Comment: compacted text, fixed typo

If you have a native mobile app where users need to authenticate, you can improve security by adding federated authentication to your app. If you implement federated authentication, you should use OpenID Connect (on top of OAuth) as an identity layer. This allows your client to verify the identity of the end-user based on the authentication performed by an authorization server, and to obtain basic profile information about the end-user. SURFnet offers a code base you can embed in your code. SAML is not suited for this. Read on to learn more about adding federated authentication in your app.

...

How to set up user authentication in apps is well documented. Please refer to articles online when you connect to SURFconext. The Internet Engineering Task Force (IETF) has published a list of recommended best practices for security and user experience around the use of these specifications in native apps. Read the Ping Identity blog if you want to know more about this. The Carnegie Mellon CERT also published a blog about good app authentication.

How adding federated authentication improves security

...

You have a couple of options to do great authentication in your app. Check out our SSO-Libraries and read more about this:

But my own in app login page looks far better!

One of the most heard objections to ‘doing login right’ is that the user flow or user experience is worse than when you just offer input fields for a user ID and a password. This might be true, but realize that this disadvantage doesn't outweigh the security advantage. Please understand that companies like Google, Facebook and the Internet Engineering Task Force use and recommend 'their way' simply because it helps keep the end user secure, which is of the utmost importance.

...