Mobile SSO Password Proliferation…. Any solutions??

From IIW

Session Topic: Mobile SSO?

Wednesday 3C

Convener: Craig Forster

Notes-taker(s): Craig Forster

Tags for the session - technology discussed/ideas considered: sso, android, ios, passwords, mobile

We had a small but interested group discussing some of the challenges around mobile devices and how the solutions for web SSO aren’t possible in the mobile space.

There was an interesting discussion around how entering complicated, and therefore good, passwords on mobile devices is a terrible experience. Over-loading the password reset experience, where a OTP embedded in a link is sent to the email account, was discussed as one option. The issues with this approach were discussed, and how there are similar issues to delegating to the Facebook app but leaving that logged in.

The simplicity required of any given solution was highlighted, due to the issues with typing good passwords on tiny keyboards. NFC was highlighted as a possible solution, as was some of the work from other attendees (OneID etc).

A gentlemen from Pomcor highlighted his work which was presented yesterday around cryptographic solutions to authentication via mobile devices.

The discussion shifted to possible solutions using mobile SSO using current device platforms. We had no-one familiar with iOS in the group, but there was some familiarity with the AccountManager API on Android so a brief overview was given.

The keychain on iOS was mentioned but no-one was familiar with it.

The work about redirecting to the mobile browser then back to the app in order to achieve SSO that was presented in the first session of the day was also briefly discussed. The key security hole is that the redirects aren’t secure – this is one technique from Web SSO that doesn’t translate to mobile devices.

The need for a secure IPC mechanism on mobile devices was discussed. With this, one could use a web-based SSO mechanism and pass a token to the mobile app. As it stands today, that’s not possible.