What is zero-factor authentication? Featured Image

What is zero-factor authentication?

The role of zero-factor authentication in delivering passwordless authentication on mobile

Interest in passwordless authentication is growing due to increasing user impatience with passwords, and the growing UX and security costs associated with this outdated type of authentication. For companies looking to adopt passwordless authentication, there are several approaches. For mobile, zero-factor authentication delivers not only a passwordless authentication experience but also a frictionless authentication experience for mobile users. 

The trouble with passwords

Passwords were first utilized in computing in the ’60s and since then have become the main authentication factor for online services. However, today passwords are no longer secure and are not the most user-friendly, creating significant friction in the user experience.

The UX cost of passwords

  • customer drop-off costs: customers often quit an App when they encounter friction
  • contact center costs: customers having trouble authenticating or resetting their passwords need to contact support for help
  • software costs: managing and paying for multiple authentication factors can be costly

The security cost of passwords

  • financial loss: having to reimburse customers that had their accounts hacked or deal with chargebacks
  • reputation damage: angry customers posting on social media about the security flaws of the application


The authentication alternatives to passwords

Because of the security vulnerabilities of passwords, multiple new types of authentication methods have been introduced, including one-time passcodes (OTPs), biometric authentication, and security keys. To increase security these additional authentication factors are typically used in conjunction with passwords for multi-factor authentication (MFA), which increases friction even more. Offering a seamless customer experience is today one of the main differentiators of online businesses, yet security and risk management leaders, by increasing security, are unfortunately adding friction for legitimate users.

To fix the problem, many companies are looking to adopt passwordless authentication strategies using one of the three approaches outlined by Gartner in its report entitled “Passwordless Authentication Is Here and There, but Not Everywhere”:

  • Single Factor: Simply replacing a legacy password as the sole authentication factor.
  • Multi-Factor: Replacing a legacy password as one factor in MFA, creating passwordless MFA.
  • Zero-Factor: Using network, location, and device signals to recognize users. 

The defining quality of zero-factor authentication is that no action is required from the user, it is based on recognition signals that work silently in the background. This is undoubtedly the best an application can get in terms of user experience for authentication. 

To achieve zero-factor authentication, there are two approaches:

  • Using the rule-based evaluation of network, location, and device signals.
  • Using multiple familiarity signals, including passive behavioral biometrics, to increase trust in online identity.

If an anomaly is detected via zero factor authentication then the application should invoke additional authentication steps, preferably passwordless MFA to ensure both protection of accounts and delivery of a good user experience. 

The components of zero-factor authentication

Network signals

Network signals refer to analyzing data such as the IP address, WiFi connection and Phone number to identify any positive or negative history associated with that particular account or other accounts. For example, if a WiFI connection was previously associated with an account takeover attack, it is a substantial risk signal when it shows up in a new transaction. On the other hand, if a legitimate user frequently uses a particular WiFi connection, the next time there is activity relating that account to that WiFi connection it can be used as a trust signal. As network activity can be very dynamic and easily manipulated by users and fraudsters, it is a signal that cannot be relied on solely but needs to be used in combination with others.

Device signals

Device fingerprinting is the most commonly used method to identify a device and evaluate its trustworthiness. In summary, the technique consists of collecting hardware and software information for identification. However, the approach has been recently affected by new privacy policies implemented by the browsers and operating systems, making traditional techniques less precise and reliable. Because of this,  it is a signal that has to be used in combination with others.

Location signals

Location signals include data such as the IP location, GPS, Wifi scans, Bluetooth scans, and Cell-tower scans. An important consideration is that today location spoofing using VPNs, proxies, fake GPS Apps, and emulators is prevalent (more details can be found in this blog post about location spoofing - Five ways Fraudsters Spoof Location). Assuming there is good location spoofing detection technology in place, location signals can help identify if the user is at a familiar place or region and can be used as a trust signal. Additionally, specific locations can be flagged as suspicious based on historical fraud activity and used as a risk signal. 

The precision of the location data defines the strength of the signal for both trust and fraud detection. For example, if the location data is sufficiently precise to be able to identify a specific “place” or location, Apps can identify if the user is in a trusted environment such as the home, office, or other frequently visited trusted location. In a study conducted by Incognia that analyzed data from financial services Apps, 90% of the legitimate sessions and 95% of the legitimate sensitive transactions happen from trusted locations, which means that there is a possibility to implement zero-factor authentication for the vast majority of the cases. For fraud detection, precision is also relevant. By identifying the exact place from which fraud originates, companies can block that specific location without impacting consumers’ user experience that lives or stay nearby, avoiding false positives.

To implement zero factor authentication with confidence, Apps have to make sure they have good location spoofing detection, strong device fingerprinting and access to a large volume of historical data about the reputation of devices, locations and networks.

At Incognia, we combine precise location with place-level accuracy, device and network signals to deliver a zero-factor authentication experience for mobile. 80-95% of users opt-in for zero-factor authentication on financial services apps, with users eager to experience less friction and increased security. 

We published a recent case study of the results Will Bank, a challenger bank, achieved using Incognia, zero factor authentication, including friction-free login for 93% of the logins while reducing fraud losses by more than 90%. Of most interest for fraud prevention, is that with Incognia approving hundreds of millions of logins, the users who had location services turned on, experienced zero account takeover fraud.

Zero factor, zero friction.