Incognia Authentication Crypto Mobile App Friction Study Reveals High Friction and Low Security, Despite Increasing Crypto Fraud
Top Ranking to FTX and SoFi for Lowest Friction Password Reset and Device Change
Palo Alto, CA -- March 29, 2022 -- Mobile authentication pioneer Incognia today announced the publication of the second Crypto edition of the Incognia Mobile App Friction Report - focusing on Authentication, which highlights results from their most recent study of 21 top crypto apps and the level of friction introduced when users login, reset a password and change devices. In 2021, $14B in cryptocurrency was stolen, and funds held in illicit addresses increased 360% to $11B. At the same time, crypto app downloads surpassed 100M downloads for the first time in Q4 2021. The Incognia study was conducted to better understand the friction users face on crypto apps resulting from security measures to protect their accounts from takeover and theft. The report includes a review of 21 mobile apps including crypto exchanges (15) and crypto-wallets (6) from major apps including Paypal, Venmo, Binance US, Coinbase Wallet, Crypto.com, Robinhood, FTX, SoFi, Cash App, Blockchain Wallet, Bitmart, Voyager, and more.
Password reset and device change are particularly sensitive for crypto apps, because if not done well, those processes can lead to increased account takeover fraud, one of the most common types of fraud in the crypto space.
In the study from Incognia, 100% of the mobile apps tested used passwords or PINs as the primary method of authentication. 13 of the 15 exchanges supported optional multi-factor authentication (MFA) enabling increased security. One-time password (OTP) over SMS was the predominant MFA method, supported by nine of the 15 exchange apps, even though NIST has designated this form of authentication as restricted due to security concerns. Passwords and OTPs are highly vulnerable to social engineering attacks, which are responsible for most of the fraud losses in the fintech and crypto industries.
On crypto wallets the only way to reset a password or login using a new device, is to use the 12 word seed phrase, highlighting the importance of users keeping track of the seed phrase, otherwise access to their wallet is lost forever. Crypto exchanges in contrast supported password reset and device change using either Magiclink sent via email, or OTP either over SMS or email. FTX had the overall lowest password reset friction index, SoFi had the lowest device change friction index.
“Everyone is widely adopting mobile apps to manage finances, including cryptocurrency,” said André Ferraz, founder and CEO of Incognia. “With the high risk associated with new devices accessing user’s crypto accounts, crypto apps must manage fraud prevention and authentication while ensuring that users are not punished with high friction when legitimately changing out their devices. ”
Key findings from the report and analysis of 21 crypto apps reviewed include:
- 100% of crypto exchanges reviewed use passwords, with 85% allowing the use of biometrics to bypass the password
- 87% of crypto exchanges offer optional multi-factor authentication
- OTP over SMS: 60% of crypto exchange apps reviewed, support OTP over SMS for multi-factor authentication, despite this being a restricted form of authentication by NIST due to security concerns
- Lowest Device Change Friction: SoFi had the overall lowest Device Change Friction index among all apps.
- Lowest Password Reset Friction: FTX had the lowest overall Password Reset Friction index
To read the full report, Download the Incognia Mobile App Friction Report - Crypto Edition - Authentication here.
Incognia is a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and mCommerce companies, for increased mobile revenue and lower fraud losses. Incognia’s award-winning technology uses location signals and motion sensors to silently recognize trusted users based on their unique behavior patterns and is a key enabler for zero-factor authentication. Deployed in over 150 million devices, Incognia delivers a highly precise risk signal with extremely low false-positive rates.
Incognia is privately held and headquartered in Palo Alto, California with teams in New York and Brazil.
Madeline Kalicka, Karbo Communications for Incognia