Cross Device Authentication: Verify the Right Person in the Right Place
Step-up challenges like push notifications and SMS were built to confirm user identity — but social engineering turns that confirmation against you. Incognia's Cross Device Authentication adds physical location validation to the moment of authorization, verifying that the device approving a challenge and the web session requesting access are actually in the same place. The result is a step-up layer that social engineering cannot bypass, with no additional friction for the user and no changes to existing authentication flows.
Web account takeover is not usually a technical problem.
The password didn't get cracked, and the authentication system didn't fail. A real person, using a real device, approved access they didn't mean to grant.
With Incognia’s Cross Device Authentication, platforms can verify not just that someone approved a high-risk web session, but that the right person, in the right place, did it.
The attack didn’t break the system, it used it
Most account takeover on the web follows the same playbook.
A fraudster sends a phishing message—an email, a text, something that looks legitimate enough. The victim clicks a link or responds to what looks like a routine verification request and, without realizing it, leaks their own password or directly authorizes someone else's session.
The authentication system did exactly what it was supposed to do. A user received a challenge, responded, and access was granted.
Step-up challenges, like push notifications, QR codes, email links, and SMS, were designed to harden exactly these moments. They add a second layer of verification when the stakes are highest. And they work.
The problem is that a user who has already been manipulated will approve them too, and the step-up layer that was meant to stop the attack ends up completing it. The authentication flows aren't broken. The threat has evolved around them.
The missing layer to step-up challenges
Every step-up challenge is intentional friction that validates user consent: is this really you?
And when a user is socially engineered into approving someone else’s session, the answer is yes, it really is them. And that’s the problem.
The challenge can’t distinguish between a user who understands what they’re approving and a user who has been coerced or deceived into it.
No part of the process is looking at the one signal that would actually catch it: whether the approving device and the session being approved are in the same place.
Location validation is the signal that changes the equation.
No solution can predict intent—but when a user can't physically be in two places at once, distance between device and session is a concrete risk signal.
If you can verify, at the moment of authorization, that the device approving the challenge and the browser requesting access are actually in the same place, you catch the attack that standard verification misses. Same step-up flow, same user experience, one additional layer of physical context that social engineering cannot fake.
That's what Cross Device Authentication adds.
How location validation works
At the moment a step-up challenge is approved—regardless of the channel that delivered it—Incognia captures the Browser ID from the web session and the request token from the mobile SDK simultaneously.
And all the user has to do is open the mobile app. No OTP code, no facial recognition, no additional action required. Everything else happens silently in the background.
Location validation runs across multiple signals:
- Network comparison checks whether both devices are on the same network, which is a strong indicator of shared physical location.
- When that's not conclusive, Incognia's proprietary IP-to-location mapping takes over: built from behavioral data across millions of mobile devices in our network, it estimates the physical location of the web session without relying on browser location permissions. That estimate is compared against the GPS-verified location from the mobile device, and based on the distance between the two, the assessment is classified as either low or high risk.
This check sits inside the platform's existing Incognia policy, alongside the full depth of mobile risk signals already in play: device integrity, behavioral patterns, account history. It adds the physical context that was previously missing without replacing anything that's already there.
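The decision logic described above, written out as an added illustration that is not Incognia's code and does not use Incognia's API. It assumes a hypothetical `assess_cross_device` function, a constructed IP-to-location table standing in for the proprietary mapping, a 5 km "same place" threshold (the post gives no threshold; this value is an assumption), and the example's own choice to fail closed to high risk when no location estimate is available:

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for Incognia's proprietary IP-to-location mapping.
# The real mapping is built from mobile network data and is not public;
# these coordinates are sample values for illustration only.
IP_TO_LOCATION = {
    "198.51.100.10": (40.7128, -74.0060),  # constructed: New York
    "203.0.113.42": (51.5074, -0.1278),    # constructed: London
}

# Maximum distance (km) at which session and device still count as "same place".
# Assumption for this example; the post does not state Incognia's threshold.
SAME_PLACE_MAX_KM = 5.0


@dataclass
class WebSession:
    browser_id: str   # Browser ID captured from the web session
    ip: str           # public IP the browser request arrived from
    network_id: str   # identifier of the network the browser is on (hypothetical)


@dataclass
class MobileDevice:
    request_token: str           # request token captured from the mobile SDK
    network_id: str              # identifier of the network the device is on
    gps: Tuple[float, float]     # GPS-verified (latitude, longitude)


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def estimate_web_location(ip: str) -> Optional[Tuple[float, float]]:
    """Estimate the web session's location from its IP (constructed table lookup)."""
    return IP_TO_LOCATION.get(ip)


def assess_cross_device(session: WebSession, device: MobileDevice):
    """Return (risk, reason, distance_km) for a step-up approval.

    Step 1: network comparison. Same network is treated as conclusive.
    Step 2: otherwise estimate the web session's location from its IP and
            compare it with the device's GPS position by distance.
    """
    if session.network_id == device.network_id:
        return ("low", "same_network", 0.0)

    estimate = estimate_web_location(session.ip)
    if estimate is None:
        # Fail closed when no estimate exists (this example's own choice).
        return ("high", "no_location_estimate", None)

    distance = haversine_km(estimate, device.gps)
    if distance <= SAME_PLACE_MAX_KM:
        return ("low", "within_distance", distance)
    return ("high", "distance_exceeded", distance)


if __name__ == "__main__":
    # Constructed scenarios: a victim's phone in New York approving a challenge
    # for (a) their own browser at home, (b) their own browser on a different
    # network nearby, and (c) a session opened from a different city.
    phone = MobileDevice("tok-1", "home-net", (40.7128, -74.0060))
    for label, sess in [
        ("own browser, same network", WebSession("b-1", "198.51.100.10", "home-net")),
        ("own browser, nearby", WebSession("b-2", "198.51.100.10", "cafe-net")),
        ("remote session", WebSession("b-3", "203.0.113.42", "other-net")),
        ("unmapped IP", WebSession("b-4", "192.0.2.99", "other-net")),
    ]:
        print(label, assess_cross_device(sess, phone))
```

The ordering matters: the network check short-circuits before any geolocation is attempted, matching the post's description that IP-to-location mapping is only consulted when the network comparison is not conclusive, and the distance branch is the one that separates an approving device from a session the user never opened.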
The location intelligence powering this comes from Incognia's proprietary mobile network. That data took years to build across millions of devices. It isn't available anywhere else.
Platforms can protect what they couldn't before
Step-up challenges were built to confirm identity. Cross Device Authentication addresses the next question: is the person who just confirmed their identity in the same place as the session they're authorizing?
For financial institutions, that means a step-up layer that social engineering cannot bypass — protecting the high-value web moments where account takeover is most costly.
For marketplaces enforcing geographic eligibility, it means a location check that VPNs and browser manipulation can't defeat, since the estimate comes from a proprietary mobile network rather than browser-reported signals.
For any platform that already triggers step-up challenges at login, large transfers, password changes, or access to sensitive data, it means a signal that finally answers the question those challenges were never designed to ask. You authenticated the user. Now you can verify the moment.
Physical location, actionable at scale
Step-up challenges are already standard practice. What hasn't kept pace is the verification behind them—specifically, whether it can detect the manipulation that happens before a challenge is even delivered.
Phishing and social engineering aren't new attack vectors. What's new is the ability to verify, in real time, that the device approving a step-up challenge and the browser requesting access are actually in the same place—without requiring browser permissions and without asking platforms to replace the flows they already have.
The physical separation between an attacker's web session and a victim's mobile device has always been there as a signal. Cross Device Authentication makes it actionable.
The first production deployment is live with a major financial institution, and more are underway across financial services and marketplace platforms.