mobile user authentication

Passwords must be strong but easy to remember for human users. You cannot enforce a tough password policy, such as random and long (8-10 chars) password, because users will simply not accept it and reject your app. I prefer to let the user use a short random passwords, such as 4 random digits.

One way to magnify the strength of a user credential is to combine the short random password with a longer server generated random key. The first time the user logs into the mobile app with a short password, the server generates the random key and sends it to the mobile app via a secure channel, such as a SSL connection. The mobile app saves then the random key in secure storage of the phone. For subsequent accesses to the server, the mobile app sends a user credential combining the short password and the random key. The server would not accept the short password as a credential anymore. The random key can be refreshed with certain regularity for enhanced security.

This method is pretty simple to implement and robust against attackers in possession of the user ID, the mobile app but not the legitimate user phone. To counter with an attacker which may also possess a legitimate user phone (e.g. attacker steals the phone), then limit the number of failed authentication trials and/or increasingly delay the time between each subsquent allowed authentication trial. Note that the short password is not saved in the phone but in the legitimate user memory (which I assume that does not leak information ;-) The server is assumed to be secure.