This document discusses reconciling user experience and security in mobile applications. It explores techniques for user authentication on mobile that can disrupt user experience if not implemented properly. It proposes balancing authentication complexity and frequency to improve user experience without compromising security. The document also examines using biometrics, risk-based authentication, and single sign-on across mobile apps and third-party apps to improve both security and user experience on mobile. It describes components of a solution including API routing, brokering, and protected endpoints to enable secure access to APIs from mobile applications.

1. Reconciling Mobile UX and Security
An API Management Perspective
Francois Lascelles
Chief architect
Layer 7 Technologies
@flascelles

2. Layer 7 Confidential 2
Mobile UX matters
UX
Adoption

3. Layer 7 Confidential 3
Security too
Most Businesses Probably Had a Mobile
Security Incident in the Past Year
Securing corporate information
cited as greatest BYOD challenge
(67%)
THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY: A
SURVEY OF IT PROFESSIONALS
Dimensional research, June 2013
“Securing [data]-to-
mobile is my top
concern”
Everybody, all the timeCompliance

4. Layer 7 Confidential 4
Secure what?
MDM Protect data at-rest
API Man Protect data source / data in-motion
Mobile browser
Any other app
Web
APIs

5. Layer 7 Confidential 5
UX Disruptors
 Key defensive techniques, such as user authentication
disrupt UX
 The impact on user experience is more severe on mobile
devices
 Compounding factors:
- Challenge frequency
- Number of secrets
- Secret complexity

6. Layer 7 Confidential 6
Reconciling UX and Security
Identify
yourself
Show me my
data

7. Layer 7 Confidential 7
Implants?
- Not mobile enough
HSM
NFC

8. Layer 7 Confidential 8
Authentication Context Lifespan
 Shorter token lifespan
- More secure
 Longer token lifespan
- Better UX

9. Layer 7 Confidential 9
Complexity VS Frequency
 Parallel sessions with varying secret complexity
 Risk assessment-determined challenge

10. Layer 7 Confidential 10
Biometrics
 Great alternative to PIN
- Fingerprint, Voice, …
 Client-side unlocking of long-lived auth context
- Client-side policy
 Multi-factor
- API-side validation

11. Layer 7 Confidential 11
Elevated, Risk-Based Authentication
 Stronger security not necessarily
less UX
- Auth only elevated when it
counts most
… (and is expected)

12. Layer 7 Confidential 12
Single sign-on challenge: Mobile App Isolation
 Mobile web
 Mobile apps
User-agent
Webapp 1
Webapp 2
Webapp 3
Cookie domain A
Cookie domain B
Access token 1
APP A
API 1
API 2
API 3
Access token 2
APP B
Access token 3
APP C
(can be different parties)
Domain A
Domain A

13. Layer 7 Confidential 13
Shared Authentication Context
 Client side platforms allow applications within a domain (signed by a
common developer key) to access a common key chain
 This allows them to share an authentication context
App A App B
KC A KC B
App A App B
Shared Key Chain

14. Layer 7 Confidential 14
Standard: Federated access token grants
 App gets an access token in exchange for another token
- SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer]
- JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]
 Let apps leverage authentication context without disturbing UX
Token endpoint
API ProviderClient
App
API Call incl proof of authentication
Get back access token

15. Layer 7 Confidential 15
Mobile App Domain
 Across a group of apps
- Consistent Auth UX
- Single sign-on
 Does not cover „3rd party‟ app

16. Layer 7 Confidential 16
3rd Party Mobile SSO
 Client side redirections and callback
- App register URL scheme to allow switching between apps
- Passing a token in a redirection callback allows an authentication context to be
extended to a 3rd party app
App A App B
openURL AppA://something?callback=AppB://somethingelse
openURL AppB://somethingelse?arg=that_thing_you_need
step 1
step 2

17. Layer 7 Confidential 17
App-to-app redirection limitations, risks
 Un-verified URL schemes opens possibility of “app-in-the-middle” attack
APPLE:
“If more than one third-party app registers to handle
the same URL scheme, there is currently no process
for determining which app will be given that scheme.
”
--link

18. Layer 7 Confidential 18
App Wrapping
 Single sign-on across mobile apps normally requires the active participation of
each app
- Wrapping an app can compensate for a 3rd party app‟s lack of awareness
 Adding a wrapper to an existing app re-signs app and enables access to shared
authentication context
- On the API side, federation still requires active participation or API calls
themselves need be redirected
3rd P
App
App A App B
Auth Context
3rd P API
?

19. Layer 7 Confidential 19
API-Side Brokering
user@corp
 API Broker
- Domain ID <> 3rd party ID
corp@sp
 Federating 3rd party is also be achieved
at API side

20. Layer 7 Confidential 20
Mobile app/API solution components
 API Routing
 API Brokering
 OAuth Endpoints
- Access token
issuing
- OpenID Connect
 Protected endpoints
 Identity infrastructure
 Secure API invocation libs
- User
prompts, redirections
- Handshake
- Share auth context
- Biometrics integration
- PKI/MDM integration
Backend Data/IdentityEdge API/OAuth GWClient-side framework

21. Layer 7 Confidential 21
Enabling Mobile Application Developer
 API discovery
 App registration
 API key
provisioning
 Client side libraries

22. Layer 7 Confidential 22
Layer 7 Mobile Access Gateway
Mobile API Delivery
Access Control, UX
Increased Developer
Velocity
• Secure Mobile Endpoint
• Manage permissions across
users, devices, apps
• Integration, Scaling
• Mobile PKI Provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth,
OpenID Connect,
JWT/JWS/JWE)
• Mobile SDK for iOS and
Android
• Configure, not code
• Form factors, deployment
options
2.0

23. Thank you
For more information:
• http://www.layer7.com/products/mobile-access-gateway
• http://www.layer7.com/solutions/mobile-access-solutions-overview