Why Single Sign-On (SSO) for Mobile Is Important and How to Implement It for BYOD


By David Abbou - Feb-12-2015

As organizations continue evolving in the digital age, they will increasingly look to integrate data-rich mobile applications with mobile devices, empowering their workforce with the ability to add organizational value from any location. As the number of enterprise and consumer apps continues to proliferate, however, businesses are facing technical challenges that, if not overcome, can work against the very productivity benefits their enterprise mobility programs are supposed to enhance. Enter one of today’s most pressing mobility priorities – password management. This challenge is already on the front burner for corporations in many industries. As access to more corporate data is needed by professionals, IT must figure out how to simplify authentication processes. Creating and implementing a secure Single Sign-On (SSO) process is becoming another must-have, but the complexity of this challenge is causing too many enterprises to delay tackling this issue head-on.

But analysis paralysis costs organizations time, money and valuable IT resources. Requiring users to undergo separate log-in and authentication processes per mobile app creates several significant issues that span both sides of the employee – IT security spectrum:

1. Workflow disruptions and hampered productivity

Time is money. Having to remember multiple passwords or re-entering the same password multiple times to access the enterprise apps equals too much time being spent on menial sign-on processes, contradicting all the time-saving benefits mobility is supposed to produce. Users (aka people in general) have proven to be notoriously inefficient at creating and remembering multiple passwords with any degree of reliability. The tediousness of it all leads to the next major issue…

2. Deters users from using enterprise apps altogether

This one is not rocket science. No matter how impressive a product you may produce, not nearly enough people are buying if you don’t make the experience a comfortable one. The same is true for enterprise apps. Unlike desktops or laptops, touchscreen functionality makes typing passwords on smartphones much slower and less user-friendly. Not the end of the world if you’re typing a password once or twice, but definitely a nuisance if you need to re-enter it several times in one workday. This results in too many users resorting to ad hoc methods of getting their work done. This circumvents security policy and undermines the potential that can be accomplished by everyone using a uniform platform to transmit and share data. But it’s not just users who feel the migraine. If they’re feeling the stress, you can be sure it will be projected onto IT…

3. Burdens IT with troubleshooting user errors and managing multiple user IDs

Still don’t have an SSO process in place? I have one question for you: How big is your Help Desk?! The preventable traffic directed towards your IT staff to satisfy forgotten passwords and reset requests affects both the quantity and quality of their own performance. It’s safe to say their resources would be best allocated elsewhere. Another significant load levied on IT administrators is the need to handle multiple user identities and create separate credential directories for each app. And that’s not even including the time spent on password security vulnerabilities…

4. Multiple passwords open the door for hackers to enter your network

Hackers are keenly aware of the opportunity that password processes offer them, and the more inefficient these processes are, the better for them. Keylogger malware or keyboard capturing is a very prevalent attack method where the user’s keystrokes are recorded by the intruder. This is often used to capture passwords and access enterprise apps where valuable data can be stolen. But mobile apps and device data are just the beginning. The captured credentials can also be used to log in and attack network resources behind your organization’s firewall.

How to implement an SSO process

The mission then is clear: implement an SSO process that lets users access multiple apps and services by logging in just once. But this project doesn’t have to become a ‘Mission Impossible’ if planned with the right components. Here are the must-have ingredients:

1. Central authentication platform

First, you’ll need one centralized platform to handle identity management and deliver mobile app access to all of the different BYOD devices in your network. This is necessary so that users will log in to this platform only once and have their credentials authenticated and approved.

2. Authenticate device passcodes, not domain passwords

All BYOD users should be required to use a passcode on their devices, and this is directly related to how mobile security threats such as keyboard logging, phishing and man-in-the-middle (MITM) attacks intercept passwords. You can’t always control if a password can be compromised within a mobile device, but you can control how far that password will take the intruder. Using device passcodes in tandem with a One-time Password system is much more user-friendly and prevents many of these security threats.

3. One-time Password (OTP)

OTP systems also help prevent the above-mentioned attacks and other hack techniques by ensuring that a unique and temporary password is used only once – each time a user logs into a session. Using this method in addition to smartphone passcodes goes a long way towards strengthening the authentication process.
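The single-use property described above, as an added example (not code from the original article): a time-based OTP check following RFC 4226/6238 that refuses a code once it has been consumed. The class name `OtpVerifier`, the 30-second step, the 6-digit length and the RFC test secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumption)
DIGITS = 6   # code length (assumption)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class OtpVerifier:
    """Hypothetical server-side check: each code is accepted at most once."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window   # time steps of clock drift tolerated
        self.last_step = -1    # newest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # this step or a newer one was already used: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test secret, not a real key
    server = OtpVerifier(secret)
    code = hotp(secret, 59 // STEP)    # what the user's token shows at t=59s
    print(server.verify(code, now=59))   # first use
    print(server.verify(code, now=61))   # captured code replayed
    print(server.verify(code, now=200))  # same code long after its window
```

A keylogger that captures this code gains nothing reusable: the second and third calls are rejected even though the digits are correct for the original time step.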


Access to the network needs to be granted through your corporate VPN first. This is more secure and works well in combination with an OTP system. An SSL VPN will let you grant users access to specific apps they are approved for.

5. Enterprise Authentication Standards

Typically, the go-to authentication protocol has been Kerberos, which allows users to log in once within a LAN, a domain or from a mobile device. Users request encrypted session keys/tickets to access network resources, instead of keying in their password. These tickets are typically time-stamped, helping reduce the risk of eavesdropping and replay attacks. While Kerberos has worked very effectively for PCs and laptops, it can be much more problematic when extended to mobile devices. A popular alternative is SAML 2.0, an open, XML-based protocol that enables the creation and use of a security token that can be used to log into multiple apps. This facilitates cross-domain SSO processes and allows users to log in using existing IDs, such as Facebook or Google credentials.
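Like a Kerberos ticket, a SAML 2.0 assertion carries a validity window, and it also names the app it was issued for. The following added example (not from the original article) shows the condition checks a receiving app applies to such a token; the sample assertion, the URLs and the function names are constructed for illustration, and signature verification is assumed to have been done by a SAML library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(seconds=60)   # tolerated clock drift (assumption)

# Constructed sample. A real assertion is signed; verify the signature with
# a SAML library (and parse with a hardened XML parser) before these checks.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2015-02-12T10:00:00Z" Version="2.0">
  <saml:Conditions NotBefore="2015-02-12T10:00:00Z"
                   NotOnOrAfter="2015-02-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(value):
    """Parse a UTC timestamp in the form used by the sample assertion."""
    stamp = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc)

def check_conditions(xml_text, my_audience, now, seen_ids):
    """Return reasons to reject the assertion; an empty list means accept."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["missing Conditions"]
    problems = []
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + SKEW < parse_time(not_before):
        problems.append("not yet valid")
    if not not_after:
        problems.append("no expiry")      # strict policy: require a window
    elif now - SKEW >= parse_time(not_after):
        problems.append("expired")
    audiences = [a.text.strip()
                 for a in cond.findall(".//saml:Audience", NS) if a.text]
    if my_audience not in audiences:      # token minted for a different app
        problems.append("wrong audience")
    if root.get("ID") in seen_ids:        # same token presented twice
        problems.append("replayed")
    elif not problems:
        seen_ids.add(root.get("ID"))
    return problems
```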

6. Consider your Security Architecture

Integrating SSO for mobile devices is going to become the standard going forward. So it’s important to consider in which way this can be achieved most smoothly and securely. You need a solution that can support the various mobile devices, each version of each accompanying OS, and the variety of enterprise apps and SaaS tools that you need to provide to your users. One technology that complements all of these requirements effectively is Virtual Mobile Infrastructure (VMI). Under VMI architecture, a centralized mobile platform situated on a remote server runs a mobile OS which supports all mobile OS versions and devices. This is where all of the apps and network services your enterprise needs to deliver to mobile devices are stored. In light of this, enterprise IT can manage SSO and password management from a much more controlled environment. A reflected image of the apps is transferred to devices using a remote display protocol. OTP systems and all other authentication details are not exposed to mobile devices, neutralizing many of the security risks that mobile devices have introduced to your network.