After talking about 2-factor authentication in my previous post, let's look more closely at verification on mobile apps.
A password is the usual one; a lot of apps (especially financial ones) use a PIN. But how many use both?
Is unlocking your phone plus a verification step to enter the app already 2-factor verification? Not really, right? Both secrets are typed on the same device, and often they are the same digits, so it is two checks rather than two independent factors.
We are used to passwords by now; the habit was brought over from the web.
Let's look at some of the issues a PIN has, from both the security and the usability side:
1. Security logic:
   - the usual PINs are 4 or 6 digits, so consider 5 (it keeps the app PIN visually distinct from the device passcode; remember that an extra digit only multiplies the keyspace by ten, so the attempt limit does the real protective work)
   - don't allow ascending or descending runs like "12345" or "54321"
   - don't allow vertical sequences on the numeric keypad like "14725"
   - don't allow the date of birth (if the user had to enter it during Sign Up you already have that data)
2. User perspective:
   - users need to remember a custom pattern, so "forgot PIN" flows will be more frequent
   - many PIN screens look like the iPhone lock screen, and the similarity nudges iPhone users into setting the same PIN as their device passcode
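The security-logic rules above, as an added example that is not code from the original post: a small Python policy check for the PIN-setup step. The keypad layout (1 2 3 / 4 5 6 / 7 8 9 with 0 under the 8), the date layouts tried for the date-of-birth rule, the default length of 5, and the extra repeated-digit rule (which the list above does not mention) are assumptions of this example.

```python
"""PIN policy checks for a PIN-setup screen (added example, not the post's own code)."""
from datetime import date
from typing import List, Optional, Tuple

# Keypad columns read top to bottom, assuming the standard phone layout
# (1 2 3 / 4 5 6 / 7 8 9 / 0 under the 8). Assumption for this example.
KEYPAD_COLUMNS = ("147", "2580", "369")
_COLUMN_WALK = "".join(KEYPAD_COLUMNS)      # "1472580369"
_COLUMN_WALK_REVERSED = _COLUMN_WALK[::-1]  # "9630852741"

# Numeric layouts a user is likely to type from their date of birth (assumed set).
_DOB_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d")


def is_numeric_run(pin: str) -> bool:
    """True for ascending or descending runs such as 12345 or 54321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_keypad_column_walk(pin: str) -> bool:
    """True when the PIN walks down (or up) the keypad columns, e.g. 14725 or 2580."""
    return pin in _COLUMN_WALK or pin in _COLUMN_WALK_REVERSED


def is_repeated_digit(pin: str) -> bool:
    """True for PINs like 11111 (extra rule, not in the post's list)."""
    return len(set(pin)) == 1


def matches_date_of_birth(pin: str, dob: date) -> bool:
    """True if the PIN appears inside the DOB written in any common numeric layout."""
    return any(pin in dob.strftime(fmt) for fmt in _DOB_FORMATS)


def pin_policy_violations(pin: str, dob: Optional[date] = None,
                          allowed_lengths: Tuple[int, ...] = (5,)) -> List[str]:
    """Return the names of every rule the PIN breaks; an empty list means accepted."""
    if not pin.isdigit():
        return ["digits_only"]
    problems = []
    if len(pin) not in allowed_lengths:
        problems.append("length")
    if is_repeated_digit(pin):
        problems.append("repeated_digit")
    if is_numeric_run(pin):
        problems.append("numeric_run")
    if is_keypad_column_walk(pin):
        problems.append("keypad_column")
    if dob is not None and matches_date_of_birth(pin, dob):
        problems.append("date_of_birth")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a DOB collected at Sign Up and a few candidate PINs.
    signup_dob = date(1990, 7, 7)
    for candidate in ("12345", "14725", "07071", "11111", "29174"):
        print(candidate, pin_policy_violations(candidate, dob=signup_dob))
```

Run the check in the setup screen and show the first violation as the rejection reason; if the PIN is also verified server-side, run the same policy there so a modified client cannot skip it.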
Of course Touch ID helps a lot here: it is a perfect PIN replacement that still keeps the PIN as a fallback, and it is visually distinct enough from both a PIN and a password.
The problem I bumped into is how to make clear to the user that they are setting up two different things. Passwords are usually set during Sign Up, and many users do it on autopilot. When setting up a PIN they remember the numeric keyboard and the pattern they created. Going through a flow that uses both, they usually get stuck on the password, unless you forced them to set up a custom PIN too. In that case you had better prepare a good recovery process, or you will probably lose the user.