Eli Wachs

June 21, 2023

App-Clips Verify Real People Behind Devices

From day one, Footprint has had a goal of building one-click KYC to remove the toggle companies face in the ongoing battle of fraud vs. friction. We knew, though, that if you remove friction the second time, you must be extremely confident that you are accurately verifying the person the first time. This task is only getting harder, as fraudsters are constantly getting better at creating synthetic identities and getting past tamper checks for driver's license scans. It is more important now than ever to verify that the person signing up for an account is a real person, and the real person who owns that device.

While it is costly to let a fraudulent person into an app, it is disastrous if you do that with a portable identity and enable one-click fraud. In that doomsday scenario, you would make it incredibly easy for bad actors to create accounts en masse with few repercussions. That is why, instead of being lenient on our first check by using tools like reverse look-ups, we leverage novel tools to confirm the person behind the screen truly is who they say they are.

The Footprint Toolkit to Fight Back

App Clips tie a real identity to PII

While most KYC companies focus on “magic” behind the scenes in a black box, we bring magic to developers by solving many problems at once, and to users by creating the best onboarding experience. This is not to say we trail our peers on the backend. It is simply an acknowledgment of something they should admit: traditional KYC data sources are commoditized. We all have access to the same bureau data, and have similar waterfalls.

Thus, once Footprint takes the step of verifying a phone number and matching that to PII at the bureaus, we then use a no-download mobile native experience (App Clip/Instant App) to triple-bind the identity: we verify first that the phone number is linked to the device it is on, and then that the device is not jailbroken, is an authentic Apple/Google device, is running cryptographically signed code, and is connecting from a non-spoofed IP address.

In doing so, we are leveraging App Clips (iOS) and Instant Apps (Android) to spawn a native identity and device verification flow that instantly fosters trust regardless of whether the user is coming from a desktop web, mobile web, or app experience.

The native device experience is important not only for building trust, but also for verifying it. Behind the scenes, Footprint leverages native strong cryptography and anti-fraud technologies like Passkeys for iOS and Android, DeviceCheck, SafetyNet, App Attestation, Biometrics (liveness), and Silent Network Authentication.

Device Attestation

Apple and Google spend billions of dollars protecting their mobile ecosystems and helping their customers reduce fraud and abuse in their app stores. Both have developed sophisticated device attestation and anti-fraud frameworks, and Footprint leverages these frameworks to detect and stop fraud during the device binding step in identity verification. Footprint can verify that the Android or iOS device is not jailbroken/rooted and is running a legitimate signed version of our code, and can detect whether or not this device has been associated with other verified identities in our network. This massively raises the cost of fraud: either the adversary must compromise Apple/Google’s attestation root of trust (which is worth hundreds of millions if not billions) or, more realistically, the adversary must buy legions of authentic iPhones/Androids at massive scale (prohibitively expensive). This is a massive step-function increase in the cost of performing fraud.

To Conclude

Through these tools, Footprint introduces the concept of zero-trust fraud. We know fraud will happen, but now we can ensure it happens at most once per device. Farewell to the days of same-device multi-identity fraud.

85% of Americans have a smartphone; 57% of Americans are on iOS, with nearly the entire remaining 43% on Android. Better yet, 94.4% of the population is on iOS 14+, meaning they have App Clip-compatible devices (similar maturity for Android). This means the US population is ready for App Clips + passkeys. Imagine if you felt quite confident 82% of the people in your funnel had real biometrics tied irrevocably to their identities and to their device. Not only does this give you peace of mind for this group (Footprint has web users link a passkey via App Clip), but it enables you to then apply more scrutiny to the remaining 18% who are going through other means. People will commit fraud; we just want to make it very difficult and expensive for them to ever commit fraud again.

If you commit fraud with a fake identity, you need a new device to commit fraud again. If you commit fraud with your real identity, even if you get a new device, you’ll still be a labeled bad actor within. Conversely, as the good actor database grows in Footprint, there will be fewer possible synthetic or stolen identities to mathematically try within Footprint to commit fraud (keeping in mind that if two people appear with the same identity, we step up both until learning who the real owner of the identity is). App Clips make sure we limit each device to one identity.
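The binding rules described above (attestation gate, one identity per device, step-up when the same identity appears from a second device) can be written down as a small decision function. This is an added illustration, not Footprint's code: `Attestation` is a constructed stand-in for a verdict the server has already verified with the platform, and every name and decision string is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Attestation:
    """Constructed stand-in for a verdict the server has ALREADY verified
    against the platform attestation service (verification not shown)."""
    device_key_id: str    # stable per-device key identifier (assumed field)
    genuine_device: bool  # authentic Apple/Google hardware
    os_intact: bool       # not jailbroken / rooted
    app_signed: bool      # running the expected signed build

@dataclass
class BindingStore:
    device_to_identity: dict = field(default_factory=dict)
    identity_to_devices: dict = field(default_factory=dict)
    flagged: set = field(default_factory=set)    # identities labeled as bad actors
    contested: set = field(default_factory=set)  # identities awaiting step-up

    def decide(self, att: Attestation, identity_id: str) -> str:
        # 1. Every attestation property must hold before any binding happens.
        if not (att.genuine_device and att.os_intact and att.app_signed):
            return "reject:attestation"
        # 2. A labeled bad actor stays labeled, even on a brand-new device.
        if identity_id in self.flagged:
            return "reject:flagged_identity"
        # 3. One identity per device: a bound device cannot onboard another.
        bound = self.device_to_identity.get(att.device_key_id)
        if bound is not None and bound != identity_id:
            return "reject:device_already_bound"
        # 4. Same identity seen from a different device: step up everyone
        #    claiming it until the real owner is established.
        devices = self.identity_to_devices.setdefault(identity_id, set())
        if identity_id in self.contested or (devices and att.device_key_id not in devices):
            self.contested.add(identity_id)
            return "step_up"
        # 5. First sighting, or a returning user on their bound device.
        self.device_to_identity[att.device_key_id] = identity_id
        devices.add(att.device_key_id)
        return "allow"

    def flag_fraud(self, identity_id: str) -> None:
        # The device binding is kept on purpose, so the device stays "spent".
        self.flagged.add(identity_id)

if __name__ == "__main__":
    store, ok = BindingStore(), (True, True, True)
    for dev, ident in [("dev-A", "id-1"), ("dev-A", "id-2"), ("dev-C", "id-1")]:
        print(dev, ident, store.decide(Attestation(dev, *ok), ident))
```

Because `flag_fraud` leaves the device binding in place, a device used with a flagged fake identity is still rejected for any new identity, which is the "you need a new device" property the post relies on.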
