PWAs for Business Applications: What Enterprise Dev Teams Need to Know

Marc Englund
Marc Englund
On Nov 22, 2022 5:30:00 PM

The benefits of Progressive Web Applications (PWA) for consumer apps and especially e-commerce apps are often reported. But beyond conversion, organic traffic, and daily active users, there are real benefits for business and enterprise applications – without additional effort, when using the right tools.

Let’s peek behind the PWA buzzword at 8 somewhat subtle and sometimes surprising benefits like increased ”phishing resistance”.

Defining PWAs

Progressive Web Apps (PWAs) are web apps you can install on your desktop or mobile device that function much like a native application, even though they still technically run in the secure sandbox provided by the web browser. The most common examples are consumer web apps installed on mobiles. However, the benefits of PWAs are not limited to mobile apps - for instance, Microsoft Outlook can be installed as a PWA.

PWA versus "regular" web applications

Let us first address the elephant in the room: All PWAs are “regular web applications,” but all web applications are not PWAs.

PWA is not a clearly defined standard. Instead, PWA can be seen as a few useful characteristics that a web application can have or lack. Google simply defines PWAs as web applications that are capable, reliable, and installable. According to Microsoft, a fully capable PWA is discoverable, installable, re-engageable, network-independent, progressive, safe, responsive, and linkable.

Perhaps the most relevant property from the workplace application's perspective is what is usually referred to as a “native-like experience.”

OS-native feel and integration

PWAs can easily be installed, and once installed, they behave much like native applications.

Spot the PWASpot the PWAs

PWAs can also access local files and folders, USB, Bluetooth, and serial peripherals such as barcode readers, receipt printers, or even advanced healthcare equipment.

One of the more subtle but powerful benefits of an installed PWA on the desktop is that it behaves like any other installed application. This includes proper window management, application switching, taskbar integration, menu participation, and so on. This OS-native feel can have a big impact on the user experience; you can launch the application in the OS-native way instead of browsing to a URL, and you can switch between applications in the usual way – seamless integration, which can have a great impact throughout the workday.

Looks like an application, works like an application

Perhaps a bit less intuitively, this OS-native feel can also have a positive impact on security.

Phishing resistance

One of the most prominent attack vectors used at the moment is "phishing". This type of attack is very hard to stop, as it tricks users to log in to malicious sites that look like the real deal. A phishing attack can even bypass most multi-factor solutions today (not including hardware-based/biometric solutions) by using a man-in-the-middle/replay attack. This often means that vigilant users are the only defense left – unfortunately, none of us are 100% vigilant all the time, especially when trying to get things done quickly. 

However, because an installed PWA looks quite different from something running in the browser, it is much harder to trick users. PWAvsMalicious

The window looks different if you open a phishing link 

An installed PWA has little or no “browser chrome” (browser-specific controls), and PWAs can even customize the installed look and feel further with colors and custom window controls. 

It’s impossible to make a malicious site running in the browser look the same way as an installed PWA, thus making it much more likely that the user realizes something is amiss.

When combined with best practices around phishing-resistant hardware/biometric authentication mechanisms provided by browsers, phishing attacks fast become difficult to execute successfully. 

PWA versus native desktop applications

PWAs are in some ways the best of both worlds as they are web applications with native UX. Users have grown accustomed to how things work “on the internet”, and PWAs use the same familiar patterns for instance for login and multi-factor authentication. 

Seamless installation (and test before you do)

PWAs have a seamless installation process and do not require elevated permissions to modify the system, as they run in the web browser and inherit the same security model as any web application or site.

The application does not even have to be installed to function. This means you can try the application without installing it, and then only install it if/when you feel that it is valuable (e.g when your usage becomes frequent). Also, should the need arise, you can log in and use the application from anywhere, even if the application is not installed on that device.

If you on the other hand want the application to be available in app stores too, that is possible with tools like PWABuilder


Just as with any web application, users (or administrators) do not have to explicitly install new updates or install security patches for PWAs. The application is “evergreen” – always up to date on the users’ computers.UpdateAvailable

PWAs update with one click

One note on predictability though: it's a good practice to inform the user when the application has been updated with changes that affect the UI so that the user knows what to expect. 


PWAs run in the web browser, and the web browser is without a doubt one of the most scrutinized and battle-tested platforms made explicitly to safely navigate on the unsecured open internet. This makes the browser a perfect fit for zero-trust architectures (e.g the Federal Zero Trust Strategy). Developers can rely on the built-in browser security features, instead of creating their own.

When a PWA wants special access to OS facilities (file system, USB, Bluetooth, etc) it still follows the browser security model, explicitly asking for specific permissions, and maintaining the sandboxed approach. Native applications are slowly getting better in this regard, but are still much more likely to acquire broad permissions at install time (hence requiring admin permissions for installation).


PWAs are inherently cross-platform in the same way generic web applications are. This means less developer time porting between platforms, and the ability to support new and upcoming platforms. This in turn allows the users of the application to choose the platform that is most convenient or cost-effective for their use case.

Developer availability

The technologies used to develop native applications are notoriously fragmented across operating systems, with developers often specializing in just one ecosystem.

In contrast, cross-platform PWAs use the same development stack as any web application, allowing companies to hire from the web developer talent pool. Full-stack, back-end, and front-end developers are some of the most common.

Developer experience

Building business applications as PWAs allows developers to use modern tools with top-notch ergonomics. They can rely on well-known and proven security practices, and do not need to invent their own auto-update mechanism. 

This allows developers to move faster and focus on the things that matter; superior DX means superior productivity. 

Creating superior business applications

Applications used by people at work should make the users feel efficient and productive, and PWA is one piece of the puzzle when creating a good user experience.

Find out why Enterprise UX matters and start building great business applications that are PWA out of the box with Vaadin today.

Marc Englund
Marc Englund
Marc is a a long time Vaadineer, carrying a Design Strategist card in his left jeans pocket. Lately he has mostly been thinking about the new #FFS, and other ways to make the developers’ day more enjoyable.
Other posts by Marc Englund