
Project: I am working on improving the 2 factor authentication (2FA) user experience for end users.

Problem: 2FA is an easy way to drastically improve one's security posture with many sites (e.g. AWS, Github, Google, Stripe, etc), but it is still an incredibly annoying user experience that gets worse the more sites you use it with.

- When I pick up my phone to enter a 2FA code, I often get distracted by an email, text, or other notification. I'll put my phone down a minute later and think "what was I doing? Oh right, I need that 2FA code".

- It is also annoying to visually identify the correct site/account combo in my list of 2FA codes because I use many online services and may have multiple accounts at each one (e.g. AWS).

- Though some apps have a better UI presentation of 2FA codes, the classic Google Authenticator app shows all of the codes in a single list and I would often put in the incorrect code from a row above/below what I intended because it was difficult to visually keep track of the correct row as I transcribe the 2FA code into my desktop browser.

- It is annoying when the 2FA code changes while I am entering it in my desktop browser. Often, sites will accept the previous 2FA code as well, but if I only entered the first 3 digits and don't recall the last 3 digits, then I have to start over entering the new 6 digit 2FA code.

I am working on a new user experience which replaces these pitfalls and annoyances with the ability to simply click a button on your phone as your second factor of authentication. This workflow is compatible with any site that currently implements 2FA (e.g. AWS, Github, Stripe, etc, etc) and provides the same level of security as using another 2FA app such as Google Authenticator, Authy, etc.

It would be really encouraging/useful if you could leave a comment explaining why you might find this new 2FA UX useful or not! Thanks.



Just curious, how are you planning on approaching this problem in a way that apps like Authy aren't doing?


As johnmaguire2013 guessed, we will have a browser extension which will request a 2FA code from the mobile app. The mobile app will receive a push notification and ask the user whether they would like to allow or deny the request for a second factor of authentication. The user only needs to click one button on their phone and the 2FA code is securely sent to the browser, where everything else related to submitting the 2FA code can be automated.

The browser extension can integrate with any site that currently supports 2FA without any integration or changes required on the part of the sites.

Let me know if you have any more questions! Do you think you'd be willing to change your 2FA workflow to the one described above? If not, what are some of your concerns, thoughts, etc? Any and all feedback is appreciated!


It sounds like he's going to support OTP 2FA, likely through a browser extension? That's my guess anyway.


Yup, you nailed it. That is exactly the plan. Any thoughts on that approach? Do you think you might be willing to update your current 2FA workflow to the one described above?


I think it's a very cool idea! The other big UX issue with 2FA (in my opinion) is backup & restore -- nail both and you'll have a pretty solid product.

For disclosure, I work for Duo, so I'm a big believer in push-based 2FA. (Consider applying if you're interested in usable security!)


Ah! Duo is definitely one of the incumbents in the space that we looked at during our competitive analysis. As far as I understand it, your push based 2FA solution only works for sites which use Duo as the 2FA provider. Is that correct?

I am hoping to build a solution which has a similar sounding UX to Duo Push, but works for any site that currently implements 2FA without requiring the site to make any changes at all. I think that this will provide more comprehensive coverage of sites that developers and other users interact with on a regular basis. For example, Github will not update their backend to use a 2FA service that I write because they already have a good solution in place, but by using a browser extension I can build the UX that I want without any changes required on Github's end.

Admittedly, I had some trouble getting started with actually trying out Duo to get a feel for the UX, but I will definitely have to check out the features that you provide to see what competitors in the space are already doing.

I agree that Backup & Restore is another prime part of the 2FA UX that needs some TLC. We've got some thoughts on improving that as well, but the first step is to nail the UX of actually being productive with 2FA and then come back to add enhancements.

Here is to some healthy competition! :)


Yep, we have integrations for many services, but software must integrate or support SAML (as Github Business/Enterprise does) for us to do 2FA. Our core product isn't really 2FA however, and we have different target markets: Duo primarily targets businesses looking to protect the services their employees access, while it sounds like you're trying to provide better UX for any consumers of 2FA.

I completely understand your approach and think it's a really neat idea. Looking forward to seeing it. :) Feel free to connect with me via email, I'd love to beta your product.


Thanks for the background on Duo.

I'll definitely reach out once we have a beta to demo. We'd love to get some feedback from folks outside our immediate team!



