A recent string of high-profile cyber-attacks in Australia has made cyber-security front of mind for many of us. In a recent letter by the Australian Prudential Regulation Authority (APRA), it has been suggested that APRA-regulated entities (i.e. organisations working in insurance, banking or superannuation) must implement multi-factor authentication (MFA) in order to comply with cyber-security standards. However, implementing MFA comes with its own hurdles — in this article we’ll break down what MFA is, look at some of the associated challenges and suggest principles you can follow to design a smooth MFA experience for customers.

What is multi-factor authentication (MFA)?

An illustration of different Authentication Factors including password, pin, sms, app and biometrics.

Authentication can be broken down into three different factors:

  1. Something you know (e.g. password, PIN)

  2. Something you have (e.g. a One Time Password (OTP) or smartphone authenticator)

  3. Something you are (e.g. biometrics like your fingerprint or iris)

Generally, online authentication used to require only one factor: a username and password, both of which are something you know. Many products and services now require two or more different factors, which is known as Multi-Factor Authentication. MFA is widely recommended as an essential mitigation strategy against malicious actors and cyber threats.

(You may have also heard of Two-Factor Authentication, also known as 2FA. This is simply a special case of MFA, since two factors are still more than one.)

Challenges of implementing MFA

As a customer, MFA can feel like an unnecessary obstacle when all you want to do is log in and complete your actual task. In the worst-case scenario, you may not be able to authenticate at all if you’ve lost access to one of your authentication factors.

Frustrating MFA experiences can result in unhappy customers and place undue stress on your organisation’s support team. To help mitigate this, we’ve provided some guidelines for designing a smooth MFA experience.

Principles to help design a smooth MFA experience

Illustration of an open laptop. The message on the screen says "Enter the 4-digit code sent to you at ******12"

We’ve selected seven of Jakob Nielsen’s 10 Usability Heuristics to help explain how you can design for an efficient and usable MFA experience. Following these principles will help keep your customers and support team happy without compromising on your cyber-security. 

1. Visibility of system status

It’s important to let customers know what’s happening during the authentication process. For example, it should be clear when a prompt or SMS has been sent to the customer’s phone. Feedback for interactions and updates should be shown as quickly as possible so that customers feel in control.

2. Consistency and standards

Many customers will already have experienced MFA on other platforms. Keeping your MFA experience consistent with existing conventions (e.g. interactions or layout) will make it more learnable. You should also keep your MFA experience internally consistent within your product or family of products for the same reason.

3. Recognition rather than recall

Remove barriers that require customers to recall knowledge from memory. For example, you might show the name of the device that a prompt has been sent to, or the (partially masked) phone number that a code has been sent to. This gives customers a clear, actionable step, and is especially useful when someone has an old device registered or owns multiple devices.
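As an added example (not code from the original article), the helpers below build the "sent to" message the principle describes. The phone mask keeps only the last two digits behind a fixed-length run of asterisks, matching the "******12" style shown in the illustration, so the message helps the customer recognise the destination without revealing the full number to someone who only holds the password. The delivery target shape (`type`, `value`, `deviceName`) is an assumption for this example.

```javascript
// Added example, not part of the original article: mask a registered contact
// detail so the MFA screen can say where a code went without revealing it.

// Number of mask characters is fixed (not tied to the real length) so the
// output never leaks how many digits the stored number has.
const PHONE_MASK = '******';
const VISIBLE_DIGITS = 2;

// Keep the last two digits of a phone number and mask the rest. Formatting
// (spaces, "+61", brackets) is stripped first so it cannot leak structure.
function maskPhone(phone) {
  const digits = String(phone).replace(/\D/g, '');
  if (digits.length <= VISIBLE_DIGITS) {
    // Too short to mask meaningfully: show nothing rather than the whole value.
    return '*'.repeat(digits.length);
  }
  return PHONE_MASK + digits.slice(-VISIBLE_DIGITS);
}

// Keep the first character of the local part and the domain, e.g.
// "j***@example.com". The domain stays visible because it is what helps a
// customer recognise which address they registered.
function maskEmail(email) {
  const text = String(email);
  const at = text.lastIndexOf('@');
  if (at < 1) return '***';
  return text[0] + '***@' + text.slice(at + 1);
}

// Build the status line for the MFA step. `target` is an assumed shape:
// { type: 'sms' | 'email' | 'app', value?: string, deviceName?: string }.
function deliveryMessage(target) {
  switch (target.type) {
    case 'sms':
      return `Enter the code sent to you at ${maskPhone(target.value)}`;
    case 'email':
      return `Enter the code sent to ${maskEmail(target.value)}`;
    case 'app':
      return `Approve the prompt sent to ${target.deviceName}`;
    default:
      throw new Error(`Unknown delivery type: ${target.type}`);
  }
}
```

Run the masking on the server and send the already-masked string to the browser; if the full phone number or email is embedded in the page for the client to mask, it is exposed to anyone who can read the response.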

4. Flexibility and efficiency of use

Provide multiple ways for customers to authenticate themselves. Customers may be able to authenticate themselves via SMS or another method that they have set up. This will help mitigate instances where someone is unable to authenticate and must resort to contacting support.

If customers are entering a One Time Password, validate their input as soon as it’s completed so that submitting it does not require an additional action. This will help streamline the authentication process and reduce the user effort required.
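The following is an added example (not the article's own code) of the auto-submit behaviour described above: the field decides only whether the entered code is complete, tolerates codes pasted with spaces or hyphens, and hands off to a submit callback exactly once. The code length of six digits and the `submit` callback are assumptions for this example.

```javascript
// Added example, not part of the original article: submit a One Time Password
// as soon as the field holds a complete code, with no extra button press.

// Assumed code length; match it to what your OTP provider issues.
const OTP_LENGTH = 6;

// Accept codes pasted as "123 456" or "123-456" as well as digits typed one
// at a time. Returns the bare characters with separators removed.
function normalizeOtp(raw) {
  return String(raw).replace(/[\s-]/g, '');
}

// Classify the field contents. "complete" means exactly OTP_LENGTH digits;
// letters or extra digits are reported as invalid with a plain-language
// message rather than silently truncated into a wrong submission.
function otpState(raw) {
  const code = normalizeOtp(raw);
  if (!/^\d*$/.test(code)) {
    return { status: 'invalid', code, message: 'The code can only contain numbers.' };
  }
  if (code.length < OTP_LENGTH) {
    return { status: 'incomplete', code, message: null };
  }
  if (code.length > OTP_LENGTH) {
    return {
      status: 'invalid',
      code,
      message: `The code is ${OTP_LENGTH} digits long. Check the message and try again.`,
    };
  }
  return { status: 'complete', code, message: null };
}

// Wire a text input: on each input event, submit once the code is complete,
// and only once. `submit` (assumed) posts the code to the server and returns a
// promise; if it rejects, the guard is reset so the customer can try again.
// Whether the code is correct is never decided here; that stays server-side.
function attachOtpField(input, submit) {
  let submitted = false;
  input.addEventListener('input', () => {
    const state = otpState(input.value);
    if (state.status === 'complete' && !submitted) {
      submitted = true;
      submit(state.code).catch(() => { submitted = false; });
    }
  });
}
```

Keep the client's job limited to recognising a complete code; checking it against the issued value, expiring it, and limiting the number of attempts all belong on the server, where a user cannot bypass them.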

5. Aesthetic and minimalist design

Keep the interface minimal. Customers should only see what’s directly relevant to them at each step. Excessive or redundant content will make it harder for customers to understand what they need to be focusing on.

A visually appealing and well-designed interface can make the process easier to follow. According to the Aesthetic-Usability Effect, customers also perceive aesthetically pleasing interfaces to be more intuitive and usable.

6. Help users recognise, diagnose and recover from errors

When providing error messages, you should use plain language to indicate the issue and then provide a solution. Use conventional visual language like red text and borders to clearly highlight where the error is.

7. Help and documentation

Ideally, setting up and using MFA should be self-explanatory to customers. However, if necessary, additional documentation should be available as online articles to help customers resolve their issues. Documentation should be concise and clearly worded with specific and actionable steps. As a last resort, customers should be able to contact support if they can’t progress any further.

Tailoring MFA to your organisation

Although these usability heuristics are a great reference to have, the ideal MFA experience may look different for every organisation and its customers. Customers may be required to authenticate within different contexts and platforms, and the level of authentication required may differ. When possible, we recommend conducting user research to best understand what your customers' needs, goals, and journeys look like. This will help you design an experience that's tailored to your customers while meeting all your organisation's security needs.

Once the experience has been designed or implemented, we also recommend conducting usability testing to monitor how usable customers are finding it. There are likely to be missed opportunities and edge cases that can be refined — ongoing iteration is key to creating successful outcomes.

Despite its challenges, MFA is an essential cyber-security control to keep your organisation protected and compliant. We hope that this article has helped demystify what goes into creating a smooth MFA experience for your customers.

About the author

Joshua Zhang

Designer and Researcher

Josh is a skilled UX/UI designer who has a flair for understanding complexity, uncovering insights, and crafting great designs. Josh has strong visual design skills and is adept at solving complex design problems.
