Conventional web-based service sign-in processes present a barrier to accessing web-based services from a mobile device. Web-based services that store user data (e.g., web-based email, calendaring, address book, etc.) require users to sign in at the start of each session in order to verify their identities before granting the users access to their personal data. This contributes to a poor user experience, as users are required to perform operations such as entering usernames and passwords that are formatted for a PC (many of which are long and include characters that are difficult to type on a mobile device).
A conventional approach to improving the sign-in experience is to keep user sessions valid for an extended period of time after a user has signed in once, by saving the user's authentication token in a persistent cookie that has an extended expiration period (e.g., one year). A problem with this approach is that once a user is signed in on a mobile device and that device is lost, there is no way to revoke the live user session on that device. In some cases, the live user session may not even be revoked by changing the user's password. This is because the authentication token in the persistent cookie remains valid, and thus the web-based service, when encountering this persistent cookie, will not require additional validation. Consequently, anyone obtaining possession of the device can subsequently use it and masquerade as the original user for as long as the persistent cookie remains valid.
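The following added example (not part of the original text) shows why a persistent-cookie token checked only by signature and expiry survives a password change, beside a check that consults server-side state. The cookie layout, key, function names and the per-user generation counter are assumptions made for illustration; the counter is one common mitigation and is not a mechanism described here.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed value, not a real secret
ONE_YEAR = 365 * 24 * 3600
# Hypothetical server-side record: a per-user token generation that is
# bumped on password change or when a device is reported lost.
token_generation = {"alice": 1}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str, now: float) -> str:
    """Issue a persistent cookie value: user|generation|expiry|mac."""
    payload = f"{user}|{token_generation[user]}|{int(now) + ONE_YEAR}"
    return f"{payload}|{_sign(payload)}"

def _parse(cookie: str, now: float):
    """Return (user, generation) if MAC and expiry check out, else None."""
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return None
    user, generation, expiry = payload.split("|")
    if now >= int(expiry):
        return None
    return user, int(generation)

def validate_stateless(cookie: str, now: float) -> bool:
    """The behaviour described above: signature and expiry only."""
    return _parse(cookie, now) is not None

def validate_with_revocation(cookie: str, now: float) -> bool:
    """Also require the cookie's generation to match the server's record."""
    parsed = _parse(cookie, now)
    if parsed is None:
        return False
    user, generation = parsed
    return token_generation.get(user) == generation

def revoke_sessions(user: str) -> None:
    """Call on password change or on a lost-device report."""
    token_generation[user] += 1
```

After `revoke_sessions("alice")`, a cookie issued earlier still passes `validate_stateless` until its one-year expiry but fails `validate_with_revocation`.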
Microsoft Exchange Server™ (2003 or later) implements a remote device wipe mechanism as part of its over-the-air data synchronization protocol. This remote device wipe deletes all user-related data, including any persistent cookie, on a mobile device and essentially resets the device to its original factory configuration. Windows Mobile™ and other licensees of this protocol support this function through on-device applications. As part of this approach, data wipes are triggered by the Exchange Server, and the command is either pushed to a device through a persistent HTTP connection required by the protocol (if the device's always-up-to-date feature is turned on) or pulled by a device at the next scheduled over-the-air data synchronization.
Other conventional products such as RIM Blackberry provide similar features. All of the aforementioned conventional products require mobile devices to have native applications pre-installed in order to support the execution of the remote device data wipe. Moreover, because the data wipes may be correlated to scheduled synchronizations, an intervening misappropriation of a device with an ongoing live user session can enable malfeasant access to user personal data that is provided by a web-based service. Because of shortcomings such as these, conventional systems such as those discussed above are inadequate with respect to security issues that are commonplace in the current technological environment.