What's the best way to implement authentication for a mobile app that will be secure and also won't annoy the user by asking them to authenticate every time the app starts? In other words, the first time after installing the mobile app, the user needs to register/login, and after that the app always works without asking for authentication.
Native mobile applications ask for credentials when using the app for the first time, but subsequently they don't require login. The app just starts and tries to connect to a data network (wifi, 3g, etc.); if it finds the data network then it loads the latest data, else it uses the data that it was able to fetch the last time it could get access to the data network. Also, the app is able to reconnect automatically when the data network is available and fetch the latest data without user intervention.
I tried to develop similar features using a Meteor mobile app (accounts-password, useraccounts:core, useraccounts:ionic); however, the app quite frequently times out and asks for re-login every time the data network is lost. Sometimes it even hangs on the login screen and the only way out is to kill the app. The behavior seems very similar to a web app, where a session id is created and has an idle timeout, or login is forced when the internet connection has issues.
Any tips on how to store the credentials on first login and use them subsequently, and also a good way of handling the data network when disconnects are frequent?
Frameworks:
1. Meteor Platform
2. Ionic with AngularJS
3. ngCordova
Code Structure:
1. Common directory, which holds all the Meteor method calls and schema definitions (simple schema).
2. Application files are organized as per guidelines (client, server, resources).
One of the solutions I found on Stack Overflow:
Send the UDID or MAC address with the initial login details to your server. Create a unique token for this user/UDID (or MAC) combination and send it back (encrypted) to the device if username/pass is successful. On subsequent access, the device sends the encrypted token and UDID/MAC (over a secure connection) for re-authentication.
If you want to put paranoid people at ease about tracking the UDID, you could instead use the UDID/MAC to salt the encrypted token; this won't be as secure, but should still do the job.
Appreciate your help, thank you!
I have built a sample here where I use a PaaS to handle user authentication. It manages the user accounts and keeps track of the last active user. It also has built-in offline sync capabilities to handle when you lose connectivity.
https://github.com/aaronksaunders/IonicKinveyDataStore
The service is http://www.kinvey.com