FB pixel

Legacy MFA methods common for new device logins: Incognia app friction report

Legacy MFA methods common for new device logins: Incognia app friction report

A review from Incognia of the friction experienced when users attempt to login to mobile apps with a new device indicates that only a couple of apps provide authentication from a new device without adding substantially to the time and difficulty of the process. Deprecated multi-factor authentication (MFA) techniques appear to be significantly more common than biometrics use.

The ‘Device Change Mobile App Friction Report’ for 2021 examines 24 leading mobile apps for fintechs and banks, to understand how authentication methods are used to protect logins from new mobile devices.

Account takeover attacks made up over half of all fraudulent transactions in 2020, so financial institutions are motivated to make sure they have high assurance that their users are who they say they are. Financial institutions are therefore on guard against social engineering, SMS phishing (or Smishing), and SIM swaps when an unknown device attempts to access an existing account, Incognia explains.

The study shows an average of 53 seconds to complete authentication on a new device. Three quarters of the apps tested support one-time passwords (OTP) over SMS for authentication, despite NIST deprecating the method in its SP 800-63B Digital Identity Guidelines last year for being insufficiently secure.

MFA based on a knowledge factor and a possession factor does not necessarily help, according to the study. Nine of the 24 apps support a 4-digit PIN for authenticating mobile devices, which Incognia found adds significant friction.

Two of the apps, those from E-Trade and Klover, were found to allow authentication on a new device with no visible extra step, and consequently provided authentication from new devices with the lowest friction. Incognia speculates they may be using behavioral biometrics or another passive authentication method.

Incognia has also published a Mobile App Friction Report for login authentication and password resets to analyze the use of passwords and passwordless login technologies, support for MFA among financial apps, and compare the amount of friction found in different apps.

“Most account takeover attacks are now a result of social engineering, phishing and SIM swaps but still, most Apps are using SMS as part of their device authorization process, which is highly vulnerable to these attacks,” comments André Ferraz, founder and CEO of Incognia. “Smartphones today contain technologies and sensors that can be leveraged for frictionless adaptive authentication, reducing the risk of ATO without adding friction to the user experience.”

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News


Move over, Armani: Italy’s It Wallet is the digital ID accessory of the season

Bravo to Italy for the forthcoming launch of its digital wallet scheme, clearing the path for a national digital identity…


Sumsub brings non-doc biometric identity verification to new markets

Biometric identity verification providers are expanding their market reach in various ways, including Sumsub’s support for users without ID documents…


Scottish Government emphasizes security of new platform for digital public services

Scotland is talking up the data security measures designed and build into ScotAccount, a single-sign on (SSO) service designed to…


Zambia, Namibia, Tanzania upgrade digital ID systems in concert with development partners

Zambia has carried out a major first step in its transition towards a modern legal and digital identity system, by…


Bermuda delays facial recognition deployment for national CCTV project

Bermuda’s government will not be deploying facial recognition capabilities in its CCTV system, at least for now, due to unspecified…


Florida Police deploy Idemia ABIS for latent fingerprint biometric analysis

Idemia Public Security North America has announced the implementation of its automated biometric identification system, Storm ABIS, by forensics examiners…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events