Two-Factor Authentication

Recently I found myself forced to use two-factor authentication (2FA). The change took place on a bank's online account web portal. The web site changes were new, and 2FA had not been used previously. On the first day the 2FA went live I immediately ran into usability issues with the new interface.

  • The web browser options were limited to four brands with explicit minimum versions. Firefox ESR is not one of the options, which forces Firefox users to update every few weeks.
  • The 2FA QR code text box limited entry to 8 characters, so customers could not enter the full QR code secret.
  • When using the voice phone option, the incoming calls came from different phone numbers. My guess is the non-800 numbers were developers' phone numbers used during testing that were not removed before going live.
  • When using the voice phone option, the web browser pop-up did not tell the user which phone number the incoming call would come from. Without that information in the pop-up the customer cannot tell whether the calling number is legitimate and trustworthy.
  • When the voice call came from one of those developer numbers, the call disconnected immediately upon answering.
  • When using the voice phone option, the beginning of the recorded message was clipped, so the user did not receive the entire 2FA code.
  • The voice message was not repeated to help people hear the 2FA code.
  • The web browser pop-ups do not inform the customer of the length of the 2FA code. Knowing the length of the security code would be a helpful way to confirm the code.
  • There is no option to receive the 2FA code by traditional email to facilitate copy and paste.
  • The web browser 2FA options seem to be focused narrowly on a presumption that customers use a smart phone rather than a desktop or laptop computer.
  • The 2FA code is valid for 5 minutes. A 10 minute period would be more helpful.

I successfully tested the SMS option with my (flip) cell phone, but I live in a cell phone dead zone. I cannot be confident of receiving an SMS message with a cell phone. Often I do not have any signal at all. To have any hope of connecting at home I have to use the cell phone only in certain places in the house and sometimes outdoors. When visiting, other people have the same experience with their phones. The office computer is located in a room in the house that does not receive cell phone coverage. The 5 minute limit on 2FA code validity is a short period in which to travel to another part of the house and return to the computer.

The home phone voice message option is welcome, but the unrepeated, clipped voice message is useless. Three straight times I did not receive the full code when using this method.

The phone voice message was rapid and abrupt. Although a recording, the voice sounded rude and annoyed.

I informed the folks at the bank about the issues.

Software is too complex. Poor presumptions and sloppy testing further exacerbate these issues.
