Mobile devices, such as smartphones, tablets, and notebooks, often have native applications written specifically for that mobile device and/or the operating system running on the mobile device. Such native applications often communicate with other computing devices over a network such as the Internet, where the other computing devices will deliver content or services to the mobile device's native application. The networked native application executing on the mobile device can be referred to as a client app, and the computing devices in communication with the client app may be referred to as servers.
Servers do not necessarily trust the client apps, or the users of the client apps. Often before substantive communication begins between a client app and a server, the server must authenticate and authorize the client app. For example, a client app that allows a user to access their bank accounts communicates with a bank's server. Because access to a bank account is sensitive and should be restricted only to the owner of the bank account, the server requires the mobile device, client app and/or client app user to identify and authenticate itself.
A user may have multiple client apps going to the same enterprise. Each individual client app may force the user to authenticate multiple times using the same credentials within a single usage period, thus creating authentication and authorization redundancy.
Multiple client apps often reside on the same mobile device. However, mobile device platform restrictions often prevent interprocess communication between client apps. This restriction can create multiple redundant authentication or logoff requests when accessing associated network resources. For example, a user may have one client app on their mobile device to access an enterprise HR system, and another client app to mange their enterprise customer relationship management (CRM) system. The user may choose to have his mobile device first execute the HR app, which requires authentication to a n enterprise's HR servers The user may then choose to have his mobile device access the CRM system, also requiring authentication using the same enterprise wide identification. In other words, a user and/or mobile device may be forced to authenticate several times within a relatively short time period when multiple computing services are accessed through multiple client apps that use the same or a related identity. When the user logs out of his banking app, the investment app may remain logged in despite both apps relying on the same credentials. This unintended consequence may create a security risk where a user may believe he or she is logged out of all applications using a specific credential, but actually remains logged into one or more other applications.