Two-factor authentication: How Security and UX can work together on the user journey

By UserTesting | May 23, 2023

Two-factor authentication is important for maintaining security, but adding it to the UX can interrupt a user's flow. How can you marry the need for security with the need for an effortless experience?

For example, imagine you've designed a smooth, intuitive user journey, where people can effortlessly access your site. They’re so close to giving you their details and signing up to your site when the request for two-factor authentication interrupts their journey.

Your site asks your user for a mobile number, which they're reluctant to hand over. Now your user has to hunt around for their phone, find the SMS code, type it in, and log in. This disruption threatens the relationship – it's a moment when a user might vow to log in later, but never come back.


Working together for UX and security

When these kinds of needs come up, it's tempting to let frustration turn into antagonism between UX teams and security. Security teams are focused on protecting data: even if that means interruptions to the UX, their main concern is that the site is secure.

In the worst cases, UX and security teams work against one another, each trying to undermine the other’s hard work to achieve their goals. As a UX specialist, however, you need to accept that security is important. It's essential for the business, and solid security is important for every user.

Doing away with passwords and identity protection may make your site more user-friendly, but if anyone can steal your customers’ information, you’re hardly offering a good user experience.

Securing the user journey may often require a compromise on ease of use, but a talented UX specialist should be able to optimize the UX of security features.

At the very least, working together with security teams, you can minimize the disruption to the user journey that data protection can cause, and there are numerous ways you can do that.

Does everything really need to be secure?

If you open up Amazon, you can browse the items available and see recommended purchases as if you were logged in from the start. It's only when you try to actually complete your purchase or access your account information that it stops and asks you to log in.

Go through your site and rank the content and features as public, personal, and secure. Your service catalog, for example, should be public; your user’s wishlist and profile would be personal; and their credit card details would be secure.

Make sure that only the latter two tiers require a login, and that only the secure tier asks for step-up authentication (re-entering the password, or a second factor) when it is accessed. Everything should still be served over HTTPS; what changes between tiers is how much you ask of the user, not whether the traffic is encrypted. That way, you're never asking your user to re-enter their password just to check the price of your service.
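A small route guard that implements this tiering, as an added example (not from the article): public routes need nothing, personal routes need a session, and secure routes need a second-factor check completed recently, so the user is only interrupted where it matters. The route list, the tier each route gets, and the ten-minute freshness window are assumptions.

```python
"""Tiered access: public / personal / secure, with step-up only for secure.

Added example, not from the article. Routes, tiers and the step-up window
are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    PUBLIC = "public"      # catalog, prices: no login at all
    PERSONAL = "personal"  # wishlist, profile: any valid session
    SECURE = "secure"      # card details, email change: recent second factor


# Assumed route -> tier classification for a hypothetical shop.
ROUTE_TIERS = {
    "/catalog": Tier.PUBLIC,
    "/product": Tier.PUBLIC,
    "/wishlist": Tier.PERSONAL,
    "/profile": Tier.PERSONAL,
    "/payment-methods": Tier.SECURE,
    "/change-email": Tier.SECURE,
}

STEP_UP_MAX_AGE = 10 * 60  # seconds a completed second-factor check stays fresh (assumed)


@dataclass
class Session:
    user_id: Optional[str] = None
    # Unix time of the last completed second-factor check, or None if never.
    second_factor_at: Optional[float] = None


class Decision(Enum):
    ALLOW = "allow"
    LOGIN_REQUIRED = "login_required"
    STEP_UP_REQUIRED = "step_up_required"


def authorize(path: str, session: Session, now: float) -> Decision:
    """Decide the least the user must do before this request is served."""
    # Unknown routes fail closed: treat them as secure rather than public.
    tier = ROUTE_TIERS.get(path, Tier.SECURE)
    if tier is Tier.PUBLIC:
        return Decision.ALLOW
    if session.user_id is None:
        return Decision.LOGIN_REQUIRED
    if tier is Tier.PERSONAL:
        return Decision.ALLOW
    # SECURE tier: a session alone is not enough; require a second factor
    # completed within the freshness window (step-up), then let it through.
    if session.second_factor_at is None or now - session.second_factor_at > STEP_UP_MAX_AGE:
        return Decision.STEP_UP_REQUIRED
    return Decision.ALLOW


if __name__ == "__main__":
    s = Session(user_id="u1", second_factor_at=None)
    for p in ("/catalog", "/wishlist", "/payment-methods"):
        print(p, authorize(p, s, now=1000.0).value)
```

The freshness window is what keeps the secure tier from nagging: a user who just passed a second-factor check can edit several sensitive settings in a row without being asked again, while a session that has been sitting open all day is prompted once before touching card details.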

A secure path

Ever the innovator, Slack offers users a "Magic Link" to access their accounts. When a user asks to sign in, Slack emails them a link; clicking it on that device signs them in without typing a password. The link is single-use and short-lived, and it is only as safe as the user's email login.

It can even be sent by text message, though SMS is the weaker channel, since a phone number can be hijacked by SIM swapping; still, if both their phone and their email are compromised, they have bigger problems than just your site. It's a simple solution that others can implement.
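The token handling behind a magic link, as an added example (not Slack's code): a random token goes out in the link, only its hash is stored, and redemption checks expiry and burns the token so a link that is forwarded or intercepted later cannot be replayed. The in-memory store, the fifteen-minute lifetime and the example URL are assumptions; a real service would persist the entry in a database and deliver the link by email or SMS.

```python
"""Single-use, time-limited magic-link tokens.

Added example, not Slack's implementation. Storage is an in-memory dict and
the lifetime and URL are assumed values.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL = 15 * 60  # seconds a link stays valid (assumed)


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


# Keyed by SHA-256 of the token. Only the hash is stored, so a leak of this
# table does not hand out working links: the attacker cannot invert it.
_pending: Dict[bytes, PendingLogin] = {}


def _hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def issue_magic_link(email: str, now: float,
                     base_url: str = "https://example.test/login") -> str:
    """Create a fresh token for `email` and return the URL to send them."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    _pending[_hash(token)] = PendingLogin(email=email, expires_at=now + TOKEN_TTL)
    return f"{base_url}?token={token}"


def token_from_url(url: str) -> Optional[str]:
    """Pull the token back out of a link, as the login endpoint would."""
    return parse_qs(urlparse(url).query).get("token", [None])[0]


def redeem_magic_link(token: str, now: float) -> Optional[str]:
    """Return the email to sign in, or None if the token is unknown, expired or used."""
    entry = _pending.get(_hash(token))
    if entry is None:
        return None
    if entry.used or now > entry.expires_at:
        return None
    entry.used = True  # single use: a replayed link fails from now on
    return entry.email


if __name__ == "__main__":
    link = issue_magic_link("ana@example.test", now=1000.0)
    tok = token_from_url(link)
    print("first click:", redeem_magic_link(tok, now=1100.0))
    print("second click:", redeem_magic_link(tok, now=1200.0))
```

The same structure works for an SMS code, but a six-digit code is guessable where a 256-bit token is not, so that variant also needs a small attempt limit per code and a short lifetime.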

New tools

The majority of high-end smartphones have fingerprint scanners and facial recognition, and the operating system exposes them to apps and websites as a way to unlock a stored credential without the biometric itself ever leaving the device.

You could even combine this with a Magic Link like Slack's – open the email on your phone and the link opens a fingerprint or face verification prompt that unlocks your account – barely any hassle and still safe. On the web this is what passkeys (WebAuthn) do: the device checks the fingerprint locally and then signs a challenge from your site, so the site never sees the biometric.

Safe space

Android's Smart Lock has long offered an option called "Trusted places." This works along the same lines as the Magic Link. If you're accessing your account from your email, which only you have the password for, it's probably you; likewise, Android reasons that if you're using your device in your own house, which only you have a key to, you're probably who you say you are.

As such, you can now set your Android phone to track your location so that when you unlock it in your own house, it will remain unlocked until you leave. Once your phone tracks you leaving your house, it switches back to a more secure setting and starts locking itself when not in use.

This is, of course, reliant on your user trusting everyone they let into their house, but that option, and the choice to manually lock their phone when strangers are around, is up to them. It is a device-unlock convenience rather than something your site can rely on: perhaps not one for the most secure features, like payment details, but certainly an option for personal information.

Chromebooks and Apple Macs offer a similar feature, whereby they unlock without a password when a trusted device that is already unlocked is nearby: a Chromebook with your Android phone (Smart Lock), a Mac with your Apple Watch (Auto Unlock), on the assumption that the device will be next to you whenever you're working at your computer.

Of course, this shares two-factor authentication's main drawback: you need the second device with you, and if someone walks off with it unlocked they have your computer too. But at least you don't have to keep typing random numbers.

How secure can you get?

This ultimately is the key: no matter what anyone tells you, there is no possible way to make any system completely secure.

Make your site as simple and user-friendly as possible, while still making it difficult for hackers to access user accounts and information. You can only achieve that balance by working with security teams on the UX of your security features as much as that of your UI.


About the author(s)
UserTesting

With UserTesting’s on-demand platform, you uncover ‘the why’ behind customer interactions. In just a few hours, you can capture the critical human insights you need to confidently deliver what your customers want and expect.