Why 2 Factor Authentication Hinges on the User Experience
With Twitter’s recent move to “push” and public-key cryptography, we and many others were glad to see them move away from SMS-only 2 factor authentication. Not only did they add better security, but they are also providing their users with a much more appealing experience. As 2 factor offerings among service providers and platforms continue to grow and change, it’s important that the industry stays focused on the correct goals for 2 factor adoption. Without a distinct focus on how users are experiencing 2 factor authentication, the industry may be forcing a needless battle of risk vs. convenience that could lead to a negative fate for this technology -- not for technical reasons, but for aesthetic ones.
The End User Determines the Success of Any New Technology
For all security controls that hinge on end-user adoption, the decisions that go into how a technology is implemented should consider a broad range of potential user issues. When you build security for end-users, but ignore their fundamental needs, your implementation will have little worth to your potential user base. Further, because the average user is slow to forget a bad experience, they will develop a prejudice against 2 factor in general.
Take for example the cryptographic software PGP. Most of us will struggle to remember when the last time we actually utilized PGP was. Next, consider how infrequently you used PGP to handle a file encryption problem. PGP is not bad software because it's insecure or doesn't work, it's bad because nobody actually solved the end-user adoption problems in time for it to be widely adopted.
For the users who did need PGP, the idea of key servers, key rings, fingerprints, and the rest of PGP's nuances that only a security professional could appreciate defeated the viability of the software. Where some software (especially security related) fails because it doesn't deliver on technological requirements, PGP failed to be broadly adopted because its developers never answered the question "How can we make this viable for the everyday user?".
With 2 Factor Authentication, All Roads Must Lead to Convenience
Twitter and many other organizations now find themselves struggling to meet both security needs and end-user desires with 2 factor authentication. Unfortunately not many of them are considering how to quickly make this process better before end-users become jaded about 2FA. Because organizations want to provide some sense of strong authentication, they deploy the minimum level of 2 factor required to check it off their list. This approach often results in a poor user experience which builds prejudice against 2 factor authentication in general.
The failure most obvious in practice is the idea that users should be tied to one device. This is sort of ironic considering one of the chief complaints about first-generation 2 factor authentication is that you have to remember to take a single token with you at all times. This was such a complaint, in fact, that a few people would even set up a webcam pointing at their token so that they could access it without having to remember the device every time they left home. Why then do many second-generation two factor solutions repeat this worst practice?
If a user is unable to login to a service or system they care about because of a constraint with a 2 factor platform you can bet they will disable 2 factor authentication as soon as they’re able to. The convenience vs. risk trade-off equation shifts dramatically when you don't allow an end-user to do what they want. Users will continue to forget their cell phone, or have no cell signal, or no data plan, or lose a token, or have their landline unavailable. Not addressing this reality creates critics rather than fans. Information security already has plenty of critics -- we need many, many more fans.
Why First Impressions Matter
By offering users plenty of options for their second factor of authentication, the "blame" shifts back to the individual if their experience is poor. Platforms and services should offer their users the ability to determine what it will take for 2 factor authentication to increase security without impeding their life.
Whether someone wants to interact with Facebook, Twitter, GMail, or a computer game, when they want to use something, they want to use it. If large service providers and platforms offering 2 factor authentication keep pushing single device or SMS-only 2 factor, the battle for broad adoption of 2 factor will be much harder than it needs to be—a huge negative for overall information security.
The opportunity to solve many security problems simply with strong authentication is too beneficial to miss out on. It is critically important that when a service or platform offers 2 factor authentication that they provide users with a great experience and not just a checkbox. Checkbox security will continue to lead to the failure of password-only security, along with increased compromises and data breaches. None of us want to see that.