How to Improve the 2FA User Experience
Two-Factor Authentication (2FA) is one of the most time-tested methods for increasing your website’s security. Using a 2FA plugin can make your site more resistant to attacks and help secure user data. The “problem” is that many sites don’t try to improve the WordPress 2FA experience.
Improving the 2FA user experience makes it easier to convince visitors to take advantage of your authentication method. The more registered users that activate 2FA, the less likely you have to deal with security breaches on your website. That’s a significant benefit, and you can take advantage of it by encouraging visitors to opt into 2FA.
In this article, we’ll review some statistics about 2FA usage and discuss ways to improve the user experience. By the time we’re done, you’ll have enough information to help increase 2FA adoption among your user base. Let’s get to it!
How Widespread Is 2FA Adoption?
2FA is hardly a new technology. Multifactor identification, in general, has been around since the 90s. However, the technology didn’t start to see real adoption until the early 2000s. Nowadays, it’s pretty rare to find popular websites that don’t offer 2FA to their users.
With the technology being so widespread, it would make sense for adoption rates to be sky-high. After all, 2FA is easy to use.
However, in practice, 2FA (and multifactor authentication) adoption, in general, is abysmally low. In its latest transparency report, Twitter made it public that only 2.6% of active accounts use 2FA. That number barely increased by 6.3% from 2020 to 2021.
The numbers aren’t all that better among businesses. A DataProt report from 2022 shows that only 26% of companies with online operations use multifactor authentication. Even then, the sites may not actively enforce the usage of these tools.
If you think these numbers are bad, take a moment to think about how many accounts you have with 2FA enabled. Chances are you don’t use the authentication method for all accounts, but only in specific cases, and you wouldn’t be alone. Even though many of us know how much safety 2FA offers, we sometimes skip using it because it adds an extra step to accessing a website.
As a website owner, you need to understand that most users may prefer not to enable 2FA, even if you offer it. Simply using a 2FA plugin isn’t enough. You’ll need to take active steps to make 2FA as user-friendly and frictionless as possible to maximize the number of people that opt into it.
3 Ways to Improve the 2FA User Experience
The term “user experience” can have a lot of meanings. In the context of 2FA, improving its experience means making it easier to use.
Simply put, you want to minimize any potential frustration that users might feel while interacting with 2FA. Fortunately, there are several ways that you can achieve this goal!
1. Offer Multiple One-Time Password (OTP) Channels
One of the main reasons why many users don’t enable 2FA is that websites and apps might not offer the OTP channels they prefer. If you like to receive OTP messages over text, you might not appreciate it if a website forces you to install an app such as Google Authenticator or receive codes via email:
Offering just a single OTP channel is unlikely to make all users happy. With that in mind, your best course of action is to provide several channels, including the following options:
- Email (both codes and links over email)
- SMS texts
- Authentication apps (such as Google Authenticator and Authy)
As far as OTP channels go, those are the “basics”. Many popular 2FA plugins, such as Two-Factor and WP 2FA, offer access to some or all of these OTP channels. The premium version of WP 2FA also provides OTP channels such as WhatsApp, push notifications, and phone calls.
Ideally, you’ll want to use a 2FA plugin that offers as many OTP channel options as possible. That way, you’ll be able to provide users with more options, increasing the chances they’ll want to enable the feature.
Furthermore, you might consider enabling 2FA backup methods, or backup codes. That means if a registered user loses access to a channel (such as by forgetting their email password), they can switch to a backup and get the OTP they need without further delays.
Simply assuring users that they’re not limited to a single channel can ease their anxiety about getting locked out. With backup channels, it should be extremely rare that users can’t access your site.
2. Save Trusted Machines
Even if you make 2FA as easy to use as possible, many people might chafe at having to enter codes every time they want to access their accounts. This annoyance can increase exponentially if they have to use 2FA for accounts they use often. In some cases, the frustration can lead to users deactivating 2FA altogether.
The easiest solution to this problem is to use 2FA plugins that offer a “trusted machines” feature. Websites with access to this feature recognize the computers that visitors use to log in to their accounts. Then, recognized devices won’t have to enter OTP codes every time they try to log in.
Depending on the tool, you might even be able to review a list of authorized devices:
If you use a 2FA plugin that enables users to save trusted machines (such as WP 2FA), make sure that the tool includes expiration settings. These settings force users to re-confirm trusted devices periodically for increased security.
Depending on the 2FA plugin you use, it might automatically ask for device confirmation if it detects a new IP or can’t find the corresponding cookies. That means even less work for you when configuring the tool. Plus, users won’t need to “certify” devices as often.
3. White Label the 2FA Process
A significant challenge in improving the 2FA user experience is that most websites use third-party tools to implement this functionality. Coding a 2FA solution from scratch is outside the scope of most sites (even large enterprises).
With WordPress, you can set up a 2FA solution for free and, in some cases, in a matter of minutes, all thanks to plugins. The only downside is that many WordPress 2FA plugins include branding that lets users know they’re engaging with a third-party product.
For some users, working with third-party tools might be a dealbreaker. They might not understand how 2FA works. Plus, dealing with another service when logging in to a website may be too much.
Explaining how 2FA works after users have registered is a great start. However, if you want to go the extra mile, you can white label the 2FA authentication page that users see when they try to log in to your website.
White labeling means using your website’s logo, removing any mention of visitors using a plugin, and customizing the authentication page in any other way that you see fit:
When customizing the authentication page, you can include instructions on how to use 2FA. This can minimize confusion among users. Depending on which 2FA plugin you use, you might even be able to redirect users to custom pages after they go through the authentication process.
Ideally, you want to use a plugin that makes the 2FA white-labeling process as easy as possible. Most plugins let you customize them in any way you see fit, but that process often requires dealing with code. Other WordPress plugins, such as WP 2FA, offer built-in tools for white labeling, which is precisely what you should be on the lookout for.
Every website with registered users should offer Two-Factor Authentication (2FA). It’s an elegant tool that significantly increases your website’s security, making it harder for attackers to steal user data. Unfortunately, many users prefer not to use 2FA because of simple inconvenience. In many cases, they don’t understand how 2FA works, or your website doesn’t offer the best user experience.
If you’re looking to improve the 2FA experience on your WordPress website, here are three ways to help you get there. Implementing all of these methods should increase the percentage of accounts that use 2FA on your site.
Do you have any questions about improving the 2FA experience on your site? Let’s talk about them in the comments section below!
No comments yet. Why don't you kick off the discussion?