Company Blog | Incognia

Mobile Authentication - Security and Friction Rankings

Written by Paula Skokowski | July 8, 2021 at 4:05 PM

With the increasing adoption of mobile, fraudsters are exploiting weaknesses in mobile authentication methods, including passwords, OTP over SMS, and biometrics, with the goal of account takeover. And this is where the tug of war between security and friction begins in mobile app design. The risk of fraudsters and cybercriminals accessing user accounts on mobile has led to an increasing focus on security controls, which unfortunately are also keeping legitimate customers out.

Understanding the relative security and friction of the different mobile authentication methods, and their role in multi-factor, passwordless, and zero factor authentication, is an important consideration in mobile app design. When security adds friction and slows down access to information and mobile services, the result is increased abandonment rates and lower conversion rates. This is why minimizing friction is the #1 concern for delivering a superior user experience on mobile.

The choices for mobile authentication today extend way beyond passwords to include use of authenticator apps, one-time passwords, mobile push, security keys, recognition signals and various forms of biometrics and behavioral biometric-based authentication.

Given all the choices, not all authentication factors are created equal. They vary in the strength of their authentication and also in their associated friction for the user. Understanding the relative security and friction for the variety of authentication options is important for optimizing security and friction for mobile users.

Mobile Authentication factors comparison

The following table shows a list of choices for authentication and how they rank for both security and friction. In reviewing the authentication options it is evident that authentication factors rank differently for security and friction.

No authentication solution offers both the strongest security and the least friction. The good news is that, because multi-factor authentication (MFA) requires two or more authentication factors, it is possible to combine authentication factors to get the optimum balance of security and friction.

Combining MFA with risk-based authentication offers the opportunity to provide an initial low-friction authentication option to users and only invoke higher-security, higher-friction authentication methods for high-risk logins or sensitive transactions. This leads us to Incognia's top picks for a risk-based approach to mobile authentication.

Top picks for mobile authentication

  • Low-Risk Authentication: Recognition Signals
  • High-Risk Authentication: Mobile Push

To learn more about the different types of mobile authentication options, and recommendations for the best authentication choices for minimizing friction for low-risk logins and increasing security for high-risk transactions on mobile - download the full report: Mobile Authentication - From Passwordless to Frictionless.