Mobile Authentication Done Right: Secure Single Sign-On for Mobile Apps
*This post originally appeared on the MobileIron blog prior to the acquisition in December 2020, when MobileIron became part of Ivanti.*
Cloud apps are winning the enterprise. 86% of employees in CCS Insight's Employee Mobile Technology Survey use mobile apps for work, and the majority of these apps are cloud-based. Native mobile apps - not mobile browsers - are the primary way employees access mobile enterprise cloud services like Box, G Suite, Office 365, and Salesforce. Employees choose mobile apps for work because of the exceptional design and user experience. Purpose-built for productivity, a few swipes and clicks are all it takes to get stuff done via mobile apps. One great example is the Concur expense management app. Concur makes it extremely simple to take a photo of your receipts and, with a few clicks, submit an expense report. No more scanning and uploading receipts. Good for employee productivity; great for employee happiness.
The App-to-Cloud Security Gap
Enterprises embracing mobile and cloud services expect the same security and single sign-on capabilities to work for their native mobile apps as for web apps accessed from a PC. However, the sandbox architecture of mobile apps prevents traditional SSO techniques from working effectively. For example, authentication tokens cannot be shared between mobile apps unless the apps are written by the same organization.
As a result, if an organization uses the Box app, Concur app, Outlook app, and Salesforce app, employees would need to provide the same credentials every time they logged into each app. To make matters worse, the smaller mobile form factor combined with increasingly complex password policies set by IT means that employees can easily fat-finger their passwords and potentially lock themselves out of the applications. Productivity fail.
This is understandably frustrating for users but also for IT; think of all the help desk tickets, wasted time, and lost productivity that occurs when you can’t get to the information you need when you need it. This leads employees to bypass IT, and find their own apps and services - hello, Shadow IT.
Shadow IT, fuelled by the consumerization of technology, has for the first time taken control away from IT and put the end user in the driver's seat. While this shift in control has increased anywhere, anytime productivity, it has created a new security gap. At MobileIron we have coined a term for this: the app-to-cloud security gap. A consequence of Shadow IT, the app-to-cloud security gap results when employees download corporate data onto unsecured devices or store it in cloud apps outside of IT’s protection.
Enterprises need three things to combat the app-to-cloud security gap: 1) device trust, 2) app trust, and 3) user trust. We released MobileIron Access in April to ensure that only trusted devices and trusted apps with trusted users are allowed to access corporate information.
Introducing secure SSO for native mobile apps
MobileIron Access solves the mobile app-to-cloud security challenge using:
- MobileIron EMM to establish device trust - device trust is essential to keep cloud data from being stored on unregistered, insecure or non-compliant devices.
- MobileIron Tunnel to establish app trust - app trust is essential to keep cloud data from wandering away, be it via unmanaged native mobile apps or 3rd-party cloud services. This is a very nuanced scenario and requires us to consider two specific risks:
  - Sloppy Apps - this is simply an IT-approved app, say Microsoft Word, being downloaded from the personal app store instead of the enterprise app store. Because the app was downloaded from the public app store, IT has no control over the app or the data within it.
  - Parasite Apps - this is the case when a user connects a 3rd-party cloud service to a corporate cloud service like Salesforce. Salesforce has a booming ecosystem of apps and services that use Salesforce APIs to provide users with custom apps and experiences. One wrong decision by a user and all of your Salesforce data ends up in malicious hands.
- Integrations with IdPs to establish user trust - to make sure only your users are getting access to the information they are entitled to.
Device and application trust is delivered using MobileIron enterprise mobility management (EMM) and MobileIron Tunnel, our per-app VPN solution. Employee trust is delivered by integrating with an enterprise’s Identity Provider (IdP).
MobileIron Access brings together information from the MobileIron platform and the IdP to provide a comprehensive solution to the mobile app-to-cloud security challenge. With secure SSO for native mobile apps, Access significantly enhances the user experience and improves an organization's security hygiene while enabling user productivity.
Today we launched enhancements to the user trust piece. MobileIron Access today became the first to deliver secure single sign-on (SSO) for native mobile apps. This makes it easier for employees to use their favorite enterprise mobile apps - without requiring them to enter corporate login credentials repeatedly and without requiring developers to wrap apps or make code changes to support SSO.
User trust - better known in technical circles as identity - is a fundamental building block of any security solution. As enterprises prepare to protect data as it moves across a range of secured and unsecured apps and devices, secure SSO for native mobile apps enhances how they can combine identity with device and app posture to make better contextual security decisions.
Secure SSO for native mobile apps builds on years of MobileIron work helping customers simplify the authentication user experience.
Looking Under the Hood
So, how does MobileIron Access with secure SSO for native mobile apps work?
Step 1: At device registration, MobileIron delivers an identity certificate and specific configurations for MobileIron Tunnel (per app VPN). This is key to establishing device and app trust.
Step 2: At app launch, the identity certificate provisioned at enrollment is presented to MobileIron Access.
Step 3: At this point, instead of handing off the authentication request to the IdP and prompting the user for credentials, Access uses the secure identity certificate to generate an SSO token for the specific cloud service.
Step 4: The user has secure access to cloud information on a known device via a secured app.
Remediation: If the user attempts to access cloud services via a non-compliant device or insecure app, they are presented with a customized remediation screen that walks them through the steps required to properly secure their devices and apps - no helpdesk intervention required!
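To make the flow in Steps 2 through 4 and the remediation branch concrete, here is an added simulation in Python; it is not MobileIron's code, and the device registry, certificate bytes, signing key, app identifiers and the HMAC-signed token format are all constructed assumptions standing in for the real EMM, Tunnel and Access components.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: what an EMM registry might hold after enrollment,
# keyed by the SHA-256 fingerprint of the identity certificate it delivered.
SIGNING_KEY = b"constructed-demo-key"  # assumption: Access's token-signing secret
DEVICES = {
    hashlib.sha256(b"cert-device-A").hexdigest(): {
        "user": "alice@example.com", "compliant": True,
        "trusted_apps": {"com.example.salesforce", "com.example.box"}},
    hashlib.sha256(b"cert-device-B").hexdigest(): {
        "user": "bob@example.com", "compliant": False,  # failed posture check
        "trusted_apps": {"com.example.salesforce"}},
}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_sso_token(cert_der, app_id, service, now=None):
    """Steps 2-4: map the presented certificate to device and app trust, then
    mint a short-lived token for one cloud service. Returns ("token", token)
    or ("remediate", reasons) for the remediation screen."""
    now = int(time.time()) if now is None else now
    dev = DEVICES.get(hashlib.sha256(cert_der).hexdigest())
    if dev is None:  # unknown certificate: no device trust at all
        return "remediate", ["device not registered"]
    reasons = []
    if not dev["compliant"]:
        reasons.append("device out of compliance")
    if app_id not in dev["trusted_apps"]:
        reasons.append("app not managed by EMM")
    if reasons:
        return "remediate", reasons
    claims = {"sub": dev["user"], "aud": service, "iat": now, "exp": now + 300}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return "token", f"{body}.{sig}"

def verify_sso_token(token, service, now=None):
    """Cloud-service side: check signature, audience and expiry; return the
    user identity, or None if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != service or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]
```

The token is bound to one audience and expires in five minutes, so a token minted for Salesforce is rejected by Box and a stale token is rejected everywhere; the remediation reasons are what a real product would render on the self-service screen.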
This secure SSO experience can be applied to any native mobile application secured by MobileIron Access. IT gets the security it wants and employees get the experience they want, a win-win situation.