Authentication Mobile App Friction Report - Crypto Edition
A review of authentication processes in top crypto apps highlights how much friction security adds to the user experience.
Incognia announced today a new Crypto Edition of its Mobile App Friction Report, focused on authentication. The report presents the results of Incognia's review of 21 of the top mobile crypto apps in the US market, both wallets and exchanges, including Coinbase, Binance US, FTX, Paypal, Robinhood, SoFi, Webull, Crypto.com and others.
Account takeover (ATO) is the #1 type of fraud in digital channels, and crypto accounts are prime targets. In 2021, stolen cryptocurrency hit an all-time high of $14 billion. Against this growth in crypto ATO, authenticating users is the primary line of defense at login and at sensitive points in the user journey, such as password reset and logging in from a new device. Multi-factor authentication (MFA) is essential to account security; however, extra security brings extra friction, and the security steps that keep fraudsters at bay can also turn away legitimate users when the experience is too cumbersome.
Mobile users are known for short attention spans, which makes a low-friction user experience even more important on mobile, and especially so for crypto apps. Given the market volatility in crypto, users constantly check their apps for price updates. While the average American checks their phone every 10 minutes, crypto app users log in to their accounts even more frequently as they try to stay on top of the market.
The need for stronger protection against ATO with lower friction prompted our review of top crypto mobile apps: how do they authenticate users at login, when logging in from a new device, and when resetting a password? We also measured how much friction users face at these key points of the user journey.
Crypto App Authentication Reviewed
In this review we analyzed the authentication process during login, password reset and when logging in with a new device. We reviewed the security provided by MFA and the amount of friction introduced for users at three key points of the user journey while using crypto apps.
A comparison and ranking of the exchange apps is provided based on the friction during device change and password reset. Crypto wallet apps were excluded from this friction analysis since all rely solely on the seed phrase for password reset and device change.
And the winners are…
FTX had the lowest password reset friction, mainly because it reduced the number of fields the user must complete to a single one, after which the user receives an email with either an OTP or a magic link to reset the password. At the other end of the range, Bitmart had the highest friction, the result of the highest number of screens and the second-highest time to complete the process.
Comparison of Password Reset Friction Index in Crypto Apps
SoFi had the lowest device change friction, requiring the least time for users to log in with a new device: 10 seconds less than the second-ranked app and twenty-three seconds less than the average. Crypto.com had the highest friction, due to having the most screens, ten more than the average and 4x more than SoFi.
Comparison of Device Change Friction Index in Crypto Apps
High friction, low security and app vulnerabilities
In this review, it is notable that 100% of exchange and wallet apps still rely on passwords for login, the authentication method with the lowest security and highest friction. While the majority of apps supported MFA to cover that gap, the most common form was an OTP sent over SMS, present in nine of fifteen exchange apps, even though NIST SP 800-63B designates out-of-band authentication over the public telephone network (SMS and voice) as RESTRICTED because the code can be intercepted or redirected (for example, by SIM swapping).
On the friction front, nineteen of twenty-one apps offer biometrics as a password shortcut to reduce friction. Although this shortcut lowers friction, it also opens the door to a malicious login by someone in possession of the phone: covering the phone's camera is enough to make the app fall back to the device passcode, which is a far easier secret for a fraudster to crack than the account password. Whether a failed or cancelled biometric check falls back to the passcode is an app-side choice: on iOS, LAPolicy.deviceOwnerAuthenticationWithBiometrics has no passcode fallback (unlike LAPolicy.deviceOwnerAuthentication), and on Android, BiometricPrompt offers the device PIN or pattern only if the app includes DEVICE_CREDENTIAL in its allowed authenticators.
Location permissions - opportunity to reduce friction
Incognia network data from over 150M devices shows that 90% of logins on fintech apps occur from trusted locations. By asking users for their location, mobile apps can accurately assess the risk of a login, even from a new device, since a user's location behavior stays the same after a phone change. Fourteen of twenty-one apps ask for the user's location on Android and nine of twenty-one on iOS. Every app that already asks for location could leverage it to increase security and lower friction.
Apps can also, quickly and with little effort, raise location permission opt-in rates, so that trusted users who change devices can log in with lower friction without lowering security.
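To make the idea concrete, here is an added Python example of a server-side login check that treats a new device as low-risk only when the login comes from a place the user habitually logs in from. It is illustrative code written for this page, not Incognia's product or any reviewed app's logic; the 500 m trusted radius, the three-login threshold, the greedy clustering, and the sample login history are all constructed assumptions. The edge case the report implies is handled explicitly: with no location permission there is no signal to lower friction on, so a new device still gets the full step-up.

```python
"""Location-aware login risk check (added example, not the report's code)."""
import math

EARTH_RADIUS_M = 6_371_000
TRUSTED_RADIUS_M = 500      # assumption: logins within 500 m of a habitual spot are "the same place"
MIN_LOGINS_TO_TRUST = 3     # assumption: a spot needs >= 3 prior logins before it is trusted


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def trusted_locations(history):
    """Cluster past successful logins into habitual spots.

    history: list of (lat, lon) from successful, non-fraudulent logins.
    Greedy single-pass clustering: a point joins the first cluster whose
    centre lies within TRUSTED_RADIUS_M, otherwise it starts a new cluster.
    Only clusters with at least MIN_LOGINS_TO_TRUST members are returned.
    """
    clusters = []  # each entry: [centre_lat, centre_lon, member_count]
    for lat, lon in history:
        for c in clusters:
            if haversine_m(lat, lon, c[0], c[1]) <= TRUSTED_RADIUS_M:
                # update the running mean of the cluster centre
                c[0] = (c[0] * c[2] + lat) / (c[2] + 1)
                c[1] = (c[1] * c[2] + lon) / (c[2] + 1)
                c[2] += 1
                break
        else:
            clusters.append([lat, lon, 1])
    return [(c[0], c[1]) for c in clusters if c[2] >= MIN_LOGINS_TO_TRUST]


def login_decision(history, new_device, location):
    """Return (decision, reason), where decision is 'allow' or 'step_up'.

    known device, any location    -> allow (password/biometric already cleared)
    new device, trusted location  -> allow, no extra OTP prompt
    new device, unknown location  -> step_up (strong MFA required)
    new device, no location data  -> step_up (nothing to lower friction on)
    """
    if not new_device:
        return "allow", "known device"
    if location is None:
        return "step_up", "new device and no location permission"
    lat, lon = location
    for tlat, tlon in trusted_locations(history):
        if haversine_m(lat, lon, tlat, tlon) <= TRUSTED_RADIUS_M:
            return "allow", "new device but trusted location"
    return "step_up", "new device from an unfamiliar location"


# Constructed sample history: a "home" cluster, an "office" cluster, one stray login.
SAMPLE_HISTORY = [
    (40.7128, -74.0060), (40.7130, -74.0058), (40.7126, -74.0062), (40.7129, -74.0061),  # home
    (40.7580, -73.9855), (40.7582, -73.9853), (40.7579, -73.9857),                       # office
    (34.0522, -118.2437),                                                                 # one-off trip
]

if __name__ == "__main__":
    cases = [
        (False, (0.0, 0.0)),            # known device, location irrelevant
        (True, (40.7127, -74.0059)),    # new device from home
        (True, (34.0522, -118.2437)),   # new device from the one-off spot
        (True, None),                   # new device, location permission denied
    ]
    for new_dev, loc in cases:
        print(new_dev, loc, login_decision(SAMPLE_HISTORY, new_dev, loc))
```

The decision is deliberately coarse: the only lever is whether the new-device login gets the extra step-up, and a location that the user has visited once (the stray trip) is not enough to skip it. A production system would add recency weighting and device-integrity signals, but the structure is the same.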
To read a full review and analysis of the authentication methods and friction for each app, download the full report here.