Do you feel annoyed when you have to type a long user name and password with your tiny keyboard on a mobile device every time you launch an app? Can’t always remember all your user names and passwords for different apps? Then you need single sign-on.
Single sign-on has been available for desktop and web apps for quite a while. What’s the difference when doing it on mobile devices? The concept is identical, but there are four things your mobile single sign-on solution should include:
1. Native app-friendly standards
The most commonly used standard in web apps is SAML, especially in an enterprise environment. However, it does not work very well on mobile devices. Why? Because SAML assumes its clients are web browsers, but mobile native apps do not run in a browser. This also tells us the age of SAML. When it came out in 2005, iOS and Android hadn’t been released yet, and Windows Mobile or Symbian accounted for only a small fraction of the overall mobile phone market.
This brings us to the newer OAuth 2.0 standard, which came out in 2012. Instead of considering only browser use cases, OAuth 2.0 defines several flows, one of which is for mobile devices. The way OAuth 2.0 passes its access token between the client and the resource server (as a bearer token in an ordinary HTTP request) suits mobile native apps, so they can consume the token without any workaround.
Therefore, when considering single sign-on solutions for your mobile apps, make sure the solution you choose supports OAuth 2.0. You’ll also need SAML support, because it is still useful for mobile web apps, and it remains the most popular single sign-on standard for desktop web apps in an enterprise environment.
2. A strong and user-friendly authentication method
Single sign-on always carries more security risk, because one credential now unlocks every app, so you want to make sure that users aren’t relying on weak authentication methods. But since input on mobile devices is much harder than on desktop devices, and user experience is critical to a mobile app’s success, you also want the authentication method to be as user-friendly as possible. On mobile devices, the popular ways to accomplish both goals are one-time passwords, certificate-based authentication and multi-factor authentication. I’ve gone through the details of these topics in my previous blog post, and you may want to read that if you haven’t already.
3. Risk-based authentication
You won’t want a user granted access to everything in every app simply because they authenticated once. For example, when the user is about to perform a financial transaction, you will want to require an additional authentication method to ensure better security. Mobile devices are also constantly on the move, so a one-size-fits-all policy for them is a bad idea. Risk-based authentication solves this problem and is what you should look for when considering single sign-on solutions.
4. Revoke access at any time
Security threats happen more often on mobile devices than on desktop PCs. They are more likely to be lost and more likely to be shared with someone else. You want to be able to revoke access at any time when things like this happen.
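To make points 1, 3 and 4 concrete, here is an added example (not code from the original post or from any IBM product) that models a tiny OAuth 2.0 authorization server and a resource server policy: tokens are opaque bearer tokens bound to a user and device, each records the authentication strength (acr) used to obtain it, a financial endpoint demands step-up to a stronger method, and all tokens for a lost device can be revoked at once. The class and function names, the acr labels and the policy table are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory authorization server: opaque bearer tokens, each bound to a
# device, with the assurance level ("acr") recorded at issuance and a revocation flag.
class AuthorizationServer:
    def __init__(self):
        self._tokens = {}  # sha256(token) -> record; the raw token is never stored

    def issue_token(self, user, device_id, scopes, acr="password", ttl=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "user": user, "device": device_id, "scopes": set(scopes),
            "acr": acr, "expires": time.time() + ttl, "revoked": False}
        return token

    def introspect(self, token):
        # Mirrors what a resource server learns from token introspection.
        rec = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["revoked"] or rec["expires"] < time.time():
            return {"active": False}
        return {"active": True, **{k: v for k, v in rec.items() if k != "revoked"}}

    def revoke_device(self, user, device_id):
        # Point 4: a lost or shared phone loses every token it was issued.
        for rec in self._tokens.values():
            if rec["user"] == user and rec["device"] == device_id:
                rec["revoked"] = True

# Point 3: per-endpoint policy. Each endpoint needs a scope and a minimum
# authentication strength; the transfer endpoint forces step-up to OTP or better.
ACR_RANK = {"password": 1, "otp": 2, "certificate": 2, "mfa": 3}
POLICY = {"/profile": ("profile", "password"), "/transfer": ("payments", "otp")}

def authorize(auth_server, token, endpoint):
    """Resource-server decision for one bearer token on one endpoint."""
    required_scope, required_acr = POLICY[endpoint]
    info = auth_server.introspect(token)
    if not info["active"]:
        return "401 invalid_token"
    if required_scope not in info["scopes"]:
        return "403 insufficient_scope"
    if ACR_RANK[info["acr"]] < ACR_RANK[required_acr]:
        return "401 step_up_required"  # constructed label for a step-up challenge
    return "200 OK"
```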
IBM Security Access Manager has added capabilities to address these needs in its latest release. Click the link above to see more details. Also, here is a good presentation from the IBM Pulse 2013 event that gives some more details about this topic.
What are your thoughts about single sign-on on mobile devices? Please provide your feedback in the comments or connect with me on Twitter.