The question posed in the title of my presentation at the recent Cloud Identity Summit, "Mobile SSO: Are We There Yet?", was intended to be rhetorical. Of course we're not there yet.
But we are getting closer.
Not long before CIS, new features were announced on both iOS and Android that, in time, will likely become the de facto way of facilitating web-based authentication and authorization for native applications while also improving security and usability. My esteemed colleague, Dr. Paul Madsen (whose CIS session was not quite as well attended as mine), gave a nice overview of the new mobile OS features in his recent post about Mobile OS Developments & Native Application Authentication.
The news didn't render my session completely obsolete though. And not just because I spent a lot of time on it! I push for utilizing the system browser on the mobile device for authentication while using OAuth 2.0 and PKCE to integrate with the native application. That approach can really be thought of as an evolutionary step along the way to where the OSs are landing now and remains relevant as the preferred fallback mechanism when those new OS features are unavailable.
I spoke out against a common technique in use today, where an embedded web view is used to facilitate web-based authentication, and the security and usability problems that doing so entails. Hopefully we've turned the corner on that and will start to see its usage decline.
I mention NAPPS.
Of course, no presentation of mine would be complete without some jokes. And there were jokes. Also photographs. The real joke was on me, however, as properly operating the presentation remote proved to be beyond my abilities. Luckily the crowd was patient and, laughing with (at?) me, we got through the 28 minutes together and I don't think too much of my message was lost as a result of my remote control incompetence.