Introducing the new SecureAuth Mobile SDK – Invisible 2-FA for branded apps

Dusan Vitek
Director, Product Marketing
June 02, 2021

SecureAuth has released a new SecureAuth Mobile SDK so that you can build your own iOS or Android app with an embedded mobile authenticator. When your customers need to sign into your web interface, your own mobile app will alert them, and they can confirm the sign in.

Data security for financial services is nothing new, but the public expectations for how consumer-focused private companies handle private and personal data have gone beyond just banks. The increased focus on data security and protection of customer data and PII from the regulatory bodies around the world forces every consumer brand to reassess how they protect customer data.

The new invisible 2-FA offering from SecureAuth allows consumer brands to rapidly increase the security of their customer accounts.

This also marks an important step for SecureAuth as we are further increasing our footprint in the world of cloud-hosted CIAM. We couldn’t be happier to work with our inaugural customer is PathCare, a healthcare provider headquartered in South Africa, and ADT, a home security company based in Boca Raton, Florida, on bringing modern, passwordless push authentication to popular consumer apps.

Why embedded authenticator is the way to go for app developers?

Today, if you want to protect your web app with 2-factor authentication, in most cases you have to rely either on sending a text message via SMS or ask the user to register a third-party authenticator such as Google Authenticator. Neither option is perfect – with the first you must pay a fee for each message, with the second you have to ask the user to go through a 2-FA configuration with a third-party app. Consumers don’t like when security gets in the face of convenience, so you are testing customer patience here. Think about the user experience: In both cases the user is stopped and asked to re-type a code.

Now, imagine that you are able to integrate the sign in experience between your web application and your mobile application. Your customer will never leave the fully integrated branded experience you want them to have. Imagine that you can trigger a push notification to your own mobile app every time when the user is trying to sign into their account in the web browser.

This branded experience is now possible when you integrate SecureAuth Mobile SDK into your customer mobile app. Without you having to build a massive authentication stack, SecureAuth Mobile SDK will introduce all the adaptive authentication layers for your customer IAM right into your own user flow.

One of the very important considerations is the enrollment of 2-factor authentication. SecureAuth Mobile SDK lets you perform a silent 2-FA enrollment. User performs the enrollment following the usual setup steps for your mobile app. From that moment on, user will get push notifications. There is just a tap to accept, user will not have to read or type any one-time security codes. For your customer it will all feel like a consistent branded experience.

Using SecureAuth Mobile SDK for passwordless login into your custom branded customer web app

The ideal customer login experience is that the login is invisible. That’s near impossible to do but the closest we can get to it is with passwordless experience. In consumer IAM, this ideally means replacing the password (something you know) with the possession of the mobile phone (something you have).

Let’s walk through the steps to let the user sign into their account in your customer web app without a password.

First, we need to establish identity so we will ask for username (which can also be an email address or their phone number). We can add a checkbox called “Remember my username” to allow the user to skip this step in the future. With the username field filled out, the user hits the Submit button and immediately gets a push notification on her phone displayed by your own branded app. This experience establishes trust and familiarity. The notification asks if the user wishes to approve the login. The user taps Accept, the login page in the browser disappears and lets the user in. This is passwordless push authentication with SecureAuth.

This works great when both the laptop and the phone are online. What about offline access?

In case that the push notification is not available, for example when you are traveling by plane and you only paid for Wi-Fi for your laptop, you can still go to your branded mobile app and retrieve a TOTP code to use in the web app. While this is not as elegant as a push notification, it achieves the same goal when conditions are not ideal.

As a mobile app developer, you can control how this login workflow works. Any risk checks and adaptive authentication steps are configurable through SecureAuth policies. You will be able to bring in a risk score and determine what you allow and what you don’t allow as part of the authentication.

New SecureAuth Verify REST API endpoint

Behind the scenes, your browser login page is linked to the SecureAuth Cloud IAM backend. SecureAuth processes the login request and sends a push notification to your custom mobile app with SecureAuth Mobile SDK embedded. When the user responds, the mobile SDK makes an API call to the SecureAuth Mobile SDK RESTful API endpoint called Verify API. The endpoint consumes the response and informs the adaptive authentication engine. The SecureAuth authentication engine then issues an access token and sends it to the browser.

Using OAuth 2.0 with SecureAuth Mobile SDK

We are using OAuth 2.0 as the authentication protocol for SecureAuth Mobile SDK. It’s a more secure version of the framework used in the past.

SecureAuth Mobile SDK uses our brand-new cloud service called SecureAuth Mobile Service. The service authenticates the mobile device (smartphone or tablet), provides a token for that device with an expiry date, and based on the token the app will get access to whatever service or resource they are authorized to use within the SecureAuth cloud IAM platform.

SecureAuth Mobile SDK – in Kotlin for Android, in Swift for iOS

We have built the SecureAuth Mobile SDK for Android and iOS.

  • SecureAuth Mobile SDK for Android is coded in Kotlin.
  • SecureAuth Mobile SDK for iOS is written in Swift and built with Xcode 12.0.

You should be able to jump right in.

Where do I find the repos?

We have made the repos available through the SecureAuth account on GitHub. The initial release of SecureAuth Mobile SDK version 1.0 was published on April 30, 2021.

Github is also where you find the developer documentation.

If you have questions or need assistance, reach out to us through

Continuous updates and time-limited support

Following common industry practices, SecureAuth supports version N-1 for 12 months after the first GA release of version N. We recommend you upgrade to the latest version of SecureAuth Mobile SDK as soon as possible to avoid any breaking changes.

Continue reading

What is SecureAuth Mobile SDK
Developer docs for SecureAuth Mobile SDK
Download SecureAuth Mobile SDK from GitHub

Related Stories

Pin It on Pinterest

Share This