The user authentication process is an integral part of mobile app security. Well-designed authentication flows allow developers to ensure that third parties will not get access to the user’s data stored within the app.
The authentication process can be based on secret codes created by a user (e.g., passwords and PINs), one-time passwords sent via SMS, hardware tokens, or biometric characteristics (e.g., fingerprint). Users need to complete authentication in order to confirm their identity and get access to the chosen mobile app.
Two Types of Login Flows
There are two basic types of login flows. The first type is called “native login flow”. As you can guess from its name, users are required to submit a login and password using the “native” app (the system doesn’t redirect users to the web browser). The key benefit of this flow type is that it delivers a smooth user experience.
The second type of login flow is called “web-based login flow”. This flow is more complex: when users open an app, the system redirects them to a web login page. The main disadvantage of this approach is that it may disturb the user experience. Despite this disadvantage, most developers choose this approach over native login flow because it offers higher security.
The web-based login flow makes it possible to strengthen protection against runtime repackaging attacks and to add multifactor authentication. In some industries, an extra authentication factor is required by law. For instance, healthcare apps need to use multifactor authentication to comply with the Health Insurance Portability and Accountability Act. In addition, financial mobile apps must comply with the Payment Card Industry Data Security Standard.
Twelve-Factor Mobile Apps: 3 Basic Rules to Follow
When developers opt for a web-based approach and use a twelve-factor mobile app, they do the following:
- Avoid using Android WebView, or any other embedded web window, to display the web login page. Instead, use a mobile browser app such as iOS Safari or Chrome to ensure better security.
- Use Proof Key for Code Exchange (PKCE), or iOS Universal Links/Android App Links, to mitigate authorization code interception attacks.
- Use the OAuth 2 Authorization Code flow to obtain access to protected resources, such as web APIs.
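The following is an added example, not code from the original article, showing how the second and third rules fit together: the app creates a PKCE code verifier, sends the S256 challenge with the OAuth 2 authorization request, and then proves possession of the verifier when it exchanges the authorization code for tokens. The authorization server is a constructed in-memory stand-in, and the endpoint, client id and redirect URI are assumed values; the point it demonstrates is that an intercepted authorization code is useless without the verifier that never left the app.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; base64url of 32 random bytes is 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """URL the app hands to the system browser (never to an embedded WebView)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Constructed in-memory authorization server; real servers persist this state."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        """Simulate the user approving the request and returns the authorization code."""
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("S256 PKCE is required for public (mobile) clients")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0])
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str):
        """Token endpoint: the code is single-use and must be bound to the original request."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        expected_client, expected_redirect, challenge = entry
        if client_id != expected_client or redirect_uri != expected_redirect:
            return None
        # Whoever holds the code must also hold the verifier that produced the challenge.
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


# Assumed values for the walkthrough; substitute the real authorization server's.
AUTHORIZE_ENDPOINT = "https://login.example.com/oauth/authorize"
CLIENT_ID = "mobile-app"
REDIRECT_URI = "https://app.example.com/callback"  # claimed via App Links / Universal Links


def run_flow(server: ToyAuthorizationServer, present_verifier: bool = True):
    """Runs one authorization code + PKCE exchange; returns the token response or None."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(AUTHORIZE_ENDPOINT, CLIENT_ID, REDIRECT_URI,
                                  "openid profile", state, make_code_challenge(verifier))
    code = server.authorize(url)  # in reality: delivered back to the app via the redirect
    # An app that intercepted the code but not the verifier can only guess at one.
    presented = verifier if present_verifier else make_code_verifier()
    return server.token(code, CLIENT_ID, REDIRECT_URI, presented)


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print("legitimate app:", run_flow(srv) is not None)
    print("intercepted code only:", run_flow(srv, present_verifier=False) is not None)
```

The `state` parameter is carried through unchanged here; a production client also compares it against the value it sent before accepting the redirect.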
Since the mobile application market is developing fast, it has become clear that developers can compromise neither user experience nor app security. Looking for the best possible solution, experts designed the Hypermedia Authentication API, a new approach that combines the advantages of both login flow types discussed above. The Hypermedia Authentication API significantly improves the user flow while also providing top-level security and flexibility.
This standard hasn’t been widely recognized yet, but it has proved effective and is definitely worth trying out. It’s important to note that the twelve-factor mobile app is compatible with this new standard.
Token Management
When we talk about the twelve-factor mobile app, we talk primarily about two types of tokens: short-lived access tokens and long-lived refresh tokens. To protect the mobile app from attackers and sudden data loss, it’s vital to ensure that tokens can be canceled (revoked) at any time. Every time the user logs out of the mobile application, the system revokes the session’s tokens so that protected resources no longer accept them.
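As an added example, not code from the article, the toy token service below shows what the paragraph describes: short-lived access tokens that expire on their own, long-lived refresh tokens that are rotated on each use, and a logout that revokes the whole session so that both token types are rejected immediately. The service keeps state in memory and takes an injectable clock so expiry can be exercised deterministically; token lifetimes and the `ManualClock` helper are constructed for this example.

```python
import secrets
import time
from dataclasses import dataclass, field


class ManualClock:
    """Constructed clock so expiry can be tested without sleeping."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


@dataclass
class Session:
    subject: str
    access_tokens: set = field(default_factory=set)
    refresh_token: str = ""
    revoked: bool = False


class TokenService:
    """In-memory stand-in for the authorization server's token store (example only)."""

    def __init__(self, access_ttl: int = 300, refresh_ttl: int = 30 * 24 * 3600, clock=time.time):
        self.access_ttl = access_ttl      # access tokens: minutes
        self.refresh_ttl = refresh_ttl    # refresh tokens: days
        self.clock = clock
        self._sessions = {}   # session id -> Session
        self._access = {}     # access token -> (session id, expiry)
        self._refresh = {}    # refresh token -> (session id, expiry)

    def login(self, subject: str):
        """Called after authentication succeeds; returns (access_token, refresh_token)."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(subject=subject)
        return self._mint(sid)

    def _mint(self, sid: str):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (sid, now + self.access_ttl)
        self._refresh[refresh] = (sid, now + self.refresh_ttl)
        sess = self._sessions[sid]
        sess.access_tokens.add(access)
        sess.refresh_token = refresh
        return access, refresh

    def introspect(self, access: str):
        """What a protected resource asks: returns the subject if the token is live, else None."""
        entry = self._access.get(access)
        if entry is None:
            return None
        sid, exp = entry
        sess = self._sessions[sid]
        if sess.revoked or self.clock() >= exp:
            return None
        return sess.subject

    def refresh(self, refresh: str):
        """Single-use refresh: the presented token is retired and a new pair is issued."""
        entry = self._refresh.pop(refresh, None)
        if entry is None:
            return None
        sid, exp = entry
        sess = self._sessions[sid]
        if sess.revoked or self.clock() >= exp:
            return None
        return self._mint(sid)

    def logout(self, access: str) -> bool:
        """Revoke the whole session behind this access token, including its refresh token."""
        entry = self._access.get(access)
        if entry is None:
            return False
        sid, _ = entry
        sess = self._sessions[sid]
        sess.revoked = True
        for tok in sess.access_tokens:
            self._access.pop(tok, None)
        self._refresh.pop(sess.refresh_token, None)
        return True


if __name__ == "__main__":
    clock = ManualClock(1_000_000)
    svc = TokenService(clock=clock)
    a, r = svc.login("alice")
    print("before logout:", svc.introspect(a))
    svc.logout(a)
    print("after logout:", svc.introspect(a), svc.refresh(r))
```

Because `introspect` checks the session's revoked flag rather than only the token's expiry, a logout takes effect at once even though the access token has not yet expired; the refresh token is deleted outright so it cannot be used to mint a replacement.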
Biometric Authentication
Among other things, the twelve-factor mobile app also enables biometric authentication. It allows users to log into the app using fingerprint scans, voice commands, or Face ID.
Most users prefer biometric authentication over other options. Why? People tend to forget their passwords or reuse one password across many different accounts, putting their sensitive data at risk. For this reason, users find it easier and more secure to log in with their fingerprints rather than with passwords and PINs. Thus, biometric authentication reduces the risk of personal data breaches while improving user engagement.