Two-factor authentication: How Security and UX can work together on the user journey

Two-factor authentication. Three words guaranteed to drive fear into any UX specialist.

You design a smooth, intuitive user journey, where people can effortlessly access your site, flow through the process with barely a click and be thrilled by the ease with which they acquire what they need.

They love that you’ve taken the time to build a process to log in with an existing account (like Facebook or Google) and they don’t need to memorise another password.

They’re so close to giving you their details and signing up to your site… then suddenly two-factor authentication interrupts their journey like a ringing gong.

Your site asks your user for a mobile number, which they fear to give in case they start getting cold-called, and threatens to send them a code by text that they will need to enter into your site.

Now your user has to hunt around for their phone – you can only pray they haven’t broken or lost it – bring it out of their bag or coat, drag it over to their device like Sisyphus, before flicking back and forth between devices, transcribing long numbers as if they were in a 90s film about computer hacking.

More than likely, this is where your user will think, “I’ll do this later,” then never visit your site again.

USB kidding

I once worked with a security consultant who firmly believed that passwords should be replaced by USB keys that you could stick into a port on your device to unlock your account. This was supposedly on the basis that people wouldn’t forget them like they do their logins.

I’m sure I don’t need to point out that people can lose a small piece of plastic much more easily than they can permanently forget a memorable word, or that keys are much more easily stolen than information, let alone that many devices don’t have USB ports anymore…

With these kinds of attitudes, it can be very tempting to allow frustration to cause antagonism between UX teams and security. Security teams are solely focused on protecting data, so can become myopic. For them, if no users ever visit your site, they have succeeded in their task with no effort required.

When they do turn up however, users do silly things like making their passwords ‘password1’ or similar. Bearing this in mind, it’s easy to see why security teams may come to see users as the enemy and why there might be tension with UX teams, who advocate for the user.

In the worst cases, UX and security teams work against one another, each trying to undermine the other’s hard work to achieve their goals. As a UX specialist however, you need to accept that security is important, whether you like it or not.

Doing away with passwords and identity protection may make your site more user-friendly, but if anyone can steal your customers’ information, you’re hardly offering a good user experience.

Securing the user journey may often require a compromise on ease of use, but a talented UX specialist should be able to optimise the UX of security features.

At the very least, working together with security teams, you can minimise the disruption to the user journey that data protection can cause, and there are numerous ways you can do that.

Does everything really need to be secure?

If you open up Amazon, you can browse the items available and see recommended purchases as if you were logged in from the start. It’s only when you try to actually complete your purchase or access your account information that it stops and asks you to log in, because nothing needed security up until that point.

It’s easy for security to act like a guard at the gate shouting “who goes there!?” to everyone who walks past. In fact, there are only ever certain parts of the information on your site that actually need to be secured.

Go through your site and rank the content and features as public, personal and secure. Your service catalogue would, like Amazon, be public; your user’s wishlist and profile would be personal; and their credit card details would be secure.

Make sure that only the latter two items require a login and only the secure things require full encryption. That way, you’re never asking your user to go to the effort of re-entering their password details if they just want to check the price of your service.

A secure path

Ever the innovator, Slack offers users a “Magic Link” to access their accounts. When a new login is created, Slack sends an email to the user with an access link. They can get into their account from the same device with a simple click at any time, but the link is still safe behind their email login.

It can even be sent by text message; and if their phone and email are compromised, they have bigger problems than just your site. It’s a simple solution that I’m surprised more sites haven’t implemented.
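The Magic Link flow described above, sketched as an added example (not Slack's implementation and not code from the original article). The 15-minute lifetime, single-use redemption, binding to the requesting device, the placeholder host and all identifiers are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60                    # assumed link lifetime
BASE_URL = "https://app.example.test/magic"   # placeholder host, not a real service


def _digest(value: str) -> str:
    """Store only hashes, so a leaked table cannot be replayed as links."""
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinks:
    def __init__(self, ttl: int = LINK_TTL_SECONDS):
        self._ttl = ttl
        self._pending = {}  # token digest -> (user_id, device digest, expiry)

    def issue(self, user_id: str, device_id: str, now: Optional[float] = None) -> str:
        """Create the link that gets emailed (or texted) to the user."""
        now = time.time() if now is None else now
        # A new request replaces any older unredeemed link for this user.
        self._pending = {k: v for k, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (user_id, _digest(device_id), now + self._ttl)
        return f"{BASE_URL}?token={token}"

    def redeem(self, link: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid click, or None for any failure."""
        now = time.time() if now is None else now
        tokens = parse_qs(urlparse(link).query).get("token", [])
        if len(tokens) != 1:
            return None
        # pop() makes the link single-use, even when a later check fails.
        record = self._pending.pop(_digest(tokens[0]), None)
        if record is None:
            return None
        user_id, device_digest, expires_at = record
        same_device = secrets.compare_digest(device_digest, _digest(device_id))
        if now > expires_at or not same_device:
            return None
        return user_id
```

In a real deployment `device_id` would be a random value set in a cookie on the browser that requested the link, so a forwarded or intercepted email cannot be redeemed elsewhere.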

New tools

The majority of high-end smartphones have fingerprint scanners nowadays. Facial recognition remains unreliable, but fingerprint access is relatively secure and simply requires the user to tap their finger on their phone when logging in as an extra step of security.

You could even combine this with a Magic Link like Slack’s – open an email on your phone and it opens a fingerprint verification interface that unlocks your account – barely any hassle and still safe.

Safe space

Running along these lines, Android is currently trialing a feature they call ‘Trusted Place’. This works along the same lines as the Magic Link. If you’re accessing your account from your email, which only you have the password for, it’s probably you; likewise, Android reasons that if you’re accessing your device from your own house, which only you have a key to, you’re probably who you say you are.

As such, you can now set your Android phone to track your location so that when you unlock it in your own house, it will remain unlocked until you leave. Once your phone tracks you leaving your house, it switches back to a more-secure setting and starts locking itself when not in use.

This is, of course, reliant on your user trusting everyone they let into their house, but that option, and the choice to manually lock their phone when strangers are around, is up to them. Perhaps not one for the most secure of features, like payment details, but certainly an option for personal information.

Chromebooks and Apple Macs are using a similar feature, whereby they remain unlocked so long as your phone is also unlocked nearby, assuming it will be on the desk next to you whenever you’re working at your computer.

Of course, this has many of the same drawbacks as two-factor authentication, but at least you don’t have to deal with entering random numbers constantly.

How secure can you get?

This ultimately is the key: no matter what anyone tells you, there is no possible way to make any system completely secure.

Does that mean you should leave all the doors to your home open and spray paint “help yourself” on the side of your house? No, but nor do you put 17 locks on your door, each requiring a separate key that you keep in different places so they don’t all get stolen at the same time.

You make it as difficult as feasible for anyone to break into your home, while still making it practical for you to go about your business, in the hope that thieves will choose an easier target.

Cyber security is just the same. Make your site as simple and user-friendly as possible, while still making it difficult for hackers to access user accounts and information. You can only achieve that balance by working with security teams on the UX of your security features as much as that of your UI.

So take your security team out for a beer and remind everyone that you’re working together to produce the best UX possible. After all, getting robbed is never a good user experience.
