Incognia has published a new report that quantifies the amount of friction that passwords add to mobile apps in the financial industry. The Mobile App Friction Report called particular attention to the password reset process, and advised financial institutions to replace passwords and SMS one-time passwords (OTP) with stronger forms of multi-factor authentication.
Digging into the numbers, the Incognia report examined mobile apps from 27 leading banks and financial services providers, including those from Klover, Coinbase, CapitalOne, and TD Ameritrade, amongst several others. It found that the vast majority (26 of the 27) still use passwords as their primary authentication method, while 17 of 27 still use SMS passcodes as their secondary authentication factor.
That last stat is especially concerning because the SMS passcodes are one of the more vulnerable forms of authentication, to the point that the NIST has cautioned against the use of the technology. With that in mind, Incognia argues that the financial industry’s continued reliance on passwords and SMS technology increases the risk of fraud, and does so while saddling customers with a more aggravating user experience.
On that front, Incognia noted that the average password reset process took more than a minute to complete, and forced the user to navigate more than four screens to enter information into another four fields. Unfortunately, that extra friction has not deterred cybercriminals, with fraud losses going up $56 billion in the US in 2020.
“Resetting a password on a mobile app is a huge waste of time and can greatly impact customer satisfaction,” said Incognia Founder and CEO André Ferraz. “This is especially important for fintech companies, whose customers seek to simplify their finances and lives.”
According to Incognia, the recent increase in remote traffic (mobile financial app use was up 90 percent in 2020) has created an urgent need for stronger forms of authentication. The company went on to pitch its own passive authentication offering, which analyzes device and location information to evaluate the risk level during each interaction. The solution also utilizes behavioral biometrics for an additional layer of security.
Incognia released a free developer version of its platform back in May.