How should location fit into a risk based authentication strategy?

90% of legitimate logins happen at Trusted Locations, making location the strongest trust signal on mobile

Mobile authentication is challenging because it often forces app developers to choose between security and user experience. Today, most fraudulent transactions originate on mobile devices, but at the same time, mobile users are much more likely to abandon apps due to friction.

On mobile, making use of device, network and location data, can contribute directly to reducing friction during the authentication process, and detecting account takeover with ease. For example, working with Fintech customers we have seen more than 90% of logins to financial services Apps happen from a Trusted Location, a place that is frequently visited by the user like home or work. Understanding the user context makes it possible to to adjust authentication requirements based on associated risk levels, balancing fraud detection with user experience.

So how can we build secure and frictionless risk based authentication solutions for mobile apps making use of location and device intelligence to understand user context?

Step 1: Identify the user's context

On mobile, the user's context can be identified by leveraging the data collected from the user's session, including device, network and location data. 

[banner_1]

Device

Identifying the user's mobile device is the first important step in identifying the user’s context.  A known device with good history is the first sign of trust. One challenge with device intelligence is that fraudsters are increasingly using tools and techniques, such as mobile emulators, to mimic devices. To be effective a fraud detection system should be able to detect mobile emulation and other device manipulation techniques.

Network

Network data is another type of data relevant to a user’s context. If the user is on a mobile network, the phone number can be frictionlessly verified using data provided by phone number intelligence companies, and if the user is on wi-fi, fraudulent activities can be mapped to specific networks. 

Location

Finally, the mobile device’s location data should be used to identify if the user’s current location is part of their normal behavior pattern. IP data is the least precise form of location data but can be sufficient depending on the use case. GPS, when available, is more effective. The main issue with IP location and GPS is that fraudsters use tools like VPNs, proxies, GPS spoofing apps, and mobile emulators to fake their location easily.

While there are other relevant data, these three categories of context data: device, network and location data, provide the strongest signals for mobile authentication.

Step 2: Define levels of risk based on the context data

Each category of user context data should be weighted dynamically as you verify each data’s efficiency at identifying legitimate customers from fraudsters. Here are some examples of different risk weighting combinations:

Risk Level Device Location  Network
Low Known Trusted

Known wi-fi 

Medium Known Unknown

Known mobile 

High New Unknown Not on wi-fi
High Known Unknown Malicious

Step 3: Weigh the level of contextual risk with the level of transaction risk.

Now it's time to weigh the risk related to the transaction. This should be based on the financial and reputation risk of each transaction.

Examples of transactions that should be weighted differently:

Risk Level Transaction
High Money transfer or payment
High

Password change

Medium

Adding a credit card

Medium

Adding a payee

High

Withdrawal from savings account

Low

Checking account balance

Step 4: Define the level of friction introduced for each risk level

Once each variable has been weighted, it’s time to consider the  different levels of friction appropriate for each risk level. Keeping friction low is essential. A bad review in the App store or Reddit could be more damaging than fraud’s direct financial costs.

Risk Level Amount of Friction Type of Authentication
Low Frictionless authentication Standard device authentication
Medium  Full authentication

PIN, passwords, 2FA, biometrics

High Block device Contact support

Step 5: Measure and optimize with context data

After implementing the first version of weighting for the context data, you should continuously monitor the results and adapt accordingly. Every business is different and attracts different types of users and fraudsters. Your weighting should be based on the level of risk and friction, as well as the precision of the solution and its cost.

Fraudsters are continually retooling and changing their techniques. Any fraud prevention solution needs to evolve similarly to detect emulator attacks, location spoofing, SIM swaps, BOTs, and other evolving techniques. Attackers constantly improve and add to their toolkits, and fraud prevention solution providers, like Incognia, need to improve their defenses continually. It's a never-ending war against fraudsters, but we’ve got your back.


To learn more about risk-based authentication using Incognia read more here>>

Most recent

What lies beneath a highly precise fraud risk assessment?

Learn how location behavior and device intelligence power Incognia's risk assessment model

Could OTP security get any worse? Yes. Bots.

Bots are being used to automate the theft of one time passwords OTPs for account takeover (ATO) on mobile.

Why Incognia when considering behavioral biometrics

Location behavior offers a compelling authentication signal for banking and financial services