This article is a follow-up post to a previous blog where Appdome co-founder and CTO Avi Yehuda outlines the key reasons MFA is so hard to deliver in mobile apps. I’ll pick up where that blog left off and discuss how Appdome makes it easy to achieve the promise of making MFA Everywhere a reality.
Earlier this year Appdome announced a new service to implement enterprise Multi-Factor Authentication (MFA) to any mobile app – instantly and without coding.
MFA Everywhere Requirements
Here are several requirements to consider in order to deliver a standardized and seamless MFA experience that can be implemented everywhere.
- Ease of building and maintaining – The solution needs to be easy to implement by developers or non-developers, and easy to maintain by existing IT staff.
- Ease of use – A good MFA solution needs to increase security without degrading the user experience. If an MFA solution confuses mobile users, takes the user out of the native app experience, or imposes tedious steps on them – then they’re just not going to use the app.
- Ubiquity – Enterprises need an MFA solution that works in any app. And it must function seamlessly across different app types, OS variants, and frameworks – all while presenting the user with a logical and consistent in-app experience. In other words, it must make the complex appear simple. That’s very easy to say, very hard to do.
- Security – Mobile app security is quickly becoming a key driver of MFA in mobile apps. And you should consider MFA as complementary to other key mobile app security functions such as encryption, obfuscation and secure access. A recent ThreatPost article covers how attackers achieve account takeovers and bypass MFA controls by targeting apps that lack modern authentication.
ALL of the above conditions need to be met all the time. If not, you end up with a solution that’s either unusable, infeasible, too costly, or too limited to be useful.
Challenges With Mobile MFA
Here are some practical examples which reinforce the assertions I just made. Whether you’re an IT professional or a mobile user, I’m certain these examples will resonate personally with negative experiences you’ve had in the past.
Homegrown or closed/proprietary MFA solutions might start off easy to use, but they are not ubiquitous. If an MFA solution doesn’t work for all the apps your organization uses, or requires you to implement additional or redundant services, it’s going to drive up your app development, delivery and maintenance costs, as well as introduce usability challenges as users struggle with multiple authentication workflows.
As soon as you introduce multiple MFA solutions, your MFA is no longer easy to use or easy to implement. And it’s even harder to maintain and operate, not to mention very expensive. Ironically, if you implemented MFA to eliminate the operational burdens and security risks of password management, then you’re probably right back where you started (or even worse). A metaphor that comes to mind is the proverbial hamster spinning in a wheel.
Usability Rules When it Comes to Mobile Authentication
The thing that will make or break any mobile MFA solution is the user experience. At the end of the day, if your MFA solution is hard to use, you’re toast. Don’t implement MFA solutions that force mobile users to jump through hoops or perform tedious steps just to log in to an app. Resentment will build and eventually users will do everything in their power to avoid the app.
Example of a Bad MFA Experience
Last month I was reading about a new ‘passwordless’ MFA service from a company whom I won’t name. To get it working with mobile apps you need to implement the mobile SDK. It’s one of those ‘one line of code’ SDKs, so it must be easy, right? First, it wasn’t one line of code (there’s no such thing actually), but I’ll leave that aside for now. The SDK documentation is 79 pages long. I don’t know about you, but I’ve never come across anything ‘easy’ that had a 79-page instruction manual and required mobile developers to implement. And it’s not 1 SDK. It’s 4 SDKs (there’s an Android SDK, an iOS SDK, a React Native SDK, and a Cordova SDK). Mobile SDKs, by definition, require mobile developers AND source code in order to implement. That’s usually enough to kill the project right there.
But let’s assume you actually managed to implement the SDK, assuming you had an abundance of mobile developers and they had nothing better to do than integrate SDKs (likely 12 to 18 months later). Assuming you still have budget left over after this and you roll the app out to users, let’s now consider the user experience. This service required mobile users to go through a 5-step authentication process, including entering two sets of ‘credentials’, plus an 11-digit PIN code randomly generated by a separate authenticator app (don’t worry, the separate app is free). The user toggles back and forth between the two apps to enter the 11-digit PIN code before the timer expires. All this to log in to a single app! YIKES!
Newsflash: Nobody’s going to use that app
Example of a Good MFA experience
In order to deliver on the true promise of “MFA everywhere”, here’s what it takes:
- Easy to implement – Instant implementation to any iOS or Android app without coding. You’ll be done with the end-to-end integration in minutes (faster than you could download an SDK, let alone write code).
- Easy to use – simple, intuitive in-app login process that’s consistent across omnichannel environments, works on any mobile app, manages all the complex interactions and differences in app design, and spares the user from all that complexity.
- Easy to deploy – Deploy to any public or private app store, all from the same integrated workflow.
- Easy to scale – integrate multiple apps and/or multiple features at the same time, or automate the entire integration process into your CI/CD auto-deploy infrastructure.
- Easy to customize – Brand your customized apps, add configuration elements, adapt the app to fit into your existing enterprise infrastructure.
- Easy to combine with other services – Multi-service integrations across different mobile service categories, such as SSO and Mobile app Security – without adding time to your build cycle.
- Easy to future-proof – doesn’t lock you into an ecosystem that limits your own mobile app strategy, distribution or roadmap.
- Easy to instantly implement in any app – no matter what framework was used to build the app.
Create your app in any development environment you want, then come to Appdome to Customize and Enhance it in minutes. Appdome eliminates coding, complexity, and dependencies.
Just go to your Appdome account, select the services you want to integrate (e.g., OneLogin MFA, Nexmo Verify 2FA, PingID MFA, etc.), and click the green button.
Using AI to Make MFA Everywhere a Reality
The actual integration work is done by AMI (short for AI-Enhanced Mobile Integration). AMI is the digital developer inside Appdome that generates code on behalf of Appdome customers. Think of AMI as an extension of the human development or citizen development team.
AMI completes integrations by adding the MFA SDKs, authentication workflows, and APIs into the app – all while taking into account the various elements, methods, and service interactions of the original app.
Then you can deploy your new MFA-enabled app instantly to any public or private app store.
And you can do this FAST! You can do it EASILY! You can do it NOW! From Hamster to Hercules in under a minute!
But don’t take our word for it. Try Appdome for yourself. Open a free Appdome account, and follow the simple steps in our Knowledge Base to add MFA to your app in minutes – without a single line of code.
Now that’s what I call MFA Everywhere!
Check out this video to see how easy it is to add MFA to a mobile app.
Appdome – Developer Tested, Mother Approved! Somebody call Stockholm, I see a Mobel Prize in our future!