How should location fit into a risk based authentication strategy?
90% of legitimate logins happen at Trusted Locations, making location the strongest trust signal on mobile
Mobile authentication is challenging because it often forces app developers to choose between security and user experience. Today, most fraudulent transactions originate on mobile devices, but at the same time, mobile users are much more likely to abandon apps due to friction.
On mobile, making use of device, network and location data, can contribute directly to reducing friction during the authentication process, and detecting account takeover with ease. For example, working with Fintech customers we have seen more than 90% of logins to financial services Apps happen from a Trusted Location, a place that is frequently visited by the user like home or work. Understanding the user context makes it possible to to adjust authentication requirements based on associated risk levels, balancing fraud detection with user experience.
So how can we build secure and frictionless risk based authentication solutions for mobile apps making use of location and device intelligence to understand user context?
Step 1: Identify the user's context
On mobile, the user's context can be identified by leveraging the data collected from the user's session, including device, network and location data.
Identifying the user's mobile device is the first important step in identifying the user’s context. A known device with good history is the first sign of trust. One challenge with device intelligence is that fraudsters are increasingly using tools and techniques, such as mobile emulators, to mimic devices. To be effective a fraud detection system should be able to detect mobile emulation and other device manipulation techniques.
Network data is another type of data relevant to a user’s context. If the user is on a mobile network, the phone number can be frictionlessly verified using data provided by phone number intelligence companies, and if the user is on wi-fi, fraudulent activities can be mapped to specific networks.
Finally, the mobile device’s location data should be used to identify if the user’s current location is part of their normal behavior pattern. IP data is the least precise form of location data but can be sufficient depending on the use case. GPS, when available, is more effective. The main issue with IP location and GPS is that fraudsters use tools like VPNs, proxies, GPS spoofing apps, and mobile emulators to fake their location easily.
While there are other relevant data, these three categories of context data: device, network and location data, provide the strongest signals for mobile authentication.
Step 2: Define levels of risk based on the context data
Each category of user context data should be weighted dynamically as you verify each data’s efficiency at identifying legitimate customers from fraudsters. Here are some examples of different risk weighting combinations:
|High||New||Unknown||Not on wi-fi|
Step 3: Weigh the level of contextual risk with the level of transaction risk.
Now it's time to weigh the risk related to the transaction. This should be based on the financial and reputation risk of each transaction.
Examples of transactions that should be weighted differently:
|High||Money transfer or payment|
Adding a credit card
Adding a payee
Withdrawal from savings account
Checking account balance
Step 4: Define the level of friction introduced for each risk level
Once each variable has been weighted, it’s time to consider the different levels of friction appropriate for each risk level. Keeping friction low is essential. A bad review in the App store or Reddit could be more damaging than fraud’s direct financial costs.
|Risk Level||Amount of Friction||Type of Authentication|
|Low||Frictionless authentication||Standard device authentication|
PIN, passwords, 2FA, biometrics
|High||Block device||Contact support|
Step 5: Measure and optimize with context data
After implementing the first version of weighting for the context data, you should continuously monitor the results and adapt accordingly. Every business is different and attracts different types of users and fraudsters. Your weighting should be based on the level of risk and friction, as well as the precision of the solution and its cost.
Fraudsters are continually retooling and changing their techniques. Any fraud prevention solution needs to evolve similarly to detect emulator attacks, location spoofing, SIM swaps, BOTs, and other evolving techniques. Attackers constantly improve and add to their toolkits, and fraud prevention solution providers, like Incognia, need to improve their defenses continually. It's a never-ending war against fraudsters, but we’ve got your back.
To learn more about risk-based authentication using Incognia read more here>>