App2App - Improving the Third-Party Authorization User Experience on Mobile
25:01
Mobile devices are key parts of our daily lives; how can identity architects leverage existing standards to ensure a smooth mobile-first authentication/authorization flow for third-party mobile apps? The first-party mobile experience for authentication has come a long way in the last 10 years. The majority of modern mobile devices now have built-in secure key stores with biometric protection, and these are used to great effect to create secure native mobile applications with slick authentication. Joseph describes how we can extend this experience to third-party native and web apps using standard OAuth2 or OpenID Connect protocols, with a quick journey starting with an example of the user experience we’re aiming for. We show the architecture of a system and the snippets of code third-party mobile developers need. We also look at some of the common pitfalls, the pros and cons of alternative mechanisms like CIBA, security implications, anti-patterns and other lessons learned from deploying app2app across the UK OpenBanking ecosystem, along with the wider question of “Does my authorization server need a companion mobile app?”

(Mobile, Authentication, Standards, Financial Services, Development, Mobile IoT, Joseph Heenan)