Imagine: Two-Factor Authentication for Twitter
TL;DR: What if your favorite websites used Duo? A design exploration of Duo Push authentication applied to Twitter.
Who knows your password right now? Probably “Just me.” Or maybe “Me and two coworkers who help manage our shared corporate account.” Or even “I don’t even know it off the top of my head — it’s long and complex and I store it in my password manager.”
As long as your password isn’t “password” and you’re not sharing it, then you’re all set, right?
Here’s the thing: I’m sure Burger King and Jeep had reasonable passwords and kept them secret. (And Donald Trump. And Mat Honan. Etc.) But passwords fall into the wrong hands, and damage is done to brands and reputations before anyone has time to react. Bad for business, and frustrating for users.
So how could the online services you trust with your reputation, privacy, and money increase the security of their accounts? They could hand out ’80s-style hardware tokens to every user, and make them type a dynamically-generated number to log in. Or send one-time passcodes via SMS every time. But we all know that consumer websites can’t afford to put roadblocks like this in the path of their users. Even swiping through screens of apps to find and launch Google Authenticator and then transcribing a six-digit passcode into a second password field seems kludgy and silly. A modern, consumer-friendly company deserves modern, respectful methods of authenticating its users.
Here’s how we do it.
You type in your username and password. Immediately a notification alert arrives on your phone. Swipe to reveal a simple login verification dialog. Tap “Approve” and you’re logged in by the time you look back at your laptop.
We call this Duo Push, and our customers use it seamlessly every day. It’s fast and frictionless. It doesn’t feel like an interruption, so you can stay focused on your task instead of worrying about logging in. And while it’s clearly the easiest out-of-band authentication method, it’s also the strongest — we originally invented this patent-pending technology over three years ago to protect high-risk banking transactions.
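To make the push flow concrete, here is a small simulation of what happens between the website and the phone after the password has already been checked. This is an added illustration written for this page; it is not Duo's code and does not use the Duo Auth API. It assumes a per-device shared key established at enrollment, a random transaction id per login attempt, a 60-second validity window, and an HMAC tag that binds the user's tap ("approve" or "deny") to exactly one transaction so a captured approval cannot be replayed against a later login. The `PushAuthServer` and `PhoneApp` names, the key, and the addresses are all constructed for the example.

```python
"""Simulation of an out-of-band push second factor (constructed example, not Duo's API)."""
import hashlib
import hmac
import secrets
import time

PUSH_TTL_SECONDS = 60  # how long an unanswered push stays valid (assumed value)


def _tag(device_key, txn_id, decision):
    """HMAC over (transaction id, decision): the phone's answer is tied to one login attempt."""
    return hmac.new(device_key, f"{txn_id}:{decision}".encode(), hashlib.sha256).digest()


class PushAuthServer:
    """Website side: owns the pending-login table and the key shared with each user's phone."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.device_keys = {}  # username -> key set when the phone was enrolled
        self.pending = {}      # txn_id -> {"user", "created", "state"}

    def enroll_device(self, username, device_key):
        self.device_keys[username] = device_key

    def start_login(self, username, source_ip):
        """Called only after the password (first factor) has checked out.
        Returns the message the server would push to the user's phone."""
        txn_id = secrets.token_hex(16)
        self.pending[txn_id] = {"user": username, "created": self.clock(), "state": "pending"}
        return {"txn_id": txn_id, "user": username, "ip": source_ip}

    def receive_response(self, username, txn_id, decision, tag):
        """Validate the phone's answer; each transaction can be answered exactly once."""
        rec = self.pending.get(txn_id)
        if rec is None or rec["user"] != username or rec["state"] != "pending":
            return "rejected"  # unknown, foreign, or already-answered transaction
        if self.clock() - rec["created"] > PUSH_TTL_SECONDS:
            rec["state"] = "expired"
            return "expired"
        key = self.device_keys.get(username)
        if key is None or not hmac.compare_digest(_tag(key, txn_id, decision), tag):
            return "rejected"  # answer was not produced by the enrolled phone
        rec["state"] = "approved" if decision == "approve" else "denied"
        return rec["state"]

    def is_logged_in(self, txn_id):
        return self.pending.get(txn_id, {}).get("state") == "approved"


class PhoneApp:
    """Phone side: shows the prompt and signs whatever the user taps."""

    def __init__(self, username, device_key):
        self.username = username
        self.device_key = device_key

    def answer(self, push, decision):
        # In a real app the user sees push["ip"] and the site name before tapping.
        return (self.username, push["txn_id"], decision, _tag(self.device_key, push["txn_id"], decision))


if __name__ == "__main__":
    server = PushAuthServer()
    key = b"constructed-device-key"          # shared at enrollment (constructed)
    server.enroll_device("alice", key)
    phone = PhoneApp("alice", key)
    push = server.start_login("alice", "203.0.113.5")   # documentation address
    print(server.receive_response(*phone.answer(push, "approve")))  # approved
    print(server.receive_response(*phone.answer(push, "approve")))  # rejected (replay)
```

The point worth noticing is that the website never learns a secret from the phone: it only checks that the answer for this transaction id was produced with the enrolled key, and it refuses anything late, repeated, or from a key it has not enrolled. A denied prompt is itself useful signal, because it means someone else has the user's password.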
What’s even more exciting is that we’ve published a set of APIs that enable SaaS and web applications to integrate Duo Push into their authentication flows. Check out our Auth API and Two-Factor Authentication for SaaS Apps solution guide to learn more. We’ll also be offering mobile SDKs to build this functionality into third-party iPhone and Android apps soon (contact email@example.com for more on that).
As Google says, “The age of the password is over and never coming back” as attackers mass-hack users, and companies find themselves vulnerable to user password reuse across sites. Our goal has been to develop two-factor authentication worthy of the sites we love, and hope that our work has helped make security suck less!
What do you think? Are there sites that implement two-factor in ways you like better? What other services would you want to see Duo applied to? Any complicated use cases to consider? We'd love to hear your experiences and insights below!