Passwords, while widely used, have significant drawbacks as a security measure.  One major issue is the inherent conflict between memorability and security. Complex passwords, the most secure kind, are difficult for humans to remember, which can lead to password reuse across accounts or storing them written down, both big security risks.  Furthermore, even strong passwords can be vulnerable to hacking through phishing scams or data breaches, and users can be tricked into revealing them. These limitations make passwords a less-than-ideal solution for protecting sensitive information.

Traditional authentication methods not only create a negative user experience but also pose security risks. And while they'll definitely cause headaches for users, they also come with drawbacks for app developers and companies. Implementing and maintaining a secure login system can be expensive, requiring resources for development and ongoing security audits. Additionally, password resets and forgotten credential support create a burden on customer service teams. Furthermore, relying solely on passwords limits the ability to implement multi-factor authentication, a powerful security layer that can be cumbersome to integrate with traditional login methods. These limitations can hinder user trust and ultimately impact brand reputation.

Facial authentication offers a unique solution of single sign-on for apps. Unlike passwords, which can be forgotten, shared, or hacked, facial features are a much more secure identifier. This additional layer of security makes it significantly harder for unauthorized individuals to gain access to user accounts and protected applications within the SSO system.

Add a secure Single Sign-On flow to your mobile apps

When we want to integrate a Single Sign-On (SSO) flow based on OAuth/OIDC protocols, storing a client ID and secret is usually required. Everything is fine when implementing this in a web server because we can safely store secrets in our controlled servers. However, if we want to implement this flow in a native, mobile, or single-page app, that is an all-new story.

Native apps cannot securely store secrets. It is relatively easy to find strings in a compiled app, and this would reveal any secrets written in the code. Also, in single-page Javascript apps, extracting any API keys or secrets is pretty straightforward because all their source code is available to the browser.

In summary, if we ship code to the user in either uncompiled or binary form, it will be possible for them to see what is inside. Fortunately, there is a solution. OAuth 2.0 provides an extension to the Authorization Code Flow called Proof Key for Code Exchange (PKCE). Instead of shipping a client secret in a mobile app, the app itself creates a new random secret (the Code Verifier) every time it starts the authentication flow, and the authorization server can verify this secret.

Additionally, the app generates a transform value of the Code Verifier (the Code Challenge) and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.

How to integrate Youverse SSO with PKCE

Youverse had recently added support for PKCE protocol to its SSO server, allowing any user to log in without passwords by just using their face. Thanks to OpenID Connect and PKCE, it can now be securely integrated into Web, Single-Page, Native and Mobile apps!

You can now start testing our SSO service with PKCE for free. Please send us an e-mail to support@youverse.id requesting a SSO service test account with PKCE. Please include your app name and a REDIRECT_URI (it should be a valid URL recognized by your mobile application as an app link - we will use it to redirect the user back to your application after authentication) in the e-mail. It would be best to use Android App Links and iOS Universal Links for this REDIRECT_URI, so only your application can get the authorization callback.

You will receive a unique identifier for the registered app (the CLIENT_ID) and the Youverse authentication server URL (YOUVERSE_SERVER_URL). This information will be used later when integrating the SSO flow in your app.

Integration steps

As the PKCE Flow builds upon the standard Authorization Code Flow, the integration steps are very similar:

Authentication

We will perform the authentication step in the browser by calling the /authorize endpoint of Youverse SSO server, which will redirect the user to the Youverse Login page. Please use a registered browser or "in-app browser tabs" and not a "web-view" (details here).

GET <YOUVERSE_SERVER_URL>/authorize?
 response_type=code
 &scope=openid profile
 &client_id=<CLIENT_ID> 
 &code_challenge_method=S256 
 &code_challenge=<PKCE_CHALLENGE>

response_type: It should always be "code" because we use the Authorization Code Flow.

scope: Defines the OpenID Connect claims you are interested in (we currently support "openid" and "profile" only).

client_id: Unique identifier for your application. Enter the saved value of the CLIENT_ID for the app you previously registered with Youverse.

code_challenge_method: The PKCE code challenge method should be "S256" (SHA-256).

code_challenge: PKCE code challenge. Please check the PKCE protocol to implement it or use AppAuth to handle it for you.

Getting Tokens

After the user logs in and accepts the permissions for the requested scopes, the Youverse SSO server stores the code_challenge and redirects the user back to the application with an authorization code that can be used just once.

We can now exchange this code for an access_token by calling the /token endpoint of the Youverse SSO server.

curl -X POST '<YOUVERSE_SERVER_URL>/token' \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d 'grant_type=authorization_code' \
 -d 'client_id=<CLIENT_ID>' \
 -d 'code=<CODE>' \
 -d 'code_verifier=<PKCE_CODE_VERIFIER>'

grant_type: should always be "authorization_code" because we use the Authorization Code Flow.

client_id: The same as above.

code: The code returned by the Youverse SSO server to the REDIRECT_URI on successful user authentication.

code_verifier: The corresponding PKCE code verifier generated with the code_challenge sent to the Youverse server during the authentication process.

The Youverse server verifies the code_challenge and code_verifier and responds with an id_token and access_token. Your application can then use the access_token to call the /userinfo endpoint to access information about the user.

curl -X GET '<YOUVERSE_SERVER_URL>/userinfo' \
 -H "Authorization: Bearer <ACCESS_TOKEN>"

And that's it! You now have the user information based on the requested scopes. Building a secure OpenID Connect authentication flow on mobile is quite simple when using the right tools. As a plus, you get a passwordless login experience using YouFace!

To get more information and free trial licenses, please get in touch with us or join our Discord community.