Computing devices such as mobile phones and tablets are offering a growing number and diversity of computing applications. In 2017, the Apple App Store alone had over two million “apps” available for download across a wide variety of industries. However, the sheer number of options can prove overwhelming for some users, and many users actually prefer to use only a few applications rather than switch between applications for various purposes.
Certain service providers that offer applications handling sensitive data (e.g., financial service providers) require a heightened level of security before permitting a user to access such data (e.g., to check the status of a financial portfolio) or interact with the service provider (e.g., to place a stock order). As a result, many such service providers have not integrated their platforms with other applications, accepting some inconvenience to the user (e.g., operating within a separate app with a separate password to remember) as a necessary cost of data security.
Other approaches to heightened security also suffer from significant drawbacks, particularly in the context of mobile phones or tablets. For example, one common approach is to use a one-time password (OTP) as a second level of authentication. Under this approach, an application generates an OTP (e.g., a sequence of numbers) on its server and sends the OTP to the user's computing device (e.g., via a message, email or display screen). Then, the user keys the OTP into the third-party application, which sends the OTP back to the target application to verify that the user-entered credentials match the generated OTP. One challenge with this approach is that if an unwanted party has gained access to the user's device, the OTP is then sent to the same compromised device, rendering the OTP ineffective as a second line of defense.
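The OTP round trip described above, as an added example that is not part of the original text: a hypothetical target-application server (`TargetApp`, the device labels and the 120-second lifetime are assumptions) issues and verifies an OTP, and reports whether the code was entered on the device it was delivered to, which is the case where the OTP is not an independent second factor.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed validity window, not taken from the text


class TargetApp:
    """Hypothetical target application server that issues and verifies OTPs."""

    def __init__(self, clock=time.time):
        self._pending = {}  # user -> (otp, expires_at, delivered_to)
        self._clock = clock

    def issue_otp(self, user, deliver_to_device):
        # Six random digits from a CSPRNG; the return value stands in for
        # the message/email delivery to deliver_to_device.
        otp = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[user] = (otp, expires_at, deliver_to_device)
        return otp

    def verify_otp(self, user, entered, entered_on_device):
        # pop() makes the OTP single use: any attempt, right or wrong, burns it.
        record = self._pending.pop(user, None)
        if record is None:
            return {"accepted": False, "same_device": False}
        otp, expires_at, delivered_to = record
        fresh = self._clock() <= expires_at
        matches = hmac.compare_digest(otp, entered)  # constant-time compare
        # same_device=True: whoever holds the device both receives and enters
        # the code, so acceptance says nothing about who that person is.
        return {"accepted": fresh and matches,
                "same_device": delivered_to == entered_on_device}


def demo():
    """Constructed scenario: same-device entry, replay, then an expired code."""
    now = [1000.0]  # fake clock so the expiry case runs offline
    app = TargetApp(clock=lambda: now[0])
    otp = app.issue_otp("alice", "phone-1")
    same_device = app.verify_otp("alice", otp, "phone-1")
    replay = app.verify_otp("alice", otp, "phone-1")
    otp2 = app.issue_otp("alice", "phone-1")
    now[0] += OTP_TTL_SECONDS + 1
    expired = app.verify_otp("alice", otp2, "laptop-7")
    return same_device, replay, expired
```

A server that sees `accepted` and `same_device` both true can treat the OTP as proof of device possession only and ask for a factor that does not pass through that device.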