What does the Deduce Identity Network look like in action?

In our previous blog posts we’ve discussed the value of identity intelligence, how data poverty can mix up risk signals, and shown how the Deduce Identity Network can enable a trusted user experience.

But what does our network of 500 million user profiles and 1.4 billion daily online activities actually look like in action?

To help illustrate how Deduce’s trust signals can significantly improve the user experience—and prevent the churn that CEOs loathe—here is a day in the life of a trusted user identity on our network.

Uber—8:17 a.m.

Meet Tom. Tom is a Deduce trusted identity. We don’t know his name is Tom (Deduce defines a profile via email, device, geo, and activity), but we know he won’t be launching a credential stuffing attack any time soon.

It’s a typical work day for Tom, and Deduce’s Familiar Time of Day signal is already pointing to trust. Tom is waiting for an Uber, standing on the curb in front of his house—a new house he and his wife moved into a few weeks ago. The Uber arrives. Tom buttons his blazer, tightens his half-Windsor knot, and heads to the office.

A few minutes later, when Tom decides to check emails on his phone, he realizes the email client logged him out and he can’t remember the right password combination. Given his change of residence, Tom’s new commute path to the office could trigger an MFA (multi-factor authentication) challenge; fortunately, Deduce’s IP Address and Time of Day trust signals identify Tom as a non-malicious user and increase his allotted number of password attempts. He’s in!

Uber—8:50 a.m.

Roughly 30 minutes after boarding the Uber, Tom remembers that his wife asked him to buy plane tickets for a spontaneous Vegas trip next weekend.

Tom is only a few minutes from his office and the ticketing app with the best deal isn’t installed on his phone. Even with just a few weeks of data, Deduce’s Time of Day/Day of Week trust signals—coupled with intel from multiple cell towers—recognize Tom is commuting and expedite the account creation and verification process.

Tom acquires the last-minute tickets with time to spare.

Office—9:27 a.m.

Tom grabs his morning joe and walks to his desk. After texting his wife that they’ll soon be swimming in daiquiris and poker chips, he logs into his office computer and checks his calendar.

Uh oh. A video meeting in three minutes AND it’s on a video conferencing platform he’s never heard of?

No worries. Tom downloads and installs the software then quickly creates an account without having to verify via OTP (one-time passcode). Deduce’s recognition that Tom is actually Tom—it recognizes the IP address and device ID of his work computer at the right time of day—allows him to enter the meeting right on the dot.

Home—6:48 p.m.

Tom and his wife get home from work. They’ve hardly unpacked since moving and navigating the labyrinth of boxes in the kitchen to use the stovetop is unrealistic. Pizza it is.

Tom’s phone is dead, so he grabs his wife’s tablet. He downloads a food delivery app—the same one installed on his phone—and logs in to order their favorite: a medium Hawaiian with extra pineapple.

A user logging in on a new device might trigger an MFA under normal circumstances, but Deduce knows Trusted Tom is accessing the app from his residence on a new, albeit still familiar, network. Deduce also identifies the device ID of the tablet, as Tom’s wife has used it on the network before.

The pineapple-on-pizza debate is contentious, but we can all agree that friction has no place in the user experience.

Want to steer clear of friction and churn? Contact us today to find out how you can treat your customers like trusted users, not bad actors.

New device ID and its pesky false positive problem

Every day, supermarket and liquor store cashiers reject wannabe McLovins attempting to buy six-packs with a fake ID. Likewise, every hour—perhaps every minute—fraud prevention solutions reject online logins and transactions due to a new, unfamiliar device ID.

The problem? Only 2% of fraud is perpetrated by a new device. The new device ID risk signal, one of the most widely used by authentication platforms, is guaranteed to trigger a false positive fraud risk for the 98% of good customers—and trigger a deluge of rage along with it. Per PWC, one in three consumers ditches a brand following a negative user experience; it’s hard to get more negative than erroneous multi-factor authentication (MFA) or a wrongfully canceled purchase.

False positives cost US e-commerce merchants $2 billion per year. That’s nearly 3% of their revenue, not far behind fraud-related costs (7.6%)—a possible death knell for e-tailers with razor-thin margins. 

Part Two of our “Mixed Signals” series explores the flaws of the new device risk signal, and how to combine new device ID with real-time data to keep users (and bottom lines) intact.

False positives aren’t the only problem

Device-based authentication leads to a flurry of false positives, including a 30-50% false positive rate associated with geolocation sensitivity. But it doesn’t end there. To avoid flagging legitimate customers, solutions need to track a variety of real-time risk and trust signals.

Outside of false positives, here are other downsides of counting on the new device risk signal alone:

Device spoofing. Spoofing a user’s device is a cinch and ubiquitous enough to render device ID, by itself, unsuitable for verification.

Advanced attacks. Solutions reliant upon device ID won’t detect complex attacks involving social engineering and automation (man in the middle, remote access tool attacks, etc.).

Actionability. The number of users logging into new devices at new locations overwhelms device-based anti-fraud solutions. Consequently, good users on unfamiliar devices will be burdened with friction and deemed high-risk.

Why device ID causes false positives

The chief failing of device ID authentication is that it doesn’t account for one simple fact: consumers are constantly toggling between devices or buying new ones altogether.

Cell phones are only one of the devices that users swap, whether because they dropped one in the toilet or because they want the latest and greatest model. It’s also not uncommon for more than one person to use a device, such as a tablet or desktop computer, making the new device risk signal an inadequate means of verifying user identity.

The increasingly remote nature in which we work and interact presents new challenges for device ID authentication—even when paired with geolocation and behavioral biometric data (both can be spoofed). For instance, someone who’s temporarily telecommuting from a family member’s house might use that individual’s computer to buy goods. Or, someone might be in quarantine at a hotel and get flagged for using their mobile device at an unusual location. Sharing login credentials with friends and relatives across households and devices is another sure-fire way to set off the device authentication tripwires.

Silencing the false alarms

Similar to device fingerprinting—a way of positively identifying a device by recognizing its unique software and hardware characteristics—real-time data is the key piece missing from device-based authentication.

The Deduce Identity Network melds the new device risk signal with other data such as device, IP, geolocation, and activity (login, checkout, account creation, password reset, etc.) to generate comprehensive real-time behavioral intelligence that drives a calculated risk or trust signal. This prevents legitimate users from being flagged and the resultant friction that makes them jump ship. 

Deduce’s 500 million anonymized user profiles, 150 thousand websites and apps, and over 1.4 billion daily activities provide a rock-solid determination of user trust—or, conversely, flat-out fraud. Device spoofing is rampant, but the Deduce Identity Network won’t fall for the fakes. Fraudsters can’t afford to create a synthetic identity capable of fooling the largest real-time identity graph in the US.

The Cliff Notes: Don’t sink users in a quagmire of friction when they’re merely transacting from a new phone or shopping for clothes on their parents’ Macbook. Treat legitimate customers like distinguished guests, not criminals.

Ready to tap the collective intelligence of our Identity Network and experience the serenity of avoiding new device false positives? Click here to learn more.

Wipe location spoofers and false positives off the map

Geolocation, geolocation, geolocation. It’s one of the common risk signals tracked by anti-fraud solutions and often the reason legitimate customers are thrown into account verification purgatory.

Geolocation locates users via a GPS signal, IP address mapped to geography, wifi network locations, or web browser location information on their device. Geolocation is helpful in combating fraud, that is, if it’s used properly. However, many fraud prevention companies erroneously depend on IP address alone, and don’t possess the data at scale to differentiate between a fraudster and someone who’s simply transacting in an unfamiliar area. This makes businesses susceptible to location spoofing—when fraudsters falsify their location by using a virtual private network (VPN) or IP spoofing techniques.

Ineffective use of geolocation also contributes to online payment fraud, which is expected to cost businesses 200 billion by 2024. Additionally, verifying location without the right intelligence leads to the much-maligned false positive, and from there metastasizes into a user experience nightmare.

How geolocation impacts users

Account takeover by way of location spoofing isn’t fun for businesses—particularly merchants who bemoan chargebacks—and neither is a false positive credit card decline, which unnecessarily annoys users and causes a churn reaction.

Imagine traveling to another state on vacation and needing to gas up your rental car. Easy enough. But the gas pump declines your credit card transaction, requiring you to call your bank and verify your identity, or, heaven forbid, actually have to go and talk to the member of staff in the office, which in turn throws off the timing of your family’s tightly packed itinerary. Even worse, what if you can’t buy a plane ticket because the airline triggered multi-factor authentication (MFA) and seats filled up by the time you verified your identity?

A recent fraud surge on the Nike SNKRS app exemplified the impact of location spoofing across verticals. The app released a special pair of sneakers only made available to customers within a certain region. Predictably, fraudsters manipulated their IP addresses in order to buy the sneakers, leaving a slew of unhappy SNKRS users in their wake.

Whether users are falsely identified as bad actors or locked out of buying a rare pair of shoes, relying on IP addresses alone to stop fraud is damaging to a brand’s user base and reputation.

IP address isn’t spoof-proof

IP addresses are easily exploited by fraudsters. Tapping a VPN or other proxy to conceal their location requires minimal sophistication. As such, businesses need to supplement IP data with additional location intelligence to accurately identify trustworthy users (and keep bad ones out). Conversely, they need to be able to identify when a legitimate, privacy-concerned user accesses online services and apps via a VPN. 

The question remains, then: What is the best (read: only) way to successfully outwit location spoofers and avoid geolocation-triggered false positives?

Relieving geolocation irritation

If location-spoofing fraudsters have your compass spinning out of control, Deduce’s identity intelligence data can provide a sense of direction. Deduce combines real-time and historical data to eliminate false positives, discerning if a user is fraudulent or if they’re simply a good, tax-paying citizen who’s on the move. 

Powered by the Deduce Identity Network—500 million anonymized user profiles, 150 thousand websites and apps, over 1.4 billion daily activities—Deduce’s algorithms analyze multiple trust signals, in addition to IP, for a given user (device, network, time of day, and a lot more) to determine if a user is legitimate.

By tracking online activity related to time of day, day of week, and specific activities such as logins, account creation, checkout, forgotten password, etc. over time, Deduce is able to discern “normal” behavior from fraudulent behavior. (After all, you’d be suspicious if your neighbor started mowing his lawn at 10:00pm, right?) As an identity’s activity is tracked over the course of two weeks, a month, six months, and so on, a more accurate picture of an identity’s behavior is established and the confidence factor increases. In fact, Deduce is likely the first to know when an ATO has occurred, usually well before the victim themselves.

In rare cases in which Deduce is not able to determine fraud via geolocation, our Customer Alerts feature quickly notifies consumers to confirm their identity and location. This feedback only strengthens Deduce’s algorithms to ensure such verification measures aren’t necessary in the future.

User experience isn’t the only incentive for companies to fortify their geolocation authentication. In some industries, such as online gaming, Deduce’s intelligence layer could prevent enormous fines related to regional gambling laws and/or the collapse of a company altogether. All the more reason to ditch an IP-only approach.

Ready to jump-start geolocation in your fraud prevention efforts? Contact us today and try Deduce for free.

Auth0 adds Deduce to its partner integrations

Time flies when you’re fighting fraud. 

It’s already been a week since Fast Company named Deduce the most innovative security solution of 2022. Now, our intelligent MFA technology is available on the Auth0 Marketplace, delivering increased security and an outstanding user experience to a huge swath of customers.

A no-code collaboration for the ages

Teaming up with Auth0 isn’t peanuts. The leading identity platform, acquired by Okta in 2021, secures access for some of the world’s biggest companies, including 1-800 Flowers, Pfizer, Sharp, and Subaru. Thanks to Deduce’s no-code integration, Auth0 customers can deploy our Intelligent MFA solution without breaking a sweat. Simple drag and drop tools enable users to add Deduce to any Auth0 workflow and choose the appropriate risk signals for their needs.

Deduce’s Intelligent MFA is especially impactful for risk-averse, regulated industries such as banking, fintech, insurance, gaming, and others. E-commerce companies that don’t employ such a solution can also be negatively affected, stung by false positives that result in abandoned shopping carts and lost customers.

Deduce’s Intelligent MFA adds just that—intelligence—to create an exemplary user experience. Our real-time intelligence layer analyzes 75 risk and trust signals for each privacy-compliant identity so only real account takeover (ATO) threats are flagged.

Here are some of the risk signals Deduce accounts for:

  • New IP Found (Is this IP new to this identity?)
  • New Device Found (Is this a new device for this identity?)
  • Suspicious Activity—Time of Day (Is this time of day not normal or suspicious for this identity?)
  • Impossible Travel Detected (Would it be impossible for a user to travel to a new location from the last known location in the given timeframe?)
  • IP / Account Cycling Detected (Has this IP frequently cycled over many different accounts?)
  • Malicious IP Detected (What malicious activity was observed for this IP across our network?)
  • Network Proxy (Is this identity using a malicious proxy?)
  • Network Hosting (Is this identity using a hosted network?)
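
How several of the signals listed above can be combined so that a new device or a new IP on its own does not trigger MFA. This is an added example, not Deduce's or Auth0's code: the Event fields, thresholds, decision rule and sample logins are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Thresholds are assumptions for this example, not Deduce's values.
MAX_KMH = 900         # faster than an airliner => impossible travel
CYCLING_ACCOUNTS = 5  # distinct accounts seen on one IP => cycling
HOUR_SLACK = 2        # hours either side of a familiar login hour

@dataclass
class Event:
    account: str
    ts: datetime
    ip: str
    device: str
    lat: float
    lon: float

def km(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def hour_gap(a, b):  # circular distance between two hours of the day
    return min(abs(a - b), 24 - abs(a - b))

def signals(event, history, network):
    """history: this account's earlier events, oldest first; network: other accounts' events."""
    out = set()
    if event.ip not in {e.ip for e in history}:
        out.add("new_ip")
    if event.device not in {e.device for e in history}:
        out.add("new_device")
    if history:
        if all(hour_gap(event.ts.hour, e.ts.hour) > HOUR_SLACK for e in history):
            out.add("unusual_time_of_day")
        last = history[-1]
        hours = max((event.ts - last.ts).total_seconds() / 3600, 1 / 60)
        if km(last, event) / hours > MAX_KMH:
            out.add("impossible_travel")
    if len({e.account for e in network if e.ip == event.ip}) >= CYCLING_ACCOUNTS:
        out.add("ip_account_cycling")
    return out

def decide(sigs):
    """Step up to MFA on a strong signal, or when all three weak signals fire together."""
    if sigs & {"impossible_travel", "ip_account_cycling"}:
        return "challenge"
    return "challenge" if len(sigs) >= 3 else "allow"

# Constructed sample data: two weeks of home logins (documentation IP ranges).
HOME = ("203.0.113.10", 37.77, -122.42)
HISTORY = [Event("tom", datetime(2022, 3, d, h, 17), HOME[0], "phone", HOME[1], HOME[2])
           for d in range(1, 15) for h in (8, 18)]
NETWORK = [Event(f"acct{i}", datetime(2022, 3, 14, 12, i), "198.51.100.7", f"dev{i}",
                 40.71, -74.01) for i in range(5)]
TABLET = Event("tom", datetime(2022, 3, 15, 18, 48), HOME[0], "tablet", HOME[1], HOME[2])
TRIP = Event("tom", datetime(2022, 3, 16, 10, 0), "192.0.2.44", "phone", 36.17, -115.14)
TAKEOVER = Event("tom", datetime(2022, 3, 14, 19, 0), "198.51.100.7", "laptop-x", 40.71, -74.01)

if __name__ == "__main__":
    for ev in (TABLET, TRIP, TAKEOVER):
        print(ev.device, ev.ip, decide(signals(ev, HISTORY, NETWORK)))
```

The tablet login at home and the login from a new city two days later each raise a single weak signal and pass without a challenge; the login from across the country 43 minutes after the last home login is challenged.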

Powering these risk signals is the Deduce Identity Network: the largest real-time identity graph for online fraud in the US. With over 450 million anonymized user profiles and upwards of 1.4 billion daily activities at its disposal, the Deduce Identity Network and its Intelligent MFA application provide a critical layer of identity fraud defense to your Auth0 Identity Platform.

A cooler way to MFA

At Deduce, we believe there’s a cooler way to MFA, which, let’s face it, can sometimes feel like “More Frustrating Authentication.”

Most MFA solutions trigger far too many false positives and burden legitimate users with circuitous verification processes. This often leads to churn, and potentially a costly hit to company reputation. A recent CMO Council report hammered this point home, indicating that 81 percent of users preferred companies that enabled easy and secure account verification, with more than 60 percent having canceled a transaction due to an inefficient authentication process.

Easy setup

Check out our solution brief to see how integrating Intelligent MFA into Auth0 can help you reduce friction, improve conversions, combat fraud, and keep customers happy. Additionally, this guide walks Auth0 users through the Intelligent MFA activation process (it’s a cinch!).

The video below shows just how easy it is to set up.

As for prerequisites, there aren’t many: an Auth0 account and tenant (sign up for free here); an API Key and a Site ID (reach out to [email protected]); and a tenant with MFA enabled.

To learn more about our partnership with Auth0, read the official press release.

There’s a cooler way to MFA

For the most part, multi-factor authentication (MFA) is effective at preventing account takeover (ATO) and other types of identity fraud. But the friction it adds to the user experience is a different story.

We like to think of MFA as “More Frustrating Authentication.” (Users with shorter fuses may prefer a different F-word.) Like the helicopter parent who insists on walking their teenager to the mailbox, some MFA solutions are too overbearing and easily triggered, resulting in false positives.

Flagging legitimate users and adding multiple steps to the verification process is a sure-fire path to churn. For e-commerce brands, specifically, adding unnecessary MFA friction to existing problems such as cart abandonment and chargebacks is not on their to-do list.

Not winning any popularity contests

In 2019, a Google poll found that only 37 percent of respondents used MFA. That same year, 29 percent of respondents in a BYU study agreed that logging in with a second factor wasn’t worth the increased security.

These numbers firmly place MFA in the “Least Likely to Succeed” category of the high school yearbook. With more consumers ditching their desktops — 51 percent of US online activity was mobile in 2020 — and attention spans growing shorter by the day, user sentiment regarding MFA will continue to trend negatively.

Ironically, some outdated MFA solutions lend themselves to fraud. For example, sending a one-time passcode to a user via SMS — a widely used authentication factor — can be compromised by fraudsters through SIM-swapping. Yet another reason for MFA’s struggles.

The friction affliction

Customer churn is the most glaring downside of implementing a traditional MFA approach. Flashing a security badge to enter an office building is understandable, but a user undergoing multi-factor authentication upon each login defies justification.

Lost sales and customers are logical outcomes of MFA friction: no one wants to jump through a series of password reset hoops. Per a CMO Council report, 81 percent of users indicated they would seek out companies that employed an easy and secure identity verification process, while over 60 percent had canceled a transaction due to inefficient authentication. Deduce has seen cases in which tens of thousands of new monthly users gave up on brands due to sluggish new account verification alone — long before a conversion can take place.

The hit to customer lifetime value, and potentially brand reputation, is a tough pill to swallow. The increased friction may lead to more hours for customer support reps as well, who surely have more pressing matters to handle.

The cooler way to MFA

Fret not, there is still hope for MFA — it just needs to be smarter.

Passwordless MFA is one intelligent multi-factor option. Roughly one year ago, Auth0 released its Adaptive MFA product, a contextual solution that flags login attempts carrying legitimate risk. Another great example of reducing user friction is Stytch’s just-in-time authentication. These approaches are all steps in the right direction, as complex verification scenarios, like logging in from a new device, require increased intelligence and lots of data.

Deduce’s real-time intelligence layer is the perfect complement to these tools, and it can be seamlessly integrated right on top.

The Deduce Identity Network, consisting of more than 450 million anonymized user profiles, gathered from over 150,000 participating websites and apps, analyzes 100+ factors in real-time to verify a user’s identity. Aside from preventing account takeover and account creation fraud, Deduce’s algorithms — which also comprise billions of daily interactions from across the web — significantly reduce the odds of credible customers getting flagged for false positives.

Don’t let MFA be a multi-factor detractor. Contact Deduce today and discover the smarter way to MFA.