Most forms of cybersecurity place at least some of the responsibility on the end user. In the past, people were expected to remember (and not share) their passwords. Today people are still asked to remember passwords, and to complete extra steps (like a fingerprint scan or an SMS OTP) to verify their identity in a Multi-factor authentication scheme.
Incognia is taking a slightly different approach. The company is now pushing the concept of Zero-factor authentication, with a solution that analyzes location data to verify someone’s identity without any direct input from the user. In other words, Incognia is asking people to do less, and while that may sound counterintuitive, it could potentially close one of the biggest security gaps in the modern digital ecosystem. Simply put, security is difficult. The average user does not have the expertise needed to implement a comprehensive security plan, so it’s unreasonable to fault them when breaches inevitably occur.
With Zero-factor authentication, Incognia is taking on the security burden that has historically been passed on to the customer. In our latest executive interview, FindBiometrics Multimedia Editor Eric Weiss speaks with Incognia CEO André Ferraz about the company’s location-based security solution. He explains how Incognia can protect everyday users while removing virtually all of the friction from the authentication process, and discusses the company’s recent and future growth as it tries to change the way that people think about identity verification.
Eric Weiss, Multimedia Editor, FindBiometrics: Incognia recently published a case study about how location-based authentication created a major fraud reduction for will bank, one of your customers. What makes location-based authentication such an effective fraud prevention technique, and is that case study indicative of deployments you’ve had with other companies?
André Ferraz, CEO, Incognia: Location-based authentication is something that doesn’t require any specific action from the user, that’s why we call it Zero-factor authentication. This is passively observing the user’s behavior, and using that to understand the user’s identity. The main reason this is effective for fraud prevention is that it eliminates the human elements of the authentication process. What’s happening today is that most of the fraud losses are a result of social engineering attacks. Even if you have a strong password, even if you have an application that is using MFA, fraudsters are calling you, fraudsters are sending you text messages, and eventually they’re convincing you to share your credentials. It’s not really a matter of technology. It’s more about the process, and how much relies on the user’s actions.
Location-based authentication removes the human aspect of the authentication process. This addresses the social engineering problem, which was how will bank was being attacked.
The second thing that is relevant here is that each person has very unique location behavior. Our location behaviors are actually even more unique than things like our face. We did an internal experiment in which we compared the uniqueness of our location-based identities to Face ID, which in my opinion is the state of the art when it comes to biometrics. In Apple’s documentation, they say that the probability that a random person would be able to access your account is one in a million.
We did similar experiments using location information as an identity, and we saw that the probability was one in 10 million, so 10 times more accurate than Face ID. What’s interesting about location-based authentication is that even though each person has unique behavior, at the same time people’s behaviors are highly predictable. For example, we see that about 85 percent of mobile banking accounts are opened when the user is at home. About 90 percent of the logins and 95 percent of the high-risk transactions on financial services apps occur at locations that the user visits at least once a week. That would be your home. That would be your office. Those would be places that you go very, very frequently.
The uniqueness of our location behaviors enables very strong security. Our fraud rate has been zero percent since we launched. More than 200 million users were authenticated with our technology and no fraud was reported by any of our customers. At the same time, this high predictability enables us to recognize users in trusted locations and trusted situations, enabling them to authenticate with less friction. Because of that, we were able to find a balance between strong security, and a great user experience that doesn’t require users to do anything. They just need to be themselves.
Eric Weiss, Multimedia Editor, FindBiometrics: will bank is a challenger bank, which is to say that it’s a smaller bank that’s still new to the scene. Are there any unique security challenges that you encounter when you’re working with a smaller bank compared to a larger one that’s a bit more established? How do you deal with issues of cost and scale with some of these younger financial institutions?
André Ferraz, CEO, Incognia: The results that we were able to deliver to will bank are consistent across different-sized financial services applications. The big difference is that usually, a FinTech would not have the level of sophistication of a large bank. A large bank will have a bit more friction in the authentication process. They will have more authentication factors that the user needs to use to prove their identity. Their fraud rates tend to be a bit lower. They have additional signals that enable them to understand more about the user’s behavior. So for the bigger banks, our main value proposition is less about reducing fraud as we did with will bank, and more about reducing the reliance on high friction authentication factors.
For example, there was a bank that had a process when the user was changing devices. Let’s say you just bought a new iPhone and you want to set up your bank account on this new device. The process was bad. You had to re-authenticate using multiple factors. We got in and we solved that. About 89 percent of those device changes occurred when the user was at home, so almost 90 percent of those events happen at the user’s most trusted location. We created a simple rule. If the user is switching devices at home, let’s remove all of these high friction authentication factors. We did it, and the result was amazing. For larger organizations, what we’re doing in most cases is helping them reduce the reliance on these high friction authentication factors, which has two advantages.
One is to the user experience. The user needs to do much less to authenticate and transact. The other is that this brings a significant cost reduction. If you’re reducing the number of SMS that you send out with an OTP, that’s a huge cost reduction. If we reduce the need to ask for multiple biometric scans, that reduces friction. If you’re able to use passive signals to authenticate users, and if those signals are precise like ours, you can reduce the need for manual reviews significantly. There’s a reduction in operational costs for these larger players.
Eric Weiss, Multimedia Editor, FindBiometrics: Do those cost benefits make this solution more accessible for smaller players?
André Ferraz, CEO, Incognia: Yes. For the smaller players, it’s kind of the opposite. They still haven’t implemented all of those friction points. We’re preventing them from increasing the complexity of their product. We’re helping them provide a better user experience from day one and not worry about security anymore.
Eric Weiss, Multimedia Editor, FindBiometrics: You recently introduced the concept of Zero-factor authentication at a time when a lot of companies are emphasizing a multi-factor approach. What do you mean when you say Zero-factor authentication, and what are the potential advantages for an organization that wants to navigate the modern security environment?
André Ferraz, CEO, Incognia: Zero-factor authentication is all about removing the human action from the authentication process. As I’ve mentioned, the vast majority of fraud losses are a result of social engineering attacks, so in the end, it’s no longer a technology problem. There is already good technology to prove user identities. The problem is that fraudsters are able to convince users to share information they shouldn’t. This breaks the whole concept of multifactor authentication. People are calling and saying, “Oh, you just received an SMS with a six digit code. Can you share that with me so I can help you?” The person says, “Yes, sure. Here’s my code,” and then that person takes over your bank account and steals your money.
Removing that responsibility from the user, and bringing it to the technology companies that are specialists in security and know how to do it well, is a very important step. We’re entering an era of 5G and internet of things. This is only going to increase the complexity of our digital lives, because we’re going to be interacting with hundreds of devices at a time without even noticing. I think we need to address this issue with technologies that solve the problem without requiring the user to do anything. That’s the whole concept of Zero-factor authentication. How can we leverage data and behavioral information to identify a user without relying on them?
Eric Weiss, Multimedia Editor, FindBiometrics: In addition to the case study with will bank, you published a Mobile App Friction Report that took a closer look at the customer experience. How hard is it to strike the right balance between convenience and security? Why should businesses be trying to remove passwords and SMS One-Time Passwords from the login process?
André Ferraz, CEO, Incognia: What’s interesting about this report is that we did it in two different places. One was the US and the other was Brazil. Very different markets. We’re operating in both. What’s interesting is that in Brazil, the population basically leapfrogged the PC. They went straight to mobile, as happened in many emerging markets. We’re able to see a clear distinction between the two markets because of this phenomenon. In Brazil, the mobile applications are significantly more sophisticated than the mobile applications in the US when it comes to security, because a great part of the fraud losses and attacks originated on mobile devices.
The companies have been protecting their mobile applications more than in the US. In Brazil, only three of the top 20 applications that we analyzed were still using OTPs over SMS as part of their authentication flow. Here in the US, it was the exact opposite. 17 out of the 20 companies were still using OTPs over SMS as the secondary factor for authentication. I think that’s an interesting insight. This is even recognized by NIST. In 2019, NIST published a recommendation that people should stop using SMS as a channel for two-factor authentication.
There are multiple reasons there. The first is that SMS can be intercepted at scale. The second is that the tokens that are shared over SMS can be easily shared with someone else. This is what is then used by fraudsters to perform social engineering attacks. They are finding multiple ways to make the user believe that they should share that token, and then they’re using that to penetrate the account. The third one, which is also social engineering, is between the fraudster and the network operator. The SIM swap attack. You would call the network operator and convince that person that you bought a new SIM card, and require them to transfer the line to you. Then you can intercept those messages. The SMS channel, for me, would be the biggest concern. The friction report shows that a lot of financial institutions are still relying on that, and that’s super dangerous.
Eric Weiss, Multimedia Editor, FindBiometrics: You released a free developer edition of the Incognia platform in May. What kind of response have you received from smaller businesses? Are any businesses resistant to these new technologies, maybe more so in the US than in Brazil? If so, how do initiatives like a free developer edition help boost adoption rates and get more people to switch over to this technology?
André Ferraz, CEO, Incognia: There was a lot of demand for that. In the end, we had to change to an invite-only platform to be more controlled, because the volume of new applications coming in was big, and we realized that we were not prepared for that scale yet. We were dealing with big organizations, apps with hundreds of millions of users, and at the same time, we were having to manage relationships with an application that was just getting started. The app wasn’t even launched yet. They were trying to implement our technology into their authentication flow. We decided to step back a little bit, to become invite-only instead of an open platform.
It’s a new concept. Even though the solution is easy to use, we always need to explain how it works and how much more secure it is than a password. It created a lot of complexity internally because of the high volume, but one thing we learned from that was that there’s clearly a lot of demand in the industry for security solutions that are better for the user experience. Now that we took that step back, we’re making some adjustments to the platform, so we can relaunch next year open. For now, it’s an invite-only platform.
Eric Weiss, Multimedia Editor, FindBiometrics: It sounds like what you’re saying though, is that the developer edition did increase engagement, raise awareness, drive people toward this new kind of infrastructure?
André Ferraz, CEO, Incognia: Exactly. More than we were prepared for. Today we were the first search result for Zero-factor authentication. We’re starting to see more and more traffic. We’re still a start-up and we had to prioritize. We didn’t want to offer a bad experience to the customer, so we decided to change the model to provide good service to the customers that were coming instead of having people waiting to receive information from our teams.
Eric Weiss, Multimedia Editor, FindBiometrics: How does a risk-based approach to authentication translate to a better experience for individual end-users? What kinds of factors are you looking at when you analyze the level of risk present during an interaction?
André Ferraz, CEO, Incognia: With a risk-based approach, you can determine when you should challenge a user. As I’ve mentioned, 90 percent of the log-ins to financial services applications, and 85 percent of the new accounts that are opened, occur from places that are part of the user’s routine. We also recognize the device. We have our own device fingerprinting technology. It would be very unlikely for someone to steal your phone, enter your house, and then get access to your account. Obviously that could happen, but that person would not be able to do that at scale, and probably would get caught pretty quickly. There’s a much greater risk in doing this than in calling you and asking for the token you just received over SMS.
In the end, there’s no silver bullet when it comes to security. The main thing is creating complexity for the fraudster, in a way that makes it not worth doing. What I just described was a scenario in which the fraudster would be stealing someone’s device, invading private property, and stealing funds. There are a lot of crimes here. This person has been exposed physically. Most fraudsters would not be willing to take that risk. It’s much, much harder to do than social engineering, or buying a dataset of leaked passwords on the dark web.
When it comes to signals, and the factors that we’re taking into account, the first one, which is table stakes in the industry, is identifying the device. Making sure that the device is the same as the one that has been authorized to access that account. This space is changing because platforms like Android and iOS have been changing the rules when it comes to collecting data, but it still is a technology that works quite well. That’s the first layer.
The second layer is making sure that once we recognize that device, we know that device. We want to make sure that there’s nothing weird going on. We call it device integrity checks. We try to understand if that device is rooted, because if it is rooted or jailbroken, there are additional risks. We want to make sure that there’s no malware. We identify remote access Trojans to make sure that there is no one able to access that device remotely. VPN detection. Proxy detection. Tor exit nodes. Understanding network information from that device. In respect to our technology more specifically, we also do checks to make sure that the location information from that device is not being spoofed.
That would be the second layer. The third layer is the behavioral part. This is when we analyze location and network signals. The main thing here is to analyze current behavior, compare that current behavior to historical behavior, and understand the likelihood of that being from the same person. We’re not necessarily trying to understand if you are at home or at the office, or at a place that you go frequently. We want to understand if the behavior that we’re observing today is consistent with the past. If you’re traveling, that’s fine. People travel. What we want to understand is that your device is traveling.
The beauty of location behaviors is that we can observe this continuity. Your phone went from your home to an airport. A couple of hours later, we see the same device at a new airport. Then we see this device going somewhere else, like a hotel. When you access your bank account from there, you’re still experiencing a frictionless approach. You won’t be challenged to prove your identity. It’s all fine. Understanding location behaviors and network signals is also important on the negative side. Let’s say a fraudster is trying to open multiple accounts, or trying to access multiple accounts and even using multiple devices so they can hide. Probably the fraudster would be doing this from the same location. We can use this insight to identify locations that are frequented by fraudsters. If we see any activity from that particular place, we’re able to block it. This would be the third factor.
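As an added illustration of the three layers described in this answer (device recognition, device integrity checks, current behavior compared with history, plus the fraud-location block and the earlier "device change at home" rule), here is a small decision function over constructed events. It is not Incognia's code; the cell identifiers, the once-a-week routine threshold and the two-day continuity gap are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Event:
    device_id: str
    cell: str   # coarse location cell; constructed identifier such as "home"
    day: int    # day index; the constructed history below covers days 0..27


def trusted_cells(history: List[Event], window_days: int = 28) -> Set[str]:
    """Cells visited at least once a week over the window: the user's routine (assumed threshold)."""
    weeks = max(1, window_days // 7)
    counts = Counter(e.cell for e in history)
    return {cell for cell, n in counts.items() if n >= weeks}


def has_continuity(history: List[Event], event: Event, max_gap_days: int = 2) -> bool:
    """True when the same device was seen within max_gap_days (assumed) before this event,
    so a trip reads as a continuous trail: home, airport, another airport, hotel."""
    seen = [e.day for e in history if e.device_id == event.device_id and e.day <= event.day]
    return bool(seen) and event.day - max(seen) <= max_gap_days


def assess(known_devices: Set[str], history: List[Event], event: Event,
           integrity_flags: Set[str], fraud_cells: Set[str]) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is allow, step_down, challenge or block."""
    # Negative signal: a cell already tied to fraudulent accounts is blocked outright.
    if event.cell in fraud_cells:
        return "block", ["location linked to prior fraud"]
    # Layer 2, integrity: rooted/jailbroken, RAT, VPN/proxy/Tor, spoofed location -> challenge.
    if integrity_flags:
        return "challenge", sorted(f"integrity:{f}" for f in integrity_flags)
    # Layer 1 (device recognition) combined with layer 3 (behavior versus history).
    known = event.device_id in known_devices
    routine = event.cell in trusted_cells(history)
    if known and routine:
        return "allow", ["known device at routine location"]
    if known and has_continuity(history, event):
        return "allow", ["known device on a continuous trail"]
    if not known and routine:
        # Device change from a routine place such as home: drop the high-friction factors.
        return "step_down", ["new device at routine location"]
    return "challenge", ["unfamiliar device or location, no recent trail"]


# Constructed four-week history for one user: every night at home, weekdays at the office.
HISTORY = [Event("phone-A", "home", d) for d in range(28)] + \
          [Event("phone-A", "office", d) for d in range(28) if d % 7 < 5]
KNOWN = {"phone-A"}
FRAUD_CELLS = {"cell-F"}  # constructed: a cell seen across many fraudulent accounts

if __name__ == "__main__":
    print(assess(KNOWN, HISTORY, Event("phone-A", "home", 28), set(), FRAUD_CELLS))
    trip = HISTORY + [Event("phone-A", "airport-1", 28), Event("phone-A", "airport-2", 28)]
    print(assess(KNOWN, trip, Event("phone-A", "hotel", 29), set(), FRAUD_CELLS))
    print(assess(KNOWN, HISTORY, Event("phone-B", "hotel", 28), set(), FRAUD_CELLS))
```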
Eric Weiss, Multimedia Editor, FindBiometrics: To wrap things up, FindBiometrics just launched our annual Year in Review survey. Based on what you’ve seen in the past, what trends are you expecting to see in the authentication industry in the next couple of years?
André Ferraz, CEO, Incognia: I think there will be a big transition from multifactor to Zero-factor authentication. Consumer-facing companies are currently competing to offer the best user experience. In the e-commerce space, the companies that are winning are the ones able to deliver goods to your house as quickly as possible. They’re investing in logistics to be able to offer a great user experience. When we look to entertainment, the companies that are winning are the ones that have not only good content, but good applications that you can use to consume that content from every screen.
If we look to financial services, the problems that users face are related to the authentication and identity verification processes. You don’t want to be locked out from your bank account. You don’t want to be calling the contact center to prove that the person trying to perform that transaction is actually you. You want to do those things seamlessly. I think there’s going to be a great transition from MFA to ZeroFA as companies start realizing that Zero-factor authentication is actually more secure than multifactor authentication. Removing the human aspect of the authentication process is the stronger answer to the security issue because it’s no longer a technology issue. It’s a process issue.
I think taking responsibility for the authentication process is an important step. This has to do with implementing technology to protect people instead of blaming them. I see that a lot. I really get mad when I see security professionals blaming the user for losses, saying, “Oh, the user was stupid because they shared their passwords. The user re-used their password. This shouldn’t be done. The user has shared their token with the fraudster. I can’t do anything.” Yes, you can. You can implement better technology, and stop blaming the user. We’re starting to see that happen. I think that’s going to be the big change in the industry going forward.