Legacy MFA methods common for new device logins: Incognia app friction report
A review from Incognia of the friction experienced when users attempt to login to mobile apps with a new device indicates that only a couple of apps provide authentication from a new device without adding substantially to the time and difficulty of the process. Deprecated multi-factor authentication (MFA) techniques appear to be significantly more common than biometrics use.
The ‘Device Change Mobile App Friction Report’ for 2021 examines 24 leading mobile apps for fintechs and banks, to understand how authentication methods are used to protect logins from new mobile devices.
Account takeover attacks made up over half of all fraudulent transactions in 2020, so financial institutions are motivated to make sure they have high assurance that their users are who they say they are. Financial institutions are therefore on guard against social engineering, SMS phishing (or Smishing), and SIM swaps when an unknown device attempts to access an existing account, Incognia explains.
The study shows an average of 53 seconds to complete authentication on a new device. Three quarters of the apps tested support one-time passwords (OTP) over SMS for authentication, despite NIST deprecating the method in its SP 800-63B Digital Identity Guidelines last year for being insufficiently secure.
MFA based on a knowledge factor and a possession factor does not necessarily help, according to the study. Nine of the 24 apps support a 4-digit PIN for authenticating mobile devices, which Incognia found adds significant friction.
Two of the apps, those from E-Trade and Klover, were found to allow authentication on a new device with no visible extra step, and consequently provided authentication from new devices with the lowest friction. Incognia speculates they may be using behavioral biometrics or another passive authentication method.
Incognia has also published a Mobile App Friction Report for login authentication and password resets to analyze the use of passwords and passwordless login technologies, support for MFA among financial apps, and compare the amount of friction found in different apps.
“Most account takeover attacks are now a result of social engineering, phishing and SIM swaps but still, most Apps are using SMS as part of their device authorization process, which is highly vulnerable to these attacks,” comments André Ferraz, founder and CEO of Incognia. “Smartphones today contain technologies and sensors that can be leveraged for frictionless adaptive authentication, reducing the risk of ATO without adding friction to the user experience.”