Mobile IAM: Five priorities for enterprise mobile app developers

By Jonathan Hassell

Security is always an important consideration for any developer. In order for apps to be fully secure, enterprises must control how and when users can engage with these programs. It’s particularly important for brands to monitor the specific features that different users are able to access. These considerations fall under mobile identity and access management, or mobile IAM, a field that continues to grow and change over time. In fact, InformationWeek named IAM one of the five IT infrastructure trends worth watching in 2016.

So how can enterprise mobile applications integrate mobile IAM capabilities and drive compliance with company mobile security policies? Here are five key steps that brands and app developers should consider:

Use single sign-on (SSO)

One of the best ways to enforce and manage an identity lifecycle is to embrace single sign-on technologies, which require users to authenticate only once, to a central point. After that, apps can use tokens and federation to pass security information along for the user in a seamless, transparent manner. This method encourages users to choose strong passwords and to engage with your app more fully. SSO technology lets you control identity and security in one place, without having to enable and disable accounts in the variety of security databases that your apps might use. Enterprise mobile app developers should also plug their apps into the company’s SSO system.

Embrace two-factor authentication

Two-factor authentication considerably increases the overall security profile of an app because it requires both something the user knows (the password) and something the user receives from the program itself (a one-time code you can send by text, e-mail or push notification). Unless a hacker has access to the device that receives the one-time code, it’s unlikely that he or she would be able to crack the account used to log in to an app that enables two-factor authentication. So, in effect, this type of authentication reduces the attack surface to scenarios in which a hacker gains access to a user’s device and then uses password brute-force attacks. As time goes on, more mobile app development platforms are supporting easy integration of two-factor authentication.

Take advantage of device-specific features

Your mobile IAM solution can rely on more than just accounts, user names and passwords. After all, there are now a couple of different device platforms that offer specific security features that apps can use. These features have started to extend to scenarios that involve mobile payments at stores, online cart checkouts and in-app purchases. As such, it’s important for enterprise mobile app developers to understand their target device’s capabilities so they can build security on the hardware features that those particular devices offer. By incorporating these features, you can help to ensure that users trust the security measures and will stick with them, as they are already familiar with their devices and have used the inherent security features in other apps and scenarios.

Integrate authorization and access roles for certain app features

It’s likely that some of your app’s functions are more generalized while other feature areas should require further authorization. For example, finding bank branch locations and applying for an account should involve a different level of security than making a wire transfer or requesting a credit card. As such, you should consider adopting a role-based approach, which will allow you to require further authentication and authorization to access certain sensitive parts of your app. By providing these types of security measures, you can attract more users. Furthermore, you can maintain the integrity of your business’s security while preserving a single code base for your efforts. You won’t have to develop multiple separate apps for sensitive purposes.
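The role-based, step-up approach described above, written out as an added example (not code from the article): each feature is mapped to a minimum authentication assurance level, an optional role, and a freshness limit, so low-risk features stay open while money movement demands the right role, a second factor and a recent login. The feature names, `Assurance` levels and the 300-second window are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
import time

class Assurance(IntEnum):
    """How strongly the current session was authenticated."""
    NONE = 0         # anonymous, not signed in
    PASSWORD = 1     # something the user knows
    TWO_FACTOR = 2   # password plus a one-time code delivered to the device

@dataclass
class Session:
    user: str
    roles: frozenset
    assurance: Assurance
    authenticated_at: float   # when the strongest factor was last presented

@dataclass(frozen=True)
class FeaturePolicy:
    min_assurance: Assurance
    roles: frozenset = frozenset()    # empty means any caller meeting the assurance level
    max_age: float = float("inf")     # seconds since authenticated_at before a fresh login is demanded

# Constructed policy table (hypothetical feature names) mirroring the banking example.
POLICIES = {
    "branch_locator": FeaturePolicy(Assurance.NONE),
    "open_account":   FeaturePolicy(Assurance.PASSWORD),
    "wire_transfer":  FeaturePolicy(Assurance.TWO_FACTOR, frozenset({"account_holder"}), max_age=300),
    "request_card":   FeaturePolicy(Assurance.TWO_FACTOR, frozenset({"account_holder"})),
}

def authorize(session, feature, now=None):
    """Return (allowed, reason); reason tells the app which prompt to show next."""
    now = time.time() if now is None else now
    policy = POLICIES.get(feature)
    if policy is None:
        return False, "unknown_feature"      # fail closed on unmapped features
    if policy.roles and not (policy.roles & session.roles):
        return False, "forbidden"            # wrong role: no amount of step-up helps
    if session.assurance < policy.min_assurance:
        return False, "step_up_required"     # ask for the one-time code, then retry
    if now - session.authenticated_at > policy.max_age:
        return False, "reauthenticate"       # second factor is too old for this action
    return True, "ok"
```

The role check runs before the assurance check so that a user who can never perform the action is not prompted for a second factor in vain.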

Implement identity lifecycle control

One of the biggest issues in mobile IAM today is determining what to do in cases when user credentials should be expired. This particular concern comes into play in instances that involve a lost device, a forgotten password, an employee’s termination or the end of a contractor’s business relationship with an organization.

Mobile app developers must clearly understand the security implications of caching credentials and storing tokens within an app’s storage space on a device. They must strike a balance between continuing to allow a user access to an app after his or her access should have been revoked, and continually attempting to re-authenticate and re-authorize a user. This balance is particularly important in scenarios that involve connection challenges.
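The caching trade-off above, as an added example (not the article’s code): a cached token is honoured offline only within a bounded grace window and is re-checked against the identity provider whenever a connection exists, so a user whose access was revoked is cut off at the next online check rather than for the token’s whole lifetime. `IdentityProvider`, `decide` and the four-hour grace value are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class CachedToken:
    user: str
    expires_at: float      # hard lifetime set by the identity provider
    last_validated: float  # last time the provider confirmed this token while online

class IdentityProvider:
    """Stand-in for the company's SSO service; it knows which users have been cut off."""
    def __init__(self):
        self.revoked = set()

    def revoke(self, user):
        # lost device, password reset, termination, contract ended
        self.revoked.add(user)

    def validate(self, token, now):
        return token.user not in self.revoked and now < token.expires_at

# Constructed value: how long the app keeps trusting a cached token without an online check.
OFFLINE_GRACE = 4 * 3600

def decide(token, idp, online, now):
    """Return 'use' or 'reauthenticate' for a cached token.
    On 'reauthenticate' the app should purge the cached token and prompt the user."""
    if token is None or now >= token.expires_at:
        return "reauthenticate"                 # no token, or past its hard expiry
    if online:
        if not idp.validate(token, now):
            return "reauthenticate"             # revoked server-side: stop immediately
        token.last_validated = now              # refresh the offline grace window
        return "use"
    if now - token.last_validated <= OFFLINE_GRACE:
        return "use"                            # brief connectivity gap: keep working
    return "reauthenticate"                     # offline too long to trust the cache
```

The residual risk is the offline window: a user revoked while the device cannot reach the provider keeps access until the grace period lapses or the app next goes online, so the grace value should be sized to what the app protects.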

Written By

Jonathan Hassell

President, 82 Ventures

Jonathan Hassell runs 82 Ventures, a technical writing and consulting firm based in Charlotte, NC. He centers his focus around network administration, security, the cloud, and mobile technologies.
