How to Design Two-Factor Authentication Users Actually EnjoyOctober 11, 2019
Two-factor authentication today is a must. When the news features an endless parade of massive database hacks, your password just isn’t safe. Your password collection isn’t safe. In fact, passwords themselves are coming into question. The problem is that hackers have had decades to figure out ways to steal and use stolen passwords.
So we introduce a second layer of security: the two-factor authentication. Not every brand agrees on what that second factor should be, and technically, that is a good thing. When authentication from one service to the next isn’t even stored in the same kind of data file, hackers have a much harder time putting stolen passwords to use.
However, the downside of the second-factor disparity is that not all second-factor passwords are fun, convenient, or even usable. Today, we’re diving into where two-factor authentication has gone wrong, where it has gone right, and how to hone your authentication style for your users.
The Two Branches of Two-Factor Authentication
There are two types of two-factor authentication. First, there are those that ask you to use a separate phone or email address to confirm your login. Next, those that get creative with personalized ways to authenticate on-site. These both have their pros and cons.
The Phone Assumption (and Requirement)
The more serious and, at this point, more traditional, type of two-factor authentication requires users to have access to their email or, worse, their phone to access their account. These usually send a special code to a contact channel the user-provided on account creation. This is a generally smart way to do things because it also alerts a real user if someone is trying to hack their account.
Serious brands prefer phones because they are more secure. Smart brands that use this method ask to send an SMS code, but offer to send email instead. Because what if someone’s phone is dead or left on the counter? What if they’re a wacky tablet-user or teen who doesn’t have a phone? Not-so-smart brands only offer phone-auth and users without their phone on-hand and getting signals are flatly denied access.
Gamified Password Alternatives
The more fun and potentially just as secure are gamified second-factor authentication. These methods are often explored but have not been as widely used or accepted as secure by the greater web and mobile development community.
The idea behind a gamified password alternative is that the user does something unique. Perhaps they are given a grid of dots, then asked to draw a picture. Then they draw the same picture from the dot-grids every time using the exact same dots. It’s nearly impossible for a hacker to replicate because they will likely make at least a one-dot mistake.
Another option features an array of color-similar but not content-similar pictures. The user knows the order of the pictures they select. However, it would be difficult even for an onlooker to remember the difference.
Gamified password alternatives include the full scope of technological possibilities, from tapping the notes of a song to actually singing to one’s phone. Just as long as the developers remember not to use anything that is device-limiting unless their app, too, is limited only to that type of device.
The Keys to Enjoyable Two-Factor Authentication
For developers considering the two-factor possibilities for their own UI/UX, the key is to know your app and your audience.
- Security considerations
- Access device capabilities
- User preference
Serious audiences may prefer that you stick to tried-and-true code sending methods. As long as the email is always an acceptable alternative. Gamified options are not time-consuming.
To truly optimize both security and experience, you may want to offer a small selection of second-factor authentication based on the access device and preferences of your audience. A small selection of password games can delight the secure login process. A smart way to broach the issue is to decide between an access-code and a practical all-device gamified password.
Learn More About Designing Two-Factor Authentication
The next time you’re designing a basic keycode based two-factor authentication system, stop and consider: Would a gamified password alternative be preferable to my audience? Simply adding a grid-picture or photo-selection as an option might lead you to discover things about your audience and login streamlining that you had not witnessed before. For more insights into UI/UX design for business and consumer software, contact us today.