Enabling zero sign-on by replacing passwords with mobile as ID

Today, MobileIron introduced the industry’s first mobile-centric, zero trust enterprise security platform that makes mobile devices the ID and secure access for the enterprise. With mobile devices as the ID, organizations can finally eliminate passwords and enable a secure and frictionless user authentication experience from all devices without the hassle of remembering and typing in passwords. Just as important, by eliminating passwords, zero sign-on also eliminates one of the top causes for enterprise data breaches.

We first introduced zero sign-on in late 2017 for devices secured through MobileIron Access. Access customers already experience the security and productivity advantages of passwordless access to business services such as Office 365, Salesforce, G Suite, and Box — all while ensuring that unauthorized users, devices, apps, and services cannot connect to these resources. In June 2019, we’re extending those capabilities to unmanaged devices. Let’s walk through how we do it:


Zero sign-on from managed devices




  1. The user attempts to login to a cloud service from a device managed by MobileIron UEM.
    At the time of registration, the device is provisioned with an identity certificate and managed app configurations. Managed apps are apps installed via UEM and are managed by IT. Unmanaged apps are those installed by the user from the Apple or Google Play stores and are not under IT control. Unmanaged apps should not be allowed to connect with business services or data.
  2. The cloud service redirects the device to MobileIron Access for authentication.
    This requires the configuration of Access as an identity provider (IdP) for managed cloud services. Access can also be configured as a delegated IdP to work alongside an existing IdP.
  3. Access verifies user, device, app, threats, and other signals before sending a standards-based token (SAML or WS-Fed) back to the cloud service.
    Access establishes user trust based on the provisioned identity certificate. Device and app trust are established based on signals from MobileIron UEM and managed app configurations. If an unmanaged app attempts to connect, Access is able to detect this and instruct the user to download the app from the enterprise app store. In addition, Access also works with MobileIron MTD to ensure devices with malicious code, apps, profiles, or connecting over malicious Wi-Fi cannot access business data.
  4. Done — The user now has immediate access to business data on a trusted device, app, and network without requiring a password. 


Zero sign-on from unmanaged devices




  1. User attempts to log in to a cloud service from an unmanaged desktop.
  2. The cloud service redirects to MobileIron Access. Access detects the unmanaged device and sends a QR code with a unique session ID.
  3. The user first authenticates to MobileIron UEM app on their managed device using biometrics and then scans the QR code. Information from the scanned QR code is sent to Access.
  4. Access validates the user and other signals before enabling the session on the specific desktop — all without requiring a username or password to be entered on the unmanaged desktop.

This significantly reduces the risk of data breaches because malicious users can no longer use stolen credentials to access sensitive business information.

Starting in June 2019, customers will be able to use MobileIron-managed iOS devices as their ID to enable zero sign-on from unmanaged devices. Support for Android will be available soon after.


Why does this matter?

A zero-password experience is finally here. This isn’t just a huge improvement to the user experience and enterprise productivity, it also eliminates one of the biggest security gaps in your organization — passwords — using our mobile-centric, zero trust security platform. And it’s only just the beginning. Stay tuned for more exciting news about how MobileIron is ushering in a whole new consumer experience for the enterprise world.

Want to learn more about zero sign-on now? Contact a MobileIron representative to get started today.