How It Works

Device binding links a user's account to a specific device, such as a mobile phone or computer. This ensures that only authorized devices can access the user's account, thereby reducing the risk of unauthorized access and fraud.

To implement device binding, users are required to go through an additional verification step when logging in from a new device. This can include performing eKYC or entering a one-time password (OTP) through the originally registered phone number or email address.

What Device Binding Tries to Address

🔒 SECURITY RISKS: If device binding is not implemented, fraudsters can access a victim's account without needing to gain access to their device. This allows them to perform fraud digitally and remotely, with a low barrier to entry.

👩 USER EXPERIENCE: Without device binding, users may need to authenticate themselves repeatedly through complex user journeys, which can be inconvenient and frustrating.

⚖️ COMPLIANCE ISSUES: Some industries and regions mandate device binding as part of their security and compliance regulations. Failure to comply can result in legal and financial consequences.

Example

Assuming a user has a digital bank account that they access through a mobile app:

• During the user's first login, the app records the phone's unique identifier and binds it to the user's account.
• For subsequent logins, the user only needs to provide core credentials, such as biometric authentication, or a combination of username, password, and security question.
• If the user attempts to log in from a new device, such as a laptop, the bank's system recognizes it as a new device and requires additional verification.
• To complete the login process, the user receives a one-time code via SMS or email, which they must enter.
• More stringent account policies may require users to perform eKYC, such as facial recognition and ID document scans, to access their account.