Avoiding login prompts in mobile approvals

A customer posted an interesting question: " We send eMail notifications in our workflow applications. Our users don't want to be password prompted when following that link from their mobile devices. What are my options?".
While the Notes client can handle automatic authentication (especially with embedded experiences), in iNotes LTPA has logged you in and on PC platforms Single SignOn is well established, mobile device are trickier.
The "big" solutions would entail some form of Mobile Device Management (MDM), but that's nothing you want to deploy just for one app in question. You do want to plan MDM, but that's a story for another time (IBM recommends to do that in the context of an overall Endpoint management plan).
I see different possible approaches to get around the password prompt:

• Use a VPN:
  A good VPN server can communicate with the reverse proxy and provide an LTPA token automatically. Sample code is available for Big-IP F5 and Lotus IBM Mobile Connect. Implementing it for other VPN/Reverse Proxy combinations should be possible - check out Puakma SSO and talk to webWise
• Use X509:
  After you deploy X509 certificates onto Android or iOS you can set the Domino Internet site document for your application to require X509 authentication. Since the certs are deployed on the device no additional prompt is required (of course that depends on how you secured the certs)
• Go native:
  In a native (or almost native) application you can locally store the access credentials. You read/write data via JSON and https calls. Not too far off: use OAuth to authorise your mobile app.
• Update (thx Mark, Per): Use OpenNTF's "Auto Login" project

I like the approach using a VPN with LTPA generation best since it saves you the trouble of managing the X509 certificates and adds a security layer on top
As usual YMMV