Device authentication for fighting fraud: when your phone is your new password
Device authentication is an important fraud-fighting tool, but it's not a magic bullet—learn about the methods and potential risks so you can use it properly.
It’s a tale as old as time: you want to have access to your digital accounts, but you don’t want anyone else to have that access. At least, it’s a tale as old as digital accounts.
To enable this, the computers and networks you interact with need a way to determine whether it’s really you attempting to access them. That’s what authentication is. But there are lots of different types of authentication, and some are more secure and resilient to cyberattacks than others. Authenticating yourself can be as complicated as entering a password and two SMS codes, or it can be as simple as using what’s already in the palm of your hand.
What is device authentication?
Device authentication is a security measure that validates the identity of a device trying to connect to a network or system. You might think of it like a virtual ID check that each device must pass before it can interact with a system. This method is often used in tandem with user authentication to provide a second layer of security. For instance, an online banking system might require not only your personal password (user authentication) but also verify that the request is coming from the smartphone you previously enrolled (device authentication) before granting access. This combination makes it far harder for cybercriminals to gain unauthorized entry to your account, even if they manage to steal your password, because they would also need to present (or convincingly imitate) your device.
Sometimes, device authentication is also used as the basis of a passwordless authentication system. This approach is called "trusted device authentication," or sometimes "phone as a token," and it uses your possession of the trusted device, typically proven by a cryptographic key stored on the device and unlocked with its PIN or biometric, as proof of identity in lieu of entering a password.
What are the different methods used for device authentication?
There are several methods of device authentication that aim to ensure secure access to resources. Here are a few examples:
Device fingerprint authentication: Here, software and hardware attributes like the operating system version, installed software, screen resolution, and device model are combined into an identifier for the device. Because every one of these attributes is reported by the device itself and is shared with many other devices, a fingerprint is a probabilistic match rather than a proof of identity.
Token-based authentication: In this method, a token or certificate is provisioned to the device when it first authenticates and presented on subsequent logins, saving time and effort. How much this proves depends on what the device stores: a bearer token (a cookie, say) authenticates whoever holds a copy of it, whereas a certificate whose private key is kept in the device's secure hardware lets the device prove possession by signing a server challenge, without the secret ever leaving the device.
Multi-factor authentication: Sometimes, the access someone has to a physical device can act as an extra factor in addition to another authentication factor such as a password, security question, or biometric input. For example, someone attempting to log in to an account might be prompted to approve the login in an authenticator app on their device or to enter an SMS code sent to their phone in order to gain full access. Not all device factors are equal: an SMS code proves control of a phone number, which an attacker can hijack through SIM swapping, while an authenticator app or a device-bound key proves control of the device itself.
Each of these methods has its own advantages and potential drawbacks, and many systems use a combination of these methods to provide multi-layered security.
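As an added example (not code from the original article), here is a minimal challenge-response flow in Python showing what token-based device authentication buys you when the credential is bound to the device rather than passed around as a bearer token. It uses a per-device HMAC secret as a stand-in for a private key in the phone's secure hardware; DeviceAuthServer, the device names, the sample attacks in demo() and the 60-second challenge window are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a server-side registry of enrolled devices plus a
# challenge-response login. The per-device secret here stands in for a
# private key kept in the device's secure hardware; a real deployment would
# provision an asymmetric key or certificate so the server never holds the
# device's secret. All names and the 60-second window are illustrative.

CHALLENGE_TTL = 60  # seconds a challenge remains valid


def sign_challenge(device_secret: bytes, device_id: str, nonce: str) -> str:
    """What the device computes: a MAC over its identity and the fresh nonce.
    The secret itself is never sent, so a captured response reveals nothing."""
    message = f"{device_id}|{nonce}".encode()
    return hmac.new(device_secret, message, hashlib.sha256).hexdigest()


class DeviceAuthServer:
    def __init__(self):
        self.devices = {}     # device_id -> secret provisioned at enrollment
        self.challenges = {}  # outstanding nonce -> (device_id, issued_at)

    def enroll(self, device_id: str) -> bytes:
        """First authentication: provision a device-bound secret and record it."""
        device_secret = secrets.token_bytes(32)
        self.devices[device_id] = device_secret
        return device_secret

    def issue_challenge(self, device_id: str, now=None) -> str:
        """Hand the device a single-use random nonce bound to its identity."""
        if device_id not in self.devices:
            raise KeyError(f"device {device_id!r} is not enrolled")
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = (device_id, time.time() if now is None else now)
        return nonce

    def verify(self, device_id: str, nonce: str, response: str, now=None) -> bool:
        """Accept a login only if the response matches a live, unused challenge."""
        now = time.time() if now is None else now
        # pop() makes every nonce single-use: replaying a captured response fails.
        entry = self.challenges.pop(nonce, None)
        if entry is None:
            return False
        bound_id, issued_at = entry
        if bound_id != device_id or now - issued_at > CHALLENGE_TTL:
            return False  # nonce issued to another device, or expired
        expected = sign_challenge(self.devices[device_id], device_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    """Constructed flow: one legitimate login and three attacks that must fail."""
    server = DeviceAuthServer()
    phone_secret = server.enroll("phone-1")

    nonce = server.issue_challenge("phone-1")
    response = sign_challenge(phone_secret, "phone-1", nonce)
    legit = server.verify("phone-1", nonce, response)

    # Attacker captured the response and sends it again (the bearer-token failure mode).
    replay = server.verify("phone-1", nonce, response)

    # Attacker knows the device ID but not the device-bound secret.
    nonce2 = server.issue_challenge("phone-1")
    forged = server.verify("phone-1", nonce2, sign_challenge(b"guess", "phone-1", nonce2))

    # Correct response, but to a challenge that was issued long ago.
    nonce3 = server.issue_challenge("phone-1", now=0.0)
    stale = server.verify("phone-1", nonce3,
                          sign_challenge(phone_secret, "phone-1", nonce3),
                          now=CHALLENGE_TTL + 1.0)

    return {"legit": legit, "replay": replay, "forged": forged, "stale": stale}
```

Run demo() and only the legitimate login succeeds: the replay fails because each nonce is consumed on first use, the forgery fails because the attacker never held the device secret, and the stale response fails the freshness check. With a real device-bound key the server would store only the public key and verify a signature in place of the HMAC, which is what makes the scheme phishing-resistant: nothing on the server is worth stealing.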
How does device fraud happen?
Device fraud occurs when cybercriminals manipulate, counterfeit, or otherwise illegitimately use a device in an attempt to deceive systems or gain unauthorized access to data, accounts, or networks. There are multiple ways this type of fraud can occur:
Device ID spoofing: This is where a fraudster alters the unique identifier a device reports to mask its identity. It allows them to present the same device as a brand new one, so they can open and abuse many accounts on a platform without those accounts ever being linked to a single device.
Manipulating device attributes: In device fingerprinting, combinations of attributes like installed software, operating system, screen resolution, device ID, and device model are combined into a picture of that device's identity. Fraudsters might manipulate these attributes strategically in order to break the match between sessions, so the same device is not recognized across accounts and they can commit fraud without consequences.
App cloners, tampering tools, rooted devices, and more: Fraudsters can also modify their devices or install software on them that makes them uniquely dangerous or high-risk. For example, a rooted device lets its user do things the platform would normally prevent, such as feeding fake location data to apps or rewriting the identifiers the device reports. Other fraud tools like app cloners (which run several copies of the same app, each appearing as a separate install) and app tampering tools (which patch an app's behavior at runtime) can likewise turn a normal device into a fraud machine.
Understanding these fraudulent tactics is essential to developing robust device authentication systems and practices that adequately guard against device fraud.
Is device ID right for security?
With the device fraud attack vectors mentioned above, it's important to consider whether device ID should continue to be used on its own for security purposes. That's not to say that device ID no longer has any use for authentication or account security. But by itself, it may not be strong enough to stand up against today's attackers and needs to be combined with other signals in order to be effective.
In a previous post about device fingerprinting, we discussed how device fingerprinting, when used alone, has some vulnerabilities in today's tech and fraud landscape. For example, the average American today owns something like sixteen connected devices, far more per person than was common ten years ago, so a legitimate user now shows up on many different fingerprints and an unrecognized device is, by itself, a weak signal of fraud.
Additionally, today’s fraudsters are much more sophisticated. They’ve had two decades to study the digital landscape and learn its various fraud opportunities, and that means they’ve also had time to develop plenty of workarounds for manipulating their device fingerprints and IDs.
Device intelligence and device integrity checks are strongest today when paired with another signal, such as location, to fill in the tamper-resistance gaps. For example, Incognia’s solution uses a combination of precise location and device intelligence to persistently identify devices even after attribute manipulation or factory resets.
Device authentication is one tool of many in the fraud fighter’s toolkit, but it's not a magic bullet—understanding the methods and potential risks is key to ensuring robust security. Device ID has its utility but may falter under the weight of sophisticated cyberattacks if used alone. It's all about finding the right mix of security measures, adapting to evolving threats, and continually striving to enhance digital safety and account security.