dfinity / examples

Example applications, microservices, and code samples for the Internet Computer
https://dfinity.org
Apache License 2.0
537 stars 360 forks

As we want to implement mobile app service, I want to [best authentication practice for native app platform (ios/android) - WITHOUT via WebKit] so that [much more mobile applications.] #975

Open metasmile opened 1 month ago

metasmile commented 1 month ago

Is your feature request related to a problem? Please describe.

We are developing a mobile app service for iOS and Android platforms. Currently, we are facing challenges with authentication, specifically using WebKit-based solutions such as WKWebView for iOS. These solutions tend to feel clunky in native applications, leading to a less than ideal user experience, increased complexity, and potential security vulnerabilities. We are looking for a more seamless and secure method of implementing authentication directly within the native app, without relying on web views.

This problem also limits the range of mobile application use cases we can support. For example, real-time, user-centric applications such as messaging, finance, or any service that demands higher levels of trust and seamless UX struggle with current web-based approaches.

Describe the solution you'd like

We would like to implement native authentication without relying on WebKit. A solution leveraging native iOS and Android SDKs, utilizing the latest mobile security frameworks, would be ideal.

Key aspects:

- OAuth 2.0 / OpenID Connect support: Preferably using native SDKs like AppAuth for both iOS and Android to manage tokens and sessions securely.
- Biometric authentication: Integration with device biometrics (e.g., Face ID, Touch ID on iOS, and fingerprint/face recognition on Android) for a seamless user experience.
- Secure Storage: Using native secure storage options like iOS Keychain or Android Keystore for sensitive tokens and session data.
- Push notification support for multi-factor authentication (MFA), enabling secure verification outside web contexts.
- Deep integration: Authentication should feel natural within the native app workflow, without forcing users to switch between web pages and the app.

Describe alternatives you've considered

- Web-based authentication (via WebKit or Chrome Custom Tabs): Although widely used, this method disrupts the user experience, adds overhead, and exposes potential security vulnerabilities through web browser interactions.
- Building a custom backend for handling authentication: This would add significant complexity and resource overhead, particularly in managing tokens, session refresh, and security issues. While feasible, we prefer a well-established, standard solution such as OAuth 2.0/OpenID Connect that integrates directly with native SDKs.

Additional context

Our app is designed for high-security, user-sensitive operations, such as financial transactions, private messaging, and account management. Thus, implementing the highest security and smoothest user experience is critical.
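The OAuth 2.0 / OpenID Connect aspect requested above is, for native apps, the authorization-code flow with PKCE (RFC 7636) over the system browser that RFC 8252 recommends and that the AppAuth SDKs implement on iOS and Android. The following is an added example, not code from this issue, from the dfinity/examples repository, or from AppAuth; it is written in Python so that both the app side and the authorization-server side of the exchange can be run together offline. The issuer endpoint, client id and custom-scheme redirect URI are hypothetical, and AuthorizationServer is a constructed in-memory stand-in for the token endpoint's bookkeeping. It shows the checks that keep the flow safe without a web view: the state check when the redirect re-enters the app, and the verifier/challenge, redirect_uri and single-use-code checks at the token endpoint.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """App side: a fresh code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """App side: the authorization request handed to the system browser (never an embedded web view)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Constructed stand-in for the server's code/challenge bookkeeping (in-memory, example only)."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (code_challenge, redirect_uri)

    def issue_code(self, code_challenge: str, method: str, redirect_uri: str) -> str:
        """After the user authenticates: bind a one-time code to the challenge it was requested with."""
        if method != "S256":
            raise ValueError("only S256 is accepted; the 'plain' method adds no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, redirect_uri)
        return code

    def exchange(self, code: str, code_verifier: str, redirect_uri: str) -> bool:
        """Token endpoint: code is single-use, redirect_uri must match, verifier must hash to the challenge."""
        entry = self._pending.pop(code, None)  # pop makes the code unusable a second time
        if entry is None:
            return False
        challenge, bound_uri = entry
        if bound_uri != redirect_uri:
            return False
        recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        return secrets.compare_digest(recomputed, challenge)


def code_from_redirect(redirect_url: str, expected_state: str) -> Optional[str]:
    """App side: when the custom-scheme redirect lands in the app, ignore it unless state matches."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return None
    return qs.get("code", [None])[0]


def run_flow(server: AuthorizationServer, verifier_presented: Optional[str] = None) -> bool:
    """Drive one complete code + PKCE exchange; returns whether the token request succeeded."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect_uri = "com.example.app:/oauth2redirect"  # hypothetical custom-scheme redirect
    build_authorization_url("https://issuer.example/authorize", "native-app",  # hypothetical values
                            redirect_uri, "openid profile", state, challenge)
    # The user authenticates in the system browser; the server issues a code bound to the challenge
    code = server.issue_code(challenge, "S256", redirect_uri)
    redirect_back = f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    code_seen = code_from_redirect(redirect_back, state)
    if code_seen is None:
        return False
    # Normally the app presents its own verifier. The optional argument models a party that saw the
    # redirect (and thus the code) but never the verifier, which only ever lived in app memory.
    presented = verifier if verifier_presented is None else verifier_presented
    return server.exchange(code_seen, presented, redirect_uri)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate exchange:", run_flow(srv))
    print("code without verifier:", run_flow(srv, "not-the-real-verifier"))
```

In a real app the verifier and state live only in process memory for the duration of the flow, and the tokens returned by a successful exchange are what go into the Keychain or Keystore mentioned in the request; the redirect URI registration (custom scheme or, better, a claimed HTTPS/App Link) is what routes the browser's redirect back into the app.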

github-actions[bot] commented 4 days ago

This issue is stale because it has been open for 30 days with no activity.