How do you make 2FA more user-friendly?
To keep up in today’s competitive consumer technology market, perfecting the user experience is a must. This makes it hard for brands to add extra security measures that can potentially disrupt the user experience. We consistently see brands sacrifice security for an optimal user experience, adopting the attitude, ‘it won’t happen to me’. But when it does, brands are unprepared and scrutinized for their lack of foresight. To solve this problem, striking a balance between usability and security is key in product design and security implementation.
The best solution is getting security integrated into the product design cycle early. This means security measures should be part of usability testing for every product, and we, the security community, should strive to implement easier-to-use security measures.
I agree that if 2FA is integrated as part of the solution design, the chance for disruption is much smaller. Beyond that, I believe that we can make 2FA easier by balancing the various authentication methods at our disposal (e.g. SMS, push, mobile app, email, etc.) and still provide a consistent experience throughout the steps of the customer journey that require some form of authentication, such as user verification upon registration, transaction, password reset, and continuous authentication.
It’s very important that an enterprise maps its own customer journey, understands and integrates 2FA where needed from early on, sticks with continuous authentication throughout the customer life cycle, and provides a consistent flow for users for each of these steps. An inconsistent experience would be, for instance, that the enterprise verifies the user’s phone number via an SMS but performs password reset via email only, and on top of that provides continuous access authentication via a mobile app. Of course all of these could be offered, but they should be used according to different situations (e.g. the user is roaming), fallback cases (e.g. text-to-speech for landline verification), the user’s preference and even cost.
Do you believe 2FA should be mandatory or turned on by default? Why/Why not?
The majority of consumers keep most defaults – that’s a rule for usability that’s been known for a long time. If it were mandatory to set 2FA as the default, more consumers would use it and would be more secure. That being said, in the US, it’s very unusual to require security as a matter of law for commercial entities, particularly for specific solutions like 2FA. I don’t think that will change any time soon.
I believe making 2FA optional is a no-go; authentication should be an intrinsic part of the customer journey. When thinking about the customer interactions, you’ll notice an inconsistency in how authentication measures are integrated. For example, look at the recovery of passwords from an app after a user downloads it and, down the line, forgets their password. There are multiple ways to retrieve the password, including recovery emails, SMS, etc., challenging the way authentication is used initially versus in the recovery method. The harder it is to recover a password, the more intrusive it is to a customer’s experience, making it harder for companies and users alike. This further challenges the idea of creating a balance between customer experience and security.
What’s your suggestion to solving the security vs. usability challenge?
Security is an investment that takes a lot of discipline for brands because it’s invisible until something goes wrong. Brands prioritize getting products to market, pushing features, and increasing sales more than adding in authentication processes. Because of this, we need to make it easier to implement secure authentication and it is critically important for the industry as a whole to address this pressing issue: balancing usability and security to protect our consumers, employees, networks and brands.
Striking a balance between convenience and security is vital for long-term success, but it’s up to both the security industry and brands to make this happen. The security industry is so focused on creating the strongest technology, but fails to see anything beyond the tech phase or social engineering to build security products with usability in mind and ease of integration into product design. It’s also a company’s own responsibility to integrate the best security measures available into their products.
What are the most promising advancements in 2FA that you think will be game changers in 2017?
There’s a lot of new innovation coming out around 2FA. There are mobile authenticators, apps, push authentication – a lot of game changers that will help with the security versus usability argument, as well. Apple has done a good job at implementing this with their Touch ID and I believe more people will start to use these types of systems. Mobile 2FA is here to stay and people are finding more ways to implement it.
Indeed, mobile authentication is the future, and authentication methods that are able to balance security and customer experience are probably going to be winners. In addition, I see a lot of movement in IoT as well as artificial intelligence and chatbots; both communication areas are growing in importance and user uptake, and as a consequence hackers will also pay more attention to these services. Right now we are at an innovation phase that doesn’t pay much attention to security, but as risks have already been pointed out, it’s more likely that technologists will start integrating security earlier in product designs, as Isaac mentioned. If so, it’ll be a win-win for enterprises and consumers alike.