User Authentication
User Authentication is a process that allows an app to validate the user's details, usually against a remote server. Validating and identifying a user allows the app not only to restrict access to authorised users, but also to customise the data it displays for the current user.
An example of this would be a field worker who can log in to the system and then download their own list of jobs or appointments for the day, or a user who wants to connect to a service to check anything from phone bills to account details.
Authentication is usually performed by the app prompting for the user's login details and then sending these details either to a web service designed to validate credentials or, when higher levels of security are needed, to a RADIUS server that validates the details against a directory system such as Active Directory.
When authentication data is sent from (and to) the mobile device, SSL encryption is used to keep the data transfer secure.
Authentication via a Web Service
Directory services, such as Active Directory or even SharePoint, are generally kept on an internal company network. For a handheld device to authenticate against the directory service from a remote location, the handheld device needs some way to communicate with the server.
Web services are a common way to allow two-way communication through a firewall whilst keeping general access restricted.
A web service is a piece of software designed specifically to act as a communication channel between software running on an internal network and the remote devices. For an authentication system, a web service would take requests from remote devices in the form of an authentication request containing the user's details. The web service would then communicate with the directory system and return the result to the remote device.
This way a user's credentials can be validated remotely whilst the directory service stays behind the firewall.
Some systems, such as SharePoint, already have web services built in that are designed for this type of remote integration. For systems that don't have their own web services, custom web services can be created.
Authentication via RADIUS
When extra levels of security are needed, user authentication can be done via RADIUS. RADIUS is a well-established protocol that is specifically designed for secure remote authentication.
The authentication is performed between a RADIUS Server and a RADIUS Client. The RADIUS Client is the Blink Mobility Platform server. The RADIUS Server can be a daemon installed on the company network.
In this process, the user enters their login details on their mobile device. These details are taken by the RADIUS Client, which runs on the Blink Mobility Platform.
The RADIUS Client then passes these credentials, along with a shared Secret (a string known to both the RADIUS Client and the RADIUS Server that RADIUS uses to secure the exchange between them), to the RADIUS Server running on the company network. The RADIUS Server, running behind a secure firewall, connects to the directory service, such as Active Directory.
The RADIUS Server passes the validation result back to the RADIUS Client, which in turn replies to the mobile device indicating whether or not the user has been validated.
The following diagram shows the flow of data between the end user, RADIUS Client, RADIUS Server, and the directory service.
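The exchange described above, shown as an added example that is not part of the Blink Mobility Platform or its code: both the RADIUS Client side and the RADIUS Server side are simulated in one process, following the RFC 2865 Access-Request and Access-Accept/Access-Reject packet layout. The shared secret, the user name and password, the NAS-Identifier value and the in-memory "directory" standing in for Active Directory are all constructed values for the example. It shows what the Secret actually does on the wire: it hides the User-Password attribute so the password never travels in clear text, and it lets the client verify that the reply really came from a server holding the same secret.

```python
"""Simulated RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Added example: the client and server halves both run in this process with a
constructed shared secret and a constructed in-memory directory.
"""
import hashlib
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

SHARED_SECRET = b"example-shared-secret"            # constructed for the example
DIRECTORY = {"fieldworker": "correct horse battery staple"}  # stands in for the directory service


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def obfuscate_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, XOR each block with an MD5 chain
    seeded from the shared secret and the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def recover_password(hidden, secret, request_auth):
    """Inverse of obfuscate_password: only a holder of the shared secret can undo it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def encode_attr(attr_type, value):
    # Attribute = Type (1 byte), Length including these two bytes (1 byte), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, pos = {}, 0
    while pos < len(data):
        t, l = struct.unpack_from("!BB", data, pos)
        if l < 2 or pos + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return attrs


def build_access_request(username, password, identifier, secret):
    """RADIUS Client side: returns (packet, request_authenticator)."""
    request_auth = secrets.token_bytes(16)  # fresh random authenticator per request
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, request_auth))
             + encode_attr(ATTR_NAS_IDENTIFIER, b"example-nas"))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def serve_access_request(packet, secret, directory):
    """RADIUS Server side: recover the password, check it against the directory, reply."""
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pwd = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in directory and secrets.compare_digest(pwd, directory[user].encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(reply, request_auth, expected_id, secret):
    """Client side: return the reply code only if the reply is authentic, else None."""
    code, identifier, length = struct.unpack_from("!BBH", reply, 0)
    if identifier != expected_id or length != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return code if secrets.compare_digest(expected, reply[4:20]) else None


def authenticate(username, password, client_secret=SHARED_SECRET, server_secret=None):
    """Full round trip; returns 'accept', 'reject', or 'unverified' (reply not authentic)."""
    identifier = os.urandom(1)[0]
    packet, request_auth = build_access_request(username, password, identifier, client_secret)
    reply = serve_access_request(packet, server_secret or client_secret, DIRECTORY)
    code = verify_response(reply, request_auth, identifier, client_secret)
    if code is None:
        return "unverified"
    return "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("fieldworker", "correct horse battery staple"))  # accept
    print(authenticate("fieldworker", "wrong password"))                 # reject
    print(authenticate("fieldworker", "correct horse battery staple", server_secret=b"other"))  # unverified
```

The last call shows why the Secret must match on both sides: a server with a different secret cannot recover the password (so it rejects), and its reply fails the client's Response Authenticator check, so the client treats it as unverified rather than as a genuine rejection. Note that the password hiding in RFC 2865 is MD5-based obfuscation rather than modern encryption, which is one reason the page's point about transporting credentials over SSL still matters.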