Incognia introduces Location-based Device Authorization Solution
Establishing trust in new devices and removing friction for trusted customers
Today we announced a new identity fraud detection module to address device change, which for most apps is the highest-friction, highest-risk part of the user journey. The new Incognia solution, called Location-based Device Authorization, leverages location signals directly from the user’s device and addresses the challenge of establishing trust in new devices without adding friction for trusted users.
Distinguishing between trusted customers and fraudsters
Authenticating a new device to a known account is a challenge because the event may be either an attacker attempting account takeover (ATO) or a legitimate user who simply bought a new phone and is attempting to access their account for the first time from their new device.
Traditional device fingerprinting solutions are of no use in detecting fraud for a new device because they have no information on the device. Because of the difficulty of distinguishing a legitimate new device from a fraudulent one, most apps have been forced to require all users to complete multi-factor authentication (MFA). This MFA is most commonly performed via OTP over SMS, which is one of the weakest forms of MFA and creates a high-friction experience for all users, legitimate or fraudulent.
How frequently does device change happen?
The average lifespan (replacement cycle length) of smartphones in the United States is about 2.5 years [1]. On the surface, legitimate device changes may be viewed as “low frequency” user events. However, it is estimated that more than 151M devices are changed in the US every year [2]. Given that the number of mobile users in the US is about 300M [3], this translates to approximately 50% of trusted users changing their devices every year, so device change scenarios need to be managed carefully by mobile app operators.
Using location behavior to recognize trusted users
Going beyond traditional device fingerprinting solutions, Incognia Location-based Device Authorization analyzes both device integrity and device location behavior to deliver a highly accurate risk score.
- Location Behavior: Incognia checks the consistency of the location behavior between the new device and former devices, and whether the login is occurring from a trusted location for that user.
- Device Integrity: Incognia checks device characteristics, including the presence of emulators, rooted or jailbroken devices, and the use of location spoofing techniques.
- Account Access: Incognia checks the association between devices, re-installations and accounts to assess whether the same device is being used across multiple accounts or an account is being accessed by multiple devices.
- Watchlists: Incognia maintains Watchlists of devices and locations that have previously been associated with fraud, based on its network of over 200 million devices.
Incognia Location-based Device Authorization is enabled via the same mobile SDK and APIs used by the other Incognia fraud detection modules, and works on both iOS and Android devices. Data collected by the SDK is anonymized with hash and encryption techniques, and Incognia adheres to privacy by design guidelines.
To learn more about location-based device authorization please read the Solution Brief and view our online resources library.