Introducing Location 2FA: The Second Factor That Can't Be Phished
Two-factor authentication was supposed to fix the password problem.
SMS codes get intercepted. OTPs get phished at scale through real-time proxy kits. Push notifications trigger fatigue attacks that eventually break through when a user taps approve out of reflex. The friction keeps going up, and fraud keeps finding a way through.
The reason is simple. Every traditional second factor relies on something the user has to do: receive a code, open an app, or approve a prompt. And anything a user can be tricked into doing, an attacker can eventually weaponize.
Today, we're launching Location 2FA, a second factor grounded in something an attacker cannot replicate at scale: the user's physical presence in a place they trust.
How it works
Location 2FA verifies that a login, transaction, or high-risk action is happening from a location the app developer has defined as trusted for that user. No code to enter, no prompt to approve, no app to open. The check runs silently against Incognia's physical trust layer, which has spent years building a persistent understanding of where each device actually lives in the real world.
App developers have full control over what trusted means in their environment.
Location 2FA supports three configuration modes that can be used independently or in combination.
The first is automatic trusted locations. Incognia continuously maintains a dynamic list of the locations a user visits most frequently, updated as behavior evolves. Users move, change jobs, travel. Their trusted locations should move with them, without requiring manual updates or a support ticket.
The second is manual trusted locations. App developers can designate places like home or work, or they can define automatic thresholds based on visit frequency and time spent. A location that a device returns to consistently over weeks or months carries a different weight than a place visited once.
The third is proximity thresholds. App developers configure the radius that defines inside versus near a trusted zone, tuned to the risk profile of each action. A routine login might pass with a wider radius. A high-value transaction might require the user to be within a tighter perimeter or only inside a trusted location.
Why location is the right second factor for this era
Credentials can be stolen. Devices can be spoofed. SMS can be hijacked. Sessions can be replayed. What cannot be faked at scale is being in the right place at the right time.
This is the same principle that underpins every signal Incognia has built. Physical presence is the one dimension of identity that resists remote attack, and it becomes even more important as AI agents take on more of the actions that used to require a human at a keyboard. When a login comes from a device claiming to be yours, running in a data center halfway around the world, location is what tells you the claim is false.
Location 2FA makes that signal directly actionable inside customer authentication flows. It lets risk and fraud teams replace brittle second factors with a check that happens in the background, adds no friction for legitimate users, and closes the door on the phishing kits and fatigue attacks that have made traditional 2FA increasingly unreliable.
From two factors to zero
The same signals that make Location 2FA work also make its opposite possible. When a trusted device shows up at a trusted location, both factors of classic two-factor authentication have already been satisfied before the user does anything. Something you have (the recognized device) and somewhere you are (the trusted place) are both verified silently, in the background, at the moment the request arrives.
That inverts the traditional trade-off. Stronger authentication has always meant more friction. Pairing Incognia's device ID with Location 2FA makes it possible for the highest-confidence scenarios to carry the lowest friction: a legitimate user on their own phone, at their own home or office, logs in and transacts with no prompts, no codes, and nothing to open.
Risk teams stay in control of where this applies. Routine logins and low-risk actions can pass silently. Password changes, high-value transfers, or sessions from unfamiliar devices still route through an explicit second factor. The result is authentication calibrated to risk rather than applied uniformly.
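The proximity thresholds and risk-calibrated routing described above can be expressed as a server-side policy check. This is an added example, not Incognia's code or API: the action names, radii, coordinates and the decide function are hypothetical, and it assumes the device verdict and position come from an already-verified signal rather than raw client-supplied coordinates.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

# Hypothetical policy: maximum distance in metres from a trusted location
# per action. None means the action always needs an explicit second factor.
ACTION_RADIUS_M = {
    "login": 500.0,               # routine action, wider radius
    "transfer_high_value": 50.0,  # tighter perimeter
    "password_change": None,      # never passes silently
}

@dataclass(frozen=True)
class TrustedLocation:
    label: str
    lat: float
    lon: float

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def decide(action, device_recognized, lat, lon, accuracy_m, trusted):
    """Return "silent" or "step_up" for one request.

    Fails closed: unknown actions, unrecognized devices and fixes whose
    uncertainty could place the device outside the radius all step up.
    """
    radius = ACTION_RADIUS_M.get(action)
    if radius is None or not device_recognized:
        return "step_up"
    for loc in trusted:
        # Count the reported accuracy against the request, not in its favour.
        if haversine_m(lat, lon, loc.lat, loc.lon) + accuracy_m <= radius:
            return "silent"
    return "step_up"

# Constructed sample data.
HOME = TrustedLocation("home", 40.0, -75.0)

if __name__ == "__main__":
    print(decide("login", True, 40.003, -75.0, 10.0, [HOME]))                # silent
    print(decide("transfer_high_value", True, 40.003, -75.0, 10.0, [HOME]))  # step_up
```

Adding the reported accuracy to the measured distance means a coarse fix near the edge of a zone is treated as outside it, which is the conservative choice for the tighter high-value radius.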
Available now
Location 2FA is available today to all Incognia customers and can be integrated into existing authentication flows through our standard SDK and API. Customers already using Incognia for transaction risk or account takeover prevention can enable Location 2FA with no additional integration work.
If you are rethinking your second factor strategy, we would like to talk. Reach out to your Incognia contact, or get in touch through our website.