The old trope of 'something you know, something you have and something you are' has served as a useful model for distinguishing authentication mechanisms. Historically, the 'what you know' of passwords has dominated - with associated security issues, from phishing to countless breaches of password stores. Reflecting their security issues, the trend today is away from passwords to the 'what you have' of mobile phones - either acting as a second factor to traditional password-based schemes, or replacing passwords completely.
A smart phone is effectively a powerful portable computer, with the following important features relevant to authentication:
Connectivity. Mobile devices are, by definition, connected, which supports authentication schemes in which a challenge is sent over the network to the device, for example via an SMS message or through the mobile operating system's (OS) push notification infrastructure. The channel matters: SMS is the weakest of these, since messages can be intercepted or redirected (for instance through SIM swapping), whereas a push notification is delivered to a specific application on a specific enrolled device.
Processing power. This allows for on-board computations, in support of cryptography and so on.
User interface. The screen and touch input let the device prompt the user to enter credentials, approve or deny a request, or read off a one-time code.
Secure storage. Secure storage holds the identifiers, secrets and credentials used in authentication schemes. Where it is hardware-backed, a private key can be used on the device but not exported from it, so a copied application or backup does not carry the credential with it.
Biometrics. Increasingly, devices have hardware that can check a biometric of the user, for example a fingerprint or retina scan, so the device itself can verify who is holding it before releasing a credential.
Single user. Devices are typically associated with a single user. Consequently, authentication of the device can serve as a proxy for authentication of the user of that device, provided the device itself is locked to that user (by PIN, pattern or biometric).
Different mobile-based authentication schemes leverage these features in different ways. For instance, PingID™ is a mobile-based authentication scheme that authenticates users by sending a challenge to an application installed on that user's previously registered device through Google Cloud Messaging for Android™ or Apple Push Notification Services. Upon receipt, the user simply swipes their screen to answer the challenge.
A different mobile-based authentication model is being standardized by the FIDO™ (Fast Identity Online) Alliance. The FIDO specifications standardize a model that leverages the emerging biometric capabilities of devices. In the FIDO model, the user authenticates to the device through a biometric check, which serves to unlock a cryptographic key that is then used to authenticate to the server. The biometric itself never leaves the device; the server only ever sees a signed challenge, which it verifies against the public key registered for that device at enrolment.
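Both schemes above rest on the same challenge-response pattern, shown here as an added example written for this page (it is not PingID or FIDO implementation code): the server pushes a random, short-lived challenge to an enrolled device; the device signs it only after its local biometric check passes; the server verifies the signature against the public key registered at enrolment and consumes the challenge so it cannot be replayed. The relying-party name, user and device identifiers are hypothetical, and the biometric check is stood in for by a boolean.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Server-side enrolment record: only the public half of the device's key pair.
type registeredDevice struct {
	userID string
	pubKey ed25519.PublicKey
}

// A challenge: random nonce bound to this relying party, with a short lifetime.
type challenge struct {
	nonce   []byte
	rpID    string
	expires time.Time
}

type authServer struct {
	rpID    string
	devices map[string]registeredDevice // deviceID -> enrolment
	pending map[string]challenge        // string(nonce) -> challenge awaiting a response
}

func newAuthServer(rpID string) *authServer {
	return &authServer{rpID: rpID, devices: map[string]registeredDevice{}, pending: map[string]challenge{}}
}

// issueChallenge produces what the server pushes to the device (APNs/GCM, SMS, ...).
func (s *authServer) issueChallenge(deviceID string, now time.Time) (challenge, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return challenge{}, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return challenge{}, err
	}
	c := challenge{nonce: nonce, rpID: s.rpID, expires: now.Add(60 * time.Second)}
	s.pending[string(nonce)] = c
	return c, nil
}

// signedMessage binds the nonce to the RP identifier, so a signature obtained by a look-alike site cannot be relayed to the real one.
func signedMessage(c challenge) []byte { return append([]byte(c.rpID+"|"), c.nonce...) }

// verify checks a response: the challenge must be one we issued, unexpired and signed by
// the enrolled key. It is consumed on first use, so a captured response cannot be replayed.
func (s *authServer) verify(deviceID string, nonce, sig []byte, now time.Time) (string, error) {
	dev, ok := s.devices[deviceID]
	if !ok {
		return "", errors.New("unknown device")
	}
	c, ok := s.pending[string(nonce)]
	if !ok {
		return "", errors.New("challenge not pending (unknown or already used)")
	}
	delete(s.pending, string(nonce)) // one-time use, even if the checks below fail
	if now.After(c.expires) {
		return "", errors.New("challenge expired")
	}
	if !ed25519.Verify(dev.pubKey, signedMessage(c), sig) {
		return "", errors.New("bad signature")
	}
	return dev.userID, nil
}

// device models the phone's authenticator: a key pair whose private half never leaves the device.
type device struct{ priv ed25519.PrivateKey }

func newDevice() (*device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &device{priv: priv}, pub, nil
}

// respond answers the push. biometricOK stands in for the local biometric check; a FIDO-style authenticator releases its key only when that check passes.
func (d *device) respond(c challenge, biometricOK bool) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New("key locked: biometric check did not pass")
	}
	return ed25519.Sign(d.priv, signedMessage(c)), nil
}

func main() {
	srv := newAuthServer("login.example.com") // hypothetical relying party
	dev, pub, _ := newDevice()
	srv.devices["phone-1"] = registeredDevice{userID: "alice", pubKey: pub} // enrolment
	c, _ := srv.issueChallenge("phone-1", time.Now())
	sig, _ := dev.respond(c, true)
	user, err := srv.verify("phone-1", c.nonce, sig, time.Now())
	fmt.Println(user, err) // alice <nil>
}
```

The points to take from it: the nonce is random and single-use, the signature covers the relying-party identifier as well as the nonce (so a response collected by a look-alike site cannot be relayed), and the device refuses to sign at all until the local check passes, so the server never learns anything about the biometric itself.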
While mobile-based authentication schemes like these can significantly improve the authentication experience for users, performing an explicit authentication for each and every application is still not ideal. Consequently, there is value in combining mobile-based authentication with SSO mechanisms, so that a user's single mobile-based authentication can be leveraged across multiple applications.
Standardized mechanisms for enabling SSO to mobile browser applications are well established. The Security Assertion Markup Language (SAML) enables SSO for a mobile browser in exactly the same form as for a desktop browser. Other web browser SSO protocols exist, such as OpenID® and WS-Federation. More recently, OpenID Connect (Connect) has emerged as a protocol that, because it is built on top of OAuth, can serve both web browsers and native applications.
Both OAuth and Connect can be used to secure native mobile applications (unlike SAML and other web SSO protocols). But neither OAuth nor Connect can, out of the box, enable an SSO experience across native applications, as both presume that the user must separately authenticate to, and authorize, each native application on its own. The Native Applications (NAPPS) working group (WG) in the OpenID Foundation is defining a profile of OpenID Connect that will enable an SSO experience between and across both web and native mobile applications.
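For the native-application case, the concrete thing an app receives from a Connect provider is an ID token, a signed JWT that the app must validate before trusting the identity it carries. The following is an added example, not code from the OpenID Foundation, PingID or any NAPPS profile; it mints a token in the role of the provider and then validates it the way a native app should: pin the signing algorithm, verify the signature with the provider's key, and check issuer, audience, expiry and the nonce the app generated when it started the flow. The issuer URL, client ID, subject and nonce values are hypothetical, and EdDSA is used to keep the block self-contained where production providers typically use RS256 or ES256 with keys fetched from a JWKS endpoint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// The ID token claims a native app checks (OpenID Connect Core, section 3.1.3.7).
// aud is simplified to a single string; the spec also allows an array.
type idClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
}

var b64 = base64.RawURLEncoding

// newOPKey generates the provider's signing key pair (hypothetical; a real
// provider publishes its public keys at its JWKS endpoint).
func newOPKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// mintIDToken plays the provider: serialise the claims as a compact JWS signed
// with EdDSA (RFC 8037). Production providers usually use RS256 or ES256.
func mintIDToken(priv ed25519.PrivateKey, claims idClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// validateIDToken is the native app's side: pin the algorithm, verify the
// signature with the provider key obtained out of band, then check issuer,
// audience, expiry and the nonce the app generated when it started the flow.
func validateIDToken(token string, opKey ed25519.PublicKey, issuer, clientID, expectedNonce string, now time.Time) (idClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return idClaims{}, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return idClaims{}, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	// Never let the header choose the algorithm: accept the configured one and
	// nothing else, which rules out "none" and key-confusion attacks.
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "EdDSA" {
		return idClaims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	if !ed25519.Verify(opKey, []byte(parts[0]+"."+parts[1]), raw[2]) {
		return idClaims{}, errors.New("signature verification failed")
	}
	var claims idClaims
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return idClaims{}, err
	}
	switch {
	case claims.Iss != issuer:
		return idClaims{}, errors.New("issuer mismatch")
	case claims.Aud != clientID:
		return idClaims{}, errors.New("token not issued for this client")
	case !now.Before(time.Unix(claims.Exp, 0)):
		return idClaims{}, errors.New("token expired")
	case claims.Nonce != expectedNonce:
		return idClaims{}, errors.New("nonce mismatch (possible replay)")
	}
	return claims, nil
}

func main() {
	pub, priv := newOPKey()
	now := time.Now()
	tok, _ := mintIDToken(priv, idClaims{Iss: "https://op.example.com", Sub: "alice",
		Aud: "mobile-app-1", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(), Nonce: "n-8f3a"})
	claims, err := validateIDToken(tok, pub, "https://op.example.com", "mobile-app-1", "n-8f3a", now)
	fmt.Println(claims.Sub, err)
}
```

The audience check is what stops a token issued to one application from being presented by another, which is exactly the property that an SSO profile such as NAPPS has to relax deliberately and safely rather than by accident; the nonce check ties the token to the particular authorization request the app started, so a token captured in transit cannot be replayed into a later flow.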
Strong mobile-based authentication and SSO make a powerful combination: SSO amortizes the cost (both usability and economic) of a strong authentication over multiple applications, and mobile-based authentication can actually reduce those costs.