Practical out-of-band authentication for mobile applications

Mobile devices create new opportunities and challenges for authentication. On one hand, the readily available sensors provide new sources of authentication credentials, such as biometrics and device context. On the other hand, mobile applications rely on network services to create rich functionality, which often requires protection of sensitive data. Requiring each mobile application developer to support a wide range of authentication protocols and techniques makes the adoption of new authentication technologies an intractable challenge. In this paper, we propose a flexible framework that provides an out-of-band authentication channel for mobile applications. The framework allows applications to delegate authentication to an independent security service on the client that, in turn, supports an extensible range of authentication protocols. Importantly, the approach presented in this paper does not require any modification of the underlying system, and therefore needs no support from the operating system or hardware vendor. Our server-driven approach supports administering and enabling new authentication techniques and security policies with minimal or no client application modifications. We show the viability of our design by building a framework prototype and integrating it with a representative authentication system built in-house. We also discuss the security and non-security challenges of realizing this approach.