My wife went to a lecture last week on internet security and the expert who spoke suggested everyone turn on two-step verification, also known as two-factor authentication. It's a great idea in theory, but a terrible idea in practice.
On one hand, this is a great way to get your employees another level of security without a lot of heavy lifting on your part. The problem is that it's such a pain to implement that even a savvy user like myself ran into big problems.
The way two-step verification works is you enter your regular password, then the service sends a text to your mobile phone with a code. You enter the second code and you're in.
I tested the process on three services: Google, Twitter, and LinkedIn. All three worked just fine on my computer. But when I tried to access the services on my phone, that's where I ran into varying degrees of difficulty, all of which made me turn off the two-step verification immediately.
Unlike the other two services, which I could live without, Google services include Gmail and Google Drive, both of which are integral to my work. That's why Google gives me a bunch of temporary codes I could use in a pinch when I didn't have a signal to get a text. Google suggests keeping that paper in your wallet. I suppose it's unlikely that you would have your wallet and phone stolen, but a piece of paper strikes me as a weak link.
But it was still something I could live with in the name of an extra layer of security. I turned it on, tested it on my MacBook Pro, received my code, and it worked fine.
Then I picked up my iPhone and the trouble started.
I opened Gmail and was told my password was no longer valid. I entered it again, expecting Google would prompt me for a verification code, but it didn't. It verified my password, and when I opened Gmail again, same thing happened. I went searching online and found out there are some applications that don't support two-step verification on certain devices, including the iPhone.
I imagined a less persistent employee suddenly realizing that they couldn't get their mail on their phone. Your help desk would probably be blowing up right about now. But I was determined, so I pursued it further.
I found out it required a special password. The Google Help page assured me this was easy and not to worry. I generated the special password, which was quite lengthy and complex. It told me I only needed to enter it once, but it was at this point I started thinking twice. It wasn't clear if that one-time password meant I couldn't get at Gmail on my iPhone again without generating another one, and entering the password would be a pain anyway.
That was my stop sign. I bailed right there and turned off two-step verification, but I figured I would test it in a couple of other services to see if they implemented it better.
You could probably live without Twitter and your business wouldn't come to a screeching halt, but given Twitter that has been hacked in the past, it's not a terrible idea to turn on two-step verification. At least in theory.
Twitter starts by making you turn on mobile phone support to access the two-step verification options, which seems harmless until you realize you're actually signing up to have Twitter notifications pushed to your phone. Picture every tweet resulting in a buzz on your phone. Um, no thanks. It's hard to turn off, too, once you turn it on. I worked around the issue by selecting the sleep option and choosing from midnight to midnight as the time frame.
Once I turned two-step verification on, as with Google, it worked fine when I tried it with my home PC, but when I went to the phone, same story. It wouldn't provide me with a code and I turned it off.
LinkedIn was actually the closest to working the way I would have hoped. I signed up, tested it on my computer, and it worked as with the others. I opened the LinkedIn app on my phone and it signed me out and prompted me to sign in again, which I did (after retrieving my password because I had forgotten it). Then just as you would expect it gave me a message that I needed a code, click OK to continue. Yes, looking promising. It texted me the code immediately and gave me instructions to add it to the end of my password.
I placed my cursor at the end, excited that it was finally working...but then it didn't. Instead of letting me add the additional information, it replaced my password with the code, which didn't work. I tried it a couple of times with the same result and I shut it off.
That's oh-for-three.
How about putting the user first?
Two-step verification is a great idea, but it's designed for geeks. Normal people are very likely to be intimidated by the process. Security has to be easy and put the user first. These systems smack of ideas from engineers and produced by engineers with little thought to design. As Brian Katz wrote in a post earlier this week, we need to focus on UX, and these tools failed to do that.
The best security is when you don't have to think about it because it's built in. When it's as deliberate and clumsy as these processes, and worse, at least appears to break services on your mobile devices (even if it's only temporary), it's going to scare people off.
We need to create systems that make it dead simple and the two-step verification does not pass that litmus test as currently designed. This is too bad because everyone could use more security. But what they don't need is a slew of angry calls to their help desk because apps aren't working on mobile devices.
