Most financial services mobile apps still rely on passwords, even with added friction
Incognia announced a report that highlights results from its most recent study of authentication and friction at login and during the password reset process. The study was conducted to give banking, financial services, and investing/trading mobile apps insight into the state of mobile app login authentication and the friction a user encounters when resetting a password.
The report reviewed 27 of the leading mobile apps from major fintechs and banks including Klover, SoFi, eToro, Robinhood, Stash, Coinbase, Ally Bank, CapitalOne, TD Ameritrade, Varo, and more.
Financial services apps experienced tremendous growth during 2020. Compared to 2019, time spent on mobile financial apps in 2020 was up by 90% in the U.S. At the same time, fraud losses in 2020 increased to $56 billion.
This surge in both fraud losses and mobile usage highlights the need for financial services companies to look to multi-factor authentication (MFA) solutions that provide stronger security than passwords without interfering with a great mobile user experience, a key competitive advantage in today’s app-driven world.
“Investment in new, lower-friction alternatives to orthodox authentication methods and in truly adaptive approaches is needed to ensure optimal combinations of security and UX/CX,” according to Gartner.
Because passwords are still the most common authentication method among the financial apps studied, the friction of the password reset process is a pain point for users.
Passwords still the primary form of authentication for financial services mobile apps
The study found that the majority of mobile apps, 26 out of the 27 apps tested, still rely on passwords as the primary form of authentication. One-time password (OTP) was the most common MFA method, used in 17 of the 27 apps tested, even though NIST’s identity guidelines consider out-of-band authentication over SMS a restricted channel due to security concerns. The average time to reset a password was 1 minute and 12 seconds for the apps in this study.
“Resetting a password on a mobile app is a huge waste of time and can greatly impact customer satisfaction,” said André Ferraz, CEO of Incognia. “This is especially important for fintech companies, whose customers seek to simplify their finances and lives.”
The password reset experience
The data gathered during the analysis of each app was used to create the Incognia Password Reset Friction Index. It provides a measure of how much friction users must endure to reset a password to regain access to their account. The lower the Index, the better the password reset experience. The index accounts for the following factors:
- Screens: The number of screens presented to the mobile user, counting from the screen immediately after clicking “forgot my password” until success of the process is acknowledged.
- Fields: The number of fields the user has to fill in to reset their password.
- Time: The amount of time the whole process takes to complete a password reset. Since elapsed time is a strong indicator of friction, time had a double weighting in the calculation of the friction index.
Key data points from the report include:
- Lowest password reset friction: Klover had the lowest password reset friction overall and among financial services/banking apps. eToro had the lowest password reset friction among investing/trading apps.
- 4.6 screens: Average number of screens required to reset a password.
- 4.2 fields: Average number of fields required to reset a password.
- 1 minute and 12 seconds: Average time it takes to reset a password. Klover and Varo tied for the shortest password reset time at 29 seconds.
- 26 out of 27: Apps using password-based login as their primary authentication method for financial services, despite low security and high friction.