mAuth: Secure Authorization and Authentication Protocol for Native Apps
Type
Master's Thesis
Abstract
OAuth and OIDC are the well-established industry standards for handling user authentication and authorization. However, the user experience of native mobile apps remains a challenge because of their reliance on browser redirection: it is hard for users to determine whether they can trust the web page that pops up during the login process. To improve on this, we have designed a protocol called mAuth that performs user authentication and authorization on mobile phones without browser redirection. The protocol follows the best current practice (BCP) for OAuth and the FAPI standard. Our analysis showed that mAuth satisfies the OAuth BCP and FAPI requirements through the use of attestation, Demonstrating Proof of Possession (DPoP) bound to the client instance key, and by building on the authorization code flow. From our analysis of the user experience of the theoretical protocol, which reflects our own point of view, we found that it achieves the goal of a better user experience. It also gives developers flexibility, since they can choose between three different flows depending on their security and user experience demands.
Subject/keywords
OAuth, OIDC, Authentication, Authorization, Security, Native, App, login, mAuth