Suddenly, corporations can no longer ignore next-generation smartphones and tablets. Unfortunately, the use of these devices for accessing enterprise and cloud applications is exposing businesses to new risks. CIOs are now asking themselves, “How do I allow my workforce to use their personal mobile devices to safely access enterprise data based on their existing corporate identities and roles?”
There are two broad categories of mobile applications to be addressed: web applications, those accessed through the mobile browser; and native applications, those downloaded and installed to the device.
If your applications, web pages or APIs are not accessible from a home computer without a VPN, they won't be accessible from a mobile device without a VPN. While generally not a concern for cloud applications, like Salesforce.com or Google Apps, this is an issue when an organization is being asked to make internal applications accessible to mobile devices.
Given the challenges of entering text on a mobile device, single sign-on becomes especially relevant. Federated identity (using standards like SAML, OpenID and OAuth) allows an organization to leverage its existing identity infrastructure, such as Active Directory, for use with mobile devices and cloud applications.
The user's authentication and authorization experience should be consistent across both web and native mobile applications. Users become confused when they are expected to use different credentials, or a different “login ceremony”, depending on the application model, especially when they are accessing the same application through both.
What happens when an employee loses their phone? If passwords are left cached on the phone, the organization's data is put at risk. Using OAuth in combination with SSO allows seamless access without caching passwords: the device holds only a revocable access token, so a lost phone can be cut off at the server without the password ever having been stored on it.
Phishing is becoming a major problem for cloud services and is not diminished when using mobile applications. The user should be given the chance to recognize and trust the authentication service. This means a mobile browser should be used to authenticate the user, the address bar should be visible, and user passwords should not be collected within the native application itself.
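As an added example (not code from the original article), the following single-process simulation walks through the OAuth authorization-code exchange the previous two paragraphs call for: the native app sends the user to the browser, only the authorization server ever handles the password, the device keeps a revocable access token, and a lost phone is dealt with by revoking tokens rather than changing the password. It goes beyond the article by adding PKCE (the code_challenge/code_verifier pair from RFC 7636), which current native-app OAuth guidance requires; the endpoint URL, client id, redirect URI and user credentials are constructed sample values.

```python
import base64, hashlib, secrets, urllib.parse

def s256(verifier: str) -> str:
    """PKCE S256 challenge: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class AuthorizationServer:
    """Stands in for the organisation's SSO / OAuth authorization server."""
    def __init__(self, users):
        self.users = users    # username -> password (constructed sample data)
        self.codes = {}       # single-use authorization code -> (user, challenge)
        self.tokens = {}      # access token -> user
    def authorize(self, url, username, password):
        # The browser-side login page: the only place the password is handled,
        # at a URL the user can read in the address bar. Hypothetical endpoint.
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("PKCE S256 required for native clients")
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, q["code_challenge"][0])
        return code           # delivered to the app via the redirect URI
    def exchange_code(self, code, code_verifier):
        username, challenge = self.codes.pop(code)   # KeyError if replayed
        if s256(code_verifier) != challenge:
            raise PermissionError("PKCE verifier mismatch")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = username
        return token
    def revoke_user(self, username):
        # Lost phone: revoke the device's tokens; the password never left the server.
        self.tokens = {t: u for t, u in self.tokens.items() if u != username}
    def whoami(self, token):
        return self.tokens.get(token)     # None once revoked

class NativeApp:
    """Holds a revocable access token; the password never passes through it."""
    def __init__(self, server):
        self.server, self.verifier, self.token = server, secrets.token_urlsafe(32), None
    def authorization_url(self):          # opened in the system browser
        q = {"response_type": "code", "client_id": "mobile-app",
             "redirect_uri": "myapp://callback",
             "code_challenge": s256(self.verifier), "code_challenge_method": "S256"}
        return "https://sso.example.com/authorize?" + urllib.parse.urlencode(q)
    def handle_callback(self, code):      # redirect URI hit with ?code=...
        self.token = self.server.exchange_code(code, self.verifier)
        return self.token
```

In a real deployment the app opens `authorization_url()` in the system browser and receives the code through its registered redirect URI; `authorize()` here stands in for that browser round trip.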