How to Optimize 2FA for Better User Experience
There are many factors that help build a good user experience on a website. Improving the website navigation is the obvious starting point, along with a properly chosen content layout, certain accessibility practices, color palette and typography, and so on. However, security is just as important for UX as the visual aspects. And one security aspect that you should consider improving in order to offer better UX is your two-factor authentication (2FA).
We’ve already written extensively about what two-factor authentication is and how to add it to your WordPress website. In short, it’s a type of login authentication or verification where, instead of providing one proof of identity, the user needs to provide two. It’s usually a combination of a password or PIN and a security code sent via SMS or email, or a fingerprint, or a credit card number.
Now, a lot of websites offer 2FA not as a must but as an option. Obviously, you want as many of your registered users as possible to use 2FA. This improves the overall security posture of your website, reduces the risk of account breaches and ultimately improves your UX security-wise.
Today, we’re going to discuss a few things you can implement in order to optimize 2FA in WordPress. The key is to make it as easy and as appealing to users to opt for 2FA by:
Since multifactor authentication has been around for a while, chances are most of your visitors won’t encounter it for the first time ever on your website. They will already have some experience with it, and they will probably have their preferred verification channel or method. These channels, which we also call One-Time Password (OTP) channels, may include:
- SMS – Since most people have access to SMS, this is a very popular method. The code is sent via text message and then the user inputs it in the appropriate field.
- Email – This is a great solution in that most people have email and don’t have to install anything extra. The downside is that passwords can generally be reset via email, so if this channel is compromised, the second 2FA step is compromised along with it.
- Voice – This method assures there’s a live user on the other end, and it’s a great solution for users who don’t have smartphones. It usually works by verbally prompting the user to enter a keypad digit before providing them with a token.
- WhatsApp – As a widely used messaging app, WhatsApp is a good choice as a channel, as it’s independent from phone carriers.
- Silent Network Authentication – This is a quick method that doesn’t require any action from the user, as it verifies the phone number in the background using the built-in connectivity to the operator/carrier.
- Silent Device Approval – This method works by registering trusted devices and using them as authenticators.
- Push – With this channel, a push notification is sent to the user’s device prompting them to approve or deny a login request. It is a very fast method, and also very secure, as it may protect against phishing, bulk phishing, bot attacks and the like.
- Time-Based OTP Apps – There are a number of applications users can download to generate time-based one-time passwords, created using the current time as an input. Since the tokens automatically expire, the security level is significantly higher, plus the user doesn’t even have to be online, as long as their device’s clock is synchronized.
The most popular verification methods are email and SMS. However, since they’re not the most secure or even the most convenient methods, it is recommended to implement other channels too and widen the choice. Offering multiple options to users is crucial for good UX, and it’s not that difficult to do, either.
For instance, a plugin that can significantly help you optimize 2FA in WordPress is Two-Factor, a neat little solution that allows you to add multiple verification channels. You can send email codes, use time-based one-time passwords (TOTPs) via Google Authenticator or FIDO Universal 2nd Factor, and there is even a dummy method for testing. The plugin is completely free.
For a more advanced solution, you can check out WP 2FA, a premium plugin that, in addition to multiple authentication channels, also provides fully configurable 2FA policies, registration of trusted devices, support for custom login pages (e.g. WooCommerce custom login), and white labeling.
Speaking of white labeling, let’s see why this is important for improving 2FA user experience.
Sometimes people find it a bit off-putting or suspicious when they realize they have to deal with a third-party agent in a process. When it comes to 2FA, it may be even more of an issue, since it’s a process related to security, and people are understandably more suspicious, especially if they don’t quite understand how 2FA works.
It’s generally very easy to set up two-factor authentication in WordPress – you can do it very quickly, effortlessly and often for free. However, what this often entails is third-party branding. Plugins, especially the free ones, are designed in a way that lets visitors know what solution was used for the authentication, and which developer created it.
One way to overcome this issue is to explain what 2FA is and why it matters right from the get-go, as soon as a user registers. When presented with a transparent explanation that assures them 2FA is for mutual benefit and security, users will be more likely to use it.
However, sometimes this isn’t enough. If you want to really perfect the 2FA journey for your users, you may want to remove the third-party branding. This is called white labeling, and it means using your own logo, customizing the verification page to fit your branding and style, and generally removing any mention of a plugin that actually makes the authentication possible.
Not all plugins allow this, especially not in their free versions. We already mentioned WP 2FA, a plugin that allows you to control the look and the messaging of your two-factor authentication process, and it does so out of the box.
Another trait of human nature is that we’re easily annoyed. If we have to go through the 2FA process every time we want to log into an app or a website, we’re likely to lose our patience, especially if it’s a website or app we use very frequently. If given the option of skipping or turning off 2FA, people will definitely use it, and that’s something you want to avoid, for the sake of your website’s security.
Certain plugins (like WP 2FA, again) have the option of saving trusted user devices. This means that once a device has been identified, it can be selected as a “trusted device” that doesn’t require two-factor authentication for every login. Ideally, if the plugin allows it, you can specify a certain expiration period for trusted devices. That way, after that period, the users from that device will be asked to go through 2FA once again, making sure no breaches occurred in the meantime.
Wrapping It Up
As we saw, simply introducing two-factor authentication to your website isn’t enough to achieve an optimal user experience. As is always the case, you need to be receptive to your users’ needs and opinions, and adjust the UX accordingly. In the case of 2FA and security, this means providing ways to make the process as smooth and streamlined as possible, and making your visitors and registered users feel that you can and should be trusted. The methods we described above should do the trick and effectively help you optimize 2FA in WordPress with minimum effort.