Authenticate the User
Start with the most basic point: Nothing else matters if anyone can pick up a mobile device and start using it. Ensuring that the person using the device is authorized to do so is Job No. 1 when it comes to mobile security.
There are, at this point, a number of ways for that authentication to take place. A reasonably strong passcode is one. Biometric authentication is another. In either case, if it's not enabled, it can't be effective.
One of the things users don't want - and won't tolerate - is security that adds a great deal of "friction" to the user experience. That's what makes user authentication so attractive. It adds very little friction for users, while adding plenty of friction for unauthorized individuals. That greatly lowers the chances users will try to find a way around the authentication process.
(Image: thodonal via Adobe Stock)