Incognia is turning its attention from Onboarding to Authentication with the release of the second part of its Crypto Mobile App Friction Report. Part one arrived in February, and found that the majority of cryptocurrency platforms were not taking adequate steps to verify someone’s identity during the onboarding process.
With part two, Incognia is suggesting that the industry’s standards are just as lax when authenticating users after an account has been created. In that regard, the Authentication report looked at 21 leading cryptocurrency apps (15 exchanges and six wallets), and discovered that every single one still relies on either a password or a PIN as its primary authentication method. The majority (13 out of 15) of the exchanges do support some form of optional multi-factor authentication, though in most cases (nine out of 13) that second factor is a one-time password sent through an SMS message.
That raises serious concerns about crypto security, since SMS OTPs can be intercepted and are vulnerable to social engineering. NIST has designated SMS passcodes as a restricted authentication factor because of those shortcomings, and the continued reliance on SMS in cryptocurrency increases the risk of theft and fraud for individual end users.
Having said that, the report does offer some cause for optimism. Most (85 percent) of the exchanges allow users to replace their passwords with some kind of biometric authentication factor to increase their level of security.
The Incognia report also looked at password resets and new device logins, noting that the risk of account takeover is higher if those processes are not secure. Unfortunately, many of the exchanges once again rely on SMS OTPs to protect people’s accounts. Some exchanges have opted for email magic links as an alternative, while crypto wallets prefer to use a 12-word seed phrase for device transfers. Seed phrases are effective, but they can be hard to remember, and there is a risk that people could lose access to their wallets and their crypto reserves.
As it stands, cybercriminals stole $14 billion worth of cryptocurrency in 2021, while the amount held in illicit accounts jumped 360 percent to $11 billion. That poses a major problem as crypto usage increases, to the tune of 100 million app downloads in the fourth quarter of last year. Coinbase, FTX, Cash App, and Crypto.com were some of the apps looked at in Incognia’s report.