Most mobile financial services apps still rely on passwords, even with added friction

Incognia has announced a report that highlights the results of their most recent study looking at authentication and friction during login and the password reset process. The study was conducted to provide mobile banking, finance, and investment/trading apps with insights into the status of mobile app login authentication and friction when a user resets their password.

The report reviewed 27 of the top mobile apps from major fintechs and banks, including Klover, SoFi, eToro, Robinhood, Stash, Coinbase, Ally Bank, CapitalOne, TD Ameritrade, Varo, and more.

Financial services apps have seen phenomenal growth in 2020. Compared to 2019, time spent on mobile financial apps in 2020 increased by 90% in the United States. At the same time, fraud losses in 2020 reached $56 billion.

This increase in fraud losses and mobile usage underscores the need for financial services companies to turn to multi-factor authentication (MFA) solutions that offer stronger security than passwords without interfering with an excellent mobile user experience, a key competitive advantage in today’s app-driven world.

“Investment in new, lower-friction alternatives to orthodox authentication methods and in truly adaptive approaches is needed to ensure optimal combinations of security and UX/CX,” according to Gartner.

With passwords still being the most common authentication method across all financial applications, the friction created by the password reset process creates a pain point for users.

Passwords remain the primary form of authentication for mobile financial services apps

The study found that the majority of mobile apps, 26 of the 27 apps tested, still rely on passwords as their primary form of authentication, with a one-time password (OTP) as the most common MFA method, used in 17 of the 27 apps tested, although NIST Identity Guidelines consider out-of-band SMS authentication a restricted channel due to security concerns. The average time to reset a password was 1 minute and 12 seconds for the apps in this study.

“Resetting a password on a mobile app is a huge waste of time and can have a huge impact on customer satisfaction,” said André Ferraz, CEO of Incognia. “This is especially important for fintech companies, whose customers are looking to simplify their finances and their lives.”

The password reset experience

The data collected during the analysis of each app was used to create the Incognia Password Reset Friction Index. It provides a measure of the friction users must endure to reset a password in order to regain access to their account. The lower the index, the better the password reset experience. The index takes into account the following factors:

  • Screens: The number of screens presented to the mobile user, starting from the screen immediately after clicking “I forgot my password” until the success of the process is acknowledged.
  • Fields: The number of fields that the user must fill in to reset their password.
  • Time: The time it takes to complete the whole password reset process. As elapsed time is a strong indicator of friction, time had a double weighting in the calculation of the friction index.

Key data points in the report include:

  • Lowest password reset friction: Klover had the lowest password reset friction overall and for financial services/banking apps. eToro had the lowest password reset friction among investment/trading apps.
  • 4.6 screens: Average number of screens needed to reset the password.
  • 4.2 fields: Average number of fields required to reset a password.
  • 1 minute and 12 seconds: Average time required to reset a password. Klover and Varo tied for the shortest password reset time at 29 seconds.
  • 26 out of 27: Applications using password login as the primary method of authentication for financial services, despite low security and high friction.

Casey J. Nelson