How location technology and zero factor authentication could change the security landscape [Q&A]
The death of the password has been predicted for a long time, but although it's been augmented by things like multi-factor authentication and biometrics, it still clings to life.
However, businesses are looking for ways to eliminate fraud without impacting the customer experience. One way to do this is to use location technology to provide ‘zero factor’ authentication, allowing businesses to protect themselves and their customers without disrupting the customer experience.
We spoke with André Ferraz, CEO of Incognia, to find out more about how this works.
BN: Why is location technology a superior form of fraud prevention technique?
AF: With the growing relevance of mobile as the main online channel, location behavior data is being leveraged to identify when the user is accessing or transacting from a trusted location. A recent study conducted by Incognia found that 90 percent of legitimate logins and 95 percent of legitimate high-risk transactions occur from a trusted location. A trusted location is a place that is part of the user’s routine, such as their home, office or favorite restaurant. This means that users can be securely authenticated in more than 90 percent of the cases with no friction. In addition, given location behaviors are dynamic, an identity based on them is harder to mimic or forge. The failure rate of this technology is currently one in 100,000,000. As fraudsters are continually evolving their processes and tactics, it is essential to employ the use of location technology to stave them off.
BN: What is zero-factor authentication?
AF: Zero-factor authentication (0FA) offers a mobile-native solution for risk-based and continuous authentication that works silently in the background, requiring no action from the user. It's completely frictionless from a user experience perspective. Users only have to opt in for location services. Leading financial services apps that follow best practices are achieving opt-in rates above 90 percent. As a result, mobile users are no longer forced to compromise security for convenience.
By taking advantage of the technologies and sensors on today's mobile devices, 0FA uses network, location and device data from the mobile device to accurately detect low-risk and high-risk users, which makes Incognia's 0FA technology a strong alternative to OTPs, passwords and traditional biometrics.
BN: How does location technology enable a 0FA approach?
AF: Each user's location behavior pattern is unique and made up of frequently visited 'trusted locations.' According to data from Incognia's network of more than 100 million devices, 90 percent of legitimate user logins on banking and fintech apps occur from a trusted location. But location solutions based solely on GPS are easily spoofed and offer less precision, particularly indoors. However, there are 0FA approaches to localization that detect location spoofing and are accurate within 10 feet.
Additional sensors are leveraged to reach superior accuracy and precision, such as WiFi, Bluetooth, cell towers, and motion sensors. Incognia's approach to location is called environment fingerprinting, which clusters signals specifically attributed to a unique location. To ensure that the location data is trustworthy, these signals are correlated with the location and compared to the historical information associated with the environment. By working in the background, this ensures the process is completely frictionless while continually verifying for the safety of the customer and business.
BN: What is passwordless authentication and how does 0FA compare?
AF: Passwordless authentication can be defined as any authentication method that utilizes a non-traditional password, but it does not necessarily mean eliminating or reducing friction from the authentication process. Passwordless authentication includes zero-factor authentication, biometric authentication, patterns, magic links, security keys, mobile push and other login formats.
Some vendors have been claiming that OTPs (one-time passwords) are also considered passwordless authentication, even though there is a password involved in the authentication process.
Zero-factor authentication offers the best possible user experience: no friction. Users don't need to do anything during the customer onboarding process, other than just be themselves. With an assessment based on the device, the network and location signals, 0FA will recognize the user automatically. To deploy zero-factor authentication with confidence, developers need to ensure strong device fingerprinting capabilities and location spoofing detection. Device fingerprinting means collecting identifying data from a device in order to authenticate and verify the user, based on unique data.
Given it requires users to opt in for location data sharing, users also have more control. On average, more than 90 percent of the users opt in for the service because the value proposition is desirable: better user experience and higher security.
When these tools are available, security tends to be higher than existing authentication factors such as biometric authentication, passwords and OTPs.
BN: Are 0FA and zero-trust the same? Do they work together?
AF: They are not the same, but they are absolutely related. Zero-factor authentication employs concepts from the zero-trust approach, but zero-trust does not necessarily use zero-factor authentication. A zero-trust approach trusts no one and assumes that there is no device, network or location that should be trusted by default even if previously verified. In zero-trust architecture, security should be monitored constantly, and users should be authenticated continuously, instead of authenticating the user once and letting them navigate freely when inside the perimeter.