André Ferraz, Incognia: “we shouldn’t blame the user for falling victim to social engineering”
As the digital space gets filled with cyber criminals lurking in the shadows, it also gets overcrowded with security solutions - many of which are hard to implement for a regular user.
Online users rely on a variety of tools to protect themselves from cyber threats, be it a VPN that helps them remain anonymous online or antivirus software that continuously scans a device for suspicious activity.
At the same time, cyber threats are dynamically evolving, which makes them harder to detect, with social engineering tactics now fooling even IT experts. Even though robust security tools add an extra layer of protection, they’re not always easy to use and implement.
We reached out to André Ferraz, the founder and CEO of Incognia, to talk about online security and user-friendly fraud prevention solutions.
Can you tell us how Incognia came about?
The idea for Incognia began over ten years ago when my Co-Founders and I were studying computer science at a university. We realized that in an increasingly connected world, we will be interacting with hundreds of devices each day, and relying on passwords for security is no longer feasible. We set out to develop a privacy-first identity using location technology that would enable frictionless yet secure access in the world of the internet of things.
As for many companies, navigating the global pandemic has been both a challenge and an opportunity. At the start of the pandemic, we accelerated our plans for a major pivot of the company, exiting from our marketing/advertising business (sold to Magazine Luiza) to focus on the use of our location identity for authentication. Focusing on the new use case enabled the company to scale to more than 150 million mobile devices in more than ten countries in only one year.
You describe yourself as an innovator in location technology. Can you tell us more about it?
Incognia has been developing its privacy-first location identity over the last ten years. Back then, the market was not ready for our vision of a frictionless authentication solution.
So, in the meantime, we launched another business in the marketing sector leveraging the same location technology. That business was successful – we sold it in 2020 to one of the top 20 global retail companies.
It allowed us to finally get back to our roots and successfully apply the location technology to the original idea of frictionless authentication, now, when the timing is right.
Besides Incognia’s location technology, you also offer zero-factor authentication. How does this technology work?
Incognia’s zero-factor authentication solution is based on the Incognia location identity. One of the main issues with authentication today is that it adds friction to the user experience. The more authentication layers that are added, the more friction. With Incognia, the user is not required to take any action.
It works silently in the background enabling frictionless zero-factor authentication. Using network and device signals, Incognia creates a unique location behavior fingerprint for each user from their unique location behavior.
Combining WiFi, Bluetooth, and GPS signals, Incognia location technology is highly precise both indoors and outdoors. Given that every user’s location behavior history is unique, Incognia is extremely effective for secure authentication.
Have you noticed any new challenges emerge in the identification landscape during the pandemic?
The pandemic has accelerated the shift to digital services – mobile, in particular – opening up new attack surfaces. As a result, social engineering attacks have increased in volume and sophistication, now fooling even experts.
At Incognia, we believe that we shouldn’t blame the user for falling victim to social engineering, but rather that security technology needs to evolve.
Authentication which is based on any form of user action is vulnerable to social engineering attacks, and the industry needs to look to authentication techniques that take advantage of dynamic credentials and behavioral analytics, such as Incognia.
Since multi-factor authentication is becoming a common practice, what methods have emerged in an attempt to bypass this safety measure?
One of the most common methods of MFA today is SMS-based one-time passwords (OTPs) despite this method being flagged by NIST as restricted due to security concerns. SMS-based OTPs are vulnerable to social engineering, large-scale interception, and also SIM swap attacks.
In your opinion, which industries fail to recognize the necessity for stronger authentication methods?
Even though banks and fintech companies are aware of the need for security, they are facing huge fraud challenges. In addition, online to offline marketplaces such as social networks, dating, and delivery apps need stronger fraud detection to defend against not only financial fraud but to ensure trust and safety.
Additionally, what are some of the worst things that can happen if this safety measure is faulty or not put in place at all?
When security measures fail, there is a huge threat for financial companies – from financial loss to the individual account holders to the losses caused by the firm’s damaged reputation and brand trust.
In other industries that are focused on real-world interactions, such as online dating, social networking, and ride-hailing, it could even lead to physical security issues.
Recently, the discussion around biometric authentication has gained a lot of attention. Do you think it’s going to surpass other authentication methods in the near future?
While the novelty and the ease of use of biometric authentication, such as FaceID, are appealing to users, there are increasing concerns about bias and privacy. Also, these types of authentication methods are now being tricked.
Biometric authentication systems are proving not to be the best alternatives due to security issues and high false-rejection rates. For instance, deepfake technology is making it possible to fake video images.
Would you like to share what’s next for Incognia?
With Incognia technology already being deployed in over 150 million devices, we are seeing very compelling results in terms of security – no reported fraud from users with an enabled location. We are continuing to add more device-related signals and location intelligence to enable our customers to remove friction for legitimate users, as well as to identify the high-risk users.