Usability - Productivity - Business - The web - Singapore & Twins

Avoiding login prompts in mobile approvals

A customer posted an interesting question: " We send eMail notifications in our workflow applications. Our users don't want to be password prompted when following that link from their mobile devices. What are my options?".
While the Notes client can handle automatic authentication (especially with embedded experiences), in iNotes LTPA has logged you in and on PC platforms Single SignOn is well established, mobile device are trickier.
The "big" solutions would entail some form of Mobile Device Management (MDM), but that's nothing you want to deploy just for one app in question. You do want to plan MDM, but that's a story for another time (IBM recommends to do that in the context of an overall Endpoint management plan).
I see different possible approaches to get around the password prompt:
  • Use a VPN:
    A good VPN server can communicate with the reverse proxy and provide an LTPA token automatically. Sample code is available for Big-IP F5 and Lotus IBM Mobile Connect. Implementing it for other VPN/Reverse Proxy combinations should be possible - check out Puakma SSO and talk to webWise
  • Use X509:
    After you deploy X509 certificates onto Android or iOS you can set the Domino Internet site document for your application to require X509 authentication. Since the certs are deployed on the device no additional prompt is required (of course that depends on how you secured the certs)
  • Go native:
    In a native (or almost native) application you can locally store the access credentials. You read/write data via JSON and https calls. Not too far off: use OAuth to authorise your mobile app.
  • Update (thx Mark, Per): Use OpenNTF's "Auto Login" project
I like the approach using a VPN with LTPA generation best since it saves you the trouble of managing the X509 certificates and adds a security layer on top
As usual YMMV

Posted by on 31 December 2012 | Comments (5) | categories: IBM Notes Lotus Notes Show-N-Tell Thursday


  1. posted by Mark Leusink on Wednesday 02 January 2013 AD:
    How about adding a "Remember me for x days" option to the login form? That would make using the application a lot easier, since it only asks for your password if the "remember me" has expired.

    A (supposedly) secure method to do so using a cookie is described here. It doesn't store the actual users' credentials in the cookie (of course...).

    I implemented that method for Domino in the " Auto Logins for Domino/ XWork" project on OpenNTF. After a user has signed in, it issues a cookie containing a random key and uses that key the next time to validate a user and create a LtpaToken.
  2. posted by Thomas Adrian on Wednesday 02 January 2013 AD:
    Imho a simple URL containing a secret key pointing to an anonymous agent that process the workflow is safe enough for most companies.
  3. posted by Stephan H. Wissel on Wednesday 02 January 2013 AD:
    The URL as sole authentication never passes a security audit. While it would make it harder to "guess" the URL (and leave evidence in the logs when you script the guessing), it would allow a simple forward to let somebody else do the approval. Security by obscurity is tempting, but not secure.
  4. posted by Stephan H. Wissel on Wednesday 02 January 2013 AD:
    @Giulio: I like the LTPA approach too
    @Mark: The remember me approach is also a viable solution.
    @Mikkel: a temporary token also works - banks call them TAN Emoticon wink.gif
  5. posted by Giulio Campobassi on Wednesday 02 January 2013 AD:
    This is an interesting post you've made Stephan. (Sorry this sounds like a plug.. it's not meant to be).

    When we started Mobilite we had to wrestle with authentication on mobile browsers. We tried a number of things, but we came to rely on LtpaToken. The way it's built into the Domino server made it quite easy and consistent to manage user identity and access to databases without changing the ACL. As we evolve our solution, this authentication technology will keep up with us. As long as you have rest-like services, building it into your applications is relatively easy for native or browser based apps. We find customers like using VPNs as well to secure the line.