Incognia Study Measures Device Change Friction for Financial Apps

Changing your smartphone isn’t a crime, yet users are penalized with high friction when switching devices

Palo Alto, CA -- September 21, 2021 -- Mobile authentication pioneer Incognia, today announced the publication of the Incognia Device Change Mobile App Friction Report, for 2021, which highlights results from their most recent study focusing on the level of friction introduced when users login from a new device. The study was conducted to understand how banking, financial services, and investing/trading mobile apps engage authentication methods to protect logins from a new device. The report reviewed 24 of the leading mobile apps from major fintechs and banks including E-Trade, Klover, Acorns, Current, Robinhood, Ally Bank, CapitalOne, TD Ameritrade, Chime, and more.

Changing devices is a regular, routine consumer activity, and with the release of the new iPhone 13 many users will be changing out their smartphones. Current smartphone owners were responsible for the purchase of 96% of smartphones sold in the US in 2020. However, authenticating a newly acquired device with a user’s apps is not a trivial task. The average person has around 40 apps installed on their phone, so it can be a daunting task for users to authenticate a new device with all their apps. Additionally, with account takeover attacks (ATO) representing more than 50% of all fraudulent transactions in 2020, financial institutions must work to keep users safe.

Every time a new unknown device tries to access an already existing account, financial institutions should be on guard to protect account owners against a mobile ATO. The most prominent ways for bad actors to commit ATO are social engineering, Smishing (SMS phishing) and SIM Swaps. The main defense to protect users and institutions against ATO is authentication at login. Most mobile apps introduce multi-factor authentication (MFA) methods when a new mobile device is used for logging into an account.

The Incognia Mobile App Friction study found that logging into an app from a new device took almost a minute on average (53 seconds) to complete authentication. The majority of apps, 18 out of the 24 apps tested, currently support one time passwords (OTP) over SMS for authentication when a new mobile device is added to a mobile account, despite NIST designating OTP over SMS as a restricted form of authentication because of security concerns.

“Most account takeover attacks are now a result of social engineering, phishing and SIM swaps but still, most Apps are using SMS as part of their device authorization process, which is highly vulnerable to these attacks,” said André Ferraz, founder and CEO of Incognia. “Smartphones today contain technologies and sensors that can be leveraged for frictionless adaptive authentication, reducing the risk of ATO without adding friction to the user experience.”

Key findings from the report include:

  • Lowest Device Change Friction: E-Trade had the lowest Device Change Friction of all apps and among the investment/trading apps. Klover had the lowest Device Change Friction for financial services/banking apps.
  • 53 seconds: Average time it takes to complete a device change. E-Trade had the lowest device change time at 21 seconds.
  • 6 screens: Average number of screens required to complete a device change. E-Trade and Klover tied for the lowest number at 2 screens.
  • 4 fields: Average number of fields required to complete a device change. E-Trade, Klover and Current tied for the lowest number of 2 fields.
  • 18 out of 24: Apps relied on OTP over SMS for authenticating an additional device in the accounts.
  • 9 out of 24: Apps support a 4-digit PIN for authenticating mobile devices and ask the user to change this PIN when a new device is used for login.

Download the Incognia Mobile App Friction Report – Device Change here.

About Incognia

Incognia is a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and mCommerce companies, for increased mobile revenue and lower fraud losses. Incognia’s award-winning technology uses location signals and motion sensors to silently recognize trusted users based on their unique behavior patterns and is a key enabler for zero-factor authentication. Deployed in over 100 million devices, Incognia delivers a highly precise risk signal with extremely low false positive rates.

Incognia is privately held and headquartered in Palo Alto, California with teams in New York and Brazil.

Stay connected and follow Incognia on Twitter and LinkedIn.

Media Contact

Madeline Kalicka, Karbo Communications for Incognia

(240) 427-8961

incognia@karbocom.com