If you have an app where users need to authenticate, you can improve security by adding federated authentication to your app. You can should use OpenID Connect for thatOpenID Connect OpenID Connect as an identity layer. This will allow your client to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user. SURFnet offers a code base you can embed in your code. SAML is not suited for this. Read on to learn more about adding federated authentication in your app.
Best practices of apps and user authentication
The IETF How to setup your user authentication in apps is well documented. Please refer to articles online when you connect to SURFconext. The Internet Engineering Task Force (IETF) has published a list of recommended best practices for security and user experience around use of these specifications in native apps. Please read this Read the Ping Identity blog about it:https://www.pingidentity.com/en/company/blog/2017/08/08/single_sign-on_and_ios_11.html .if you want to know more about this. The Carnegy Mellon CERT also published a blog, https://insights.sei.cmu.edu/cert/2016/08/the-risks-of-google-sign-in-on-ios-devices.html , about what makes a what about good app authentication.
How adding federated authentication improves security
Offering your customers federated authentication the right way means end-users visually only hand off their password to their home organisations (like an institution)organizations, and see a their familiar home-organisation organization login page. Opposed to this are app-developers offering their own in app login page: by doing that, users get more vulnerable to phishing attacks, since they get used to inputting their passwords in all kinds of apps. App-developers offering ‘the right’ way of federated authentication can use this in their sales pitch to prospective new customers!
Ways of adding federated authentication in your app
You have a couple of options to do great authentication in your app. Check out our SSO-Libraries and read more about this:
- SURFnet SURF has build a code-base which you can find at https://github.com/SURFnet/nonweb-ssofilled with libraries that you can use to have federated login to non-web application on platforms like Android and iOS.
- Ping Identity blogged about Google’s AppAuth they donated to the OpenID Foundation:https://www.pingidentity.com/en/company/blog/2016/03/10/using_appauth_to_enable_your_apps_with_mobile_sso.html
- GLUU also GLUU has blogged about Google’s AppAuth initiative: https://www.gluu.org/blog/webviews-are-bad-use-appauth/
But my own in app login page looks far better!
One of the most heard objectives to ‘doing login right’ is : that the user-flow /or user-experience is worse than when I you just offer 2 input fields , one for a userid user id and another for a password. This is true. But why do you think might be true but realize that companies like Google and , Facebook , and IETF, and the Internet Engineering Task Force use and recommend the ‘right’ way? Because helping this simply because this helps keeping the end user stay secure is more important!which is of the utmost importance.
More information
We blogged about the SURFnet-SDK: https://blog.surf.nl/en/federated-login-to-native-applications-sdk/
...
our SURF software development kits to have federated login to native applications (the right way)
Questions
If you want more information, please email Raoul.teeuwen@surfnet.nl or contact us at support@surfconext.nl.