level configuration
Mobile app authentication must be enabled for your tenant:
- LYNKS mobile app authentication method enabled in tenant settings
- INCERT certificate authority trust configured
- Push notification service configured
- Device management policies defined
- Mobile app distribution strategy established
User-level configuration
Individual users must be configured for mobile app authentication:
- LYNKS mobile app authentication method enabled in user profile
- Mobile phone number entered for user account
- User receives enrollment instructions
- User completes enrollment process
- Certificate generation confirmed
Prerequisites
Before enabling mobile app for users:
- User must have smartphone or tablet (iOS or Android)
- Device must meet minimum OS version requirements
- User must have mobile phone number for SMS verification
- User must be able to download apps from App Store or Google Play
- User must complete enrollment process within validity period
Device requirements
Minimum device requirements for LYNKS mobile app:
- iOS: iOS 13 or later
- Android: Android 8.0 (Oreo) or later
- Storage: Sufficient space for app installation
- Network: Internet connectivity for enrollment and synchronization
- Notifications: Push notification support enabled
Security features
The LYNKS mobile app implements multiple security layers to protect authentication and signatures.
Certificate security
Mobile app certificates provide strong security:
- Hardware-backed storage - Certificates stored in device secure enclave
- Private key protection - Private keys never leave device
- Certificate-based signing - Cryptographic signatures using INCERT certificates
- Remote revocation - Compromised devices can be remotely disabled
Device security
Device-level security features:
- Device binding - Each enrollment tied to specific device hardware
- Biometric authentication - Face ID, Touch ID, or fingerprint required
- PIN protection - Fallback authentication with device PIN
- Screen lock integration - Respects device security settings
Communication security
Secure communication between mobile app and LYNKS platform:
- TLS encryption - All network communication encrypted
- Certificate pinning - Protection against man-in-the-middle attacks
- Signature verification - Server validates signatures cryptographically
- Token-based authentication - Secure token exchange for API access
Audit trail
Complete logging of mobile app activities:
- Device enrollment and deactivation events
- Login approval requests and responses
- Transaction signature events
- Failed authentication attempts
- Certificate lifecycle events
Common questions
Answers to frequently asked questions about the LYNKS mobile app.
Enrollment and setup
How do I enroll my mobile device?
Your administrator must first enable the LYNKS mobile app for your account and provide your mobile phone number. You'll receive enrollment instructions via email or SMS with a link to download the app and a verification code to complete enrollment.
Can I use the app on multiple devices?
Yes, if permitted by your organization's policy, you can enroll multiple devices. Each device receives its own certificate and can be managed independently. Contact your administrator if you need to enroll additional devices.
What happens if I get a new phone?
When switching to a new device, you'll need to enroll the new device. Your administrator can deactivate your old device and enable the app for your new device. You'll receive new enrollment instructions to complete the setup process.
Using the app
Do I need internet connectivity to approve transactions?
Yes, an active internet connection is required to receive approval requests and submit signatures. The app uses push notifications to alert you of pending requests, which requires connectivity.
Why am I not receiving push notifications?
Check that notifications are enabled for the LYNKS mobile app in your device settings. Also verify that the app has permission for background activity and that "Do Not Disturb" mode is not blocking notifications.
Can I use the app if I'm traveling or in a different time zone?
Yes, the app works anywhere with internet connectivity. Your approval requests will appear regardless of your location or time zone.
Security
What happens if I lose my device?
Contact your administrator immediately. They can remotely deactivate your lost device to prevent unauthorized access. You can then enroll a new device once you have a replacement.
Is my biometric data stored on LYNKS servers?
No, biometric data (Face ID, Touch ID, fingerprint) never leaves your device. Biometric authentication is handled entirely by your device's operating system and is not transmitted to LYNKS.
How secure are the certificates on my device?
Certificates and private keys are stored in your device's hardware security module (secure enclave on iOS, keystore on Android), which provides hardware-level protection. Private keys cannot be extracted from the device.
Best practices
Organizations should follow these best practices when implementing mobile app authentication.
Device management
- Maintain inventory of enrolled devices per user
- Establish clear policies for device enrollment
- Implement prompt deactivation process for lost devices
- Regularly review enrolled devices and remove inactive ones
- Document device management procedures
User training
- Provide comprehensive mobile app training for new users
- Create step-by-step enrollment guides with screenshots
- Establish support channels for mobile app questions
- Conduct periodic refresher training on app features
Security policies
- Require biometric authentication where available
- Implement device security requirements (screen lock, encryption)
- Establish incident response for lost or stolen devices
- Regularly audit mobile app usage and enrollments
- Monitor failed authentication attempts
Communication
- Notify users of mobile app updates and new features
- Communicate scheduled maintenance affecting mobile app
- Provide clear instructions for transitioning to new devices
- Establish escalation procedures for critical issues
- Gather user feedback to improve mobile experience
App updates
The LYNKS mobile app receives regular updates with new features, security improvements, and bug fixes.
Update process
Mobile app updates are distributed through official app stores:
- Updates available through App Store (iOS) or Google Play (Android)
- Users receive notification of available updates
- Critical security updates may require mandatory installation
- Update changelog describes new features and fixes
- Most updates install without requiring re-enrollment
Version compatibility
LYNKS platform maintains compatibility with mobile app versions:
- Minimum supported app version enforced by platform
- Users on outdated versions prompted to update
- Critical security vulnerabilities may force update
- Major version updates may require re-enrollment
Related documentation
Explore these related sections to learn more about authentication and security in LYNKS:
Core Concepts:
- Permissions - Comprehensive explanation of access control and role-based permissions - User access control and permission assignment
- Approvals - How approval workflows and signature processes function - Approval workflow concepts and signature requirements
Platform Features:
- Action Center - Centralized task and approval management - Managing approval requests
- User & Groups - User management and access configuration - User creation and mobile app enablement
Security & Authentication:
- Authentication Methods - Detailed setup and usage of SSO, LuxTrust, and mobile app authentication - Overview of all authentication options
- Single Sign-On (SSO) - Enterprise identity provider integration - Alternative authentication for login
- LuxTrust - Qualified electronic signatures - Qualified electronic signatures for high-value transactions
- Digital Signatures - Transaction signing methods and legal validity - Transaction signing and signature validation
- Compliance & Audit - Security features, audit trails, and regulatory compliance - Security audit trails and compliance
Support
For assistance with mobile app enrollment, device management, or technical support, contact the LYNKS support team at [email protected].
For app download issues or problems with App Store or Google Play installation, consult your device manufacturer's support resources or your organization's IT helpdesk.
