The Necessary Friction of Multi-Factor Authentication

The tradeoff between increased security and a seamless user experience

Sep 14, 2020 · 3 min read

One of the biggest conundrums in UX design is how seamless your app’s identity access management should be.

Get it right and watch as users sing your praise to the high heavens and shun your competitors.

But get it wrong — oh, get it wrong — and watch those same users suffer, potentially costing your company the kind of reputational damage that is difficult to recover from.

In this regard, two recent cases come to mind:

1. Cowries and Piggies

Nigeria-based wealth management app Cowrywise is still cleaning up the mess left after a popular Twitter user, Funmi Oyatogun, said “millions” of Naira went missing from her account.

When breaches happen at the user level, there’s an uncomfortable conversation about user responsibility that needs to be had.

That said, by its own admission, there were gaps in the way Cowrywise initially communicated with Oyatogun.

The company has since remedied the situation and helped to recover Oyatogun’s funds, after which it announced the following updates to its app:

  • Withdrawal options have been limited to bank accounts associated with a user’s BVN (Bank Verification Number) details.
  • Multi-factor authentication is enabled for cash withdrawals; users can only disable it via a token or through customer support.

Cowrywise’s competitor, Piggyvest, was busy taking notes as well and quickly announced security updates of its own.

2. Zimbabwean Zoombomb

The Zimbabwean government recently announced plans to ditch Zoom and trial its own virtual conferencing platform, TrueConf. This followed an incident in which a virtual meeting had to be halted when pornographic images suddenly appeared on screen.

While it makes sense for African governments to want to keep communication systems in-house (especially for high-level meetings), user responsibility, once again, seemed to be glossed over.

Zoom’s security issues are well-documented, but breaches like zoombombing almost always happen at the user level.

What’s more, they won’t go away just because you move away from the platform.

If anything, building your own technology from scratch introduces new security complexities, such as backend management. Just ask the Nigerian government, which had to explain why its videoconferencing systems appeared to be running on an outdated operating system.

In a move to assuage concerns over its platform’s security, Zoom recently announced that two-factor authentication can now be enabled on both the web and mobile versions of its app.

These are welcome developments.

In designing user access to sensitive activities like withdrawals and government communication, multi-factor authentication is becoming less of a nice-to-have and more of a necessity.

Even if it is not foolproof, MFA greatly reduces the chance that an attacker who has stolen a user’s credentials can reuse them.

The penalty to user experience might be high, but compared with the potential cost of a breach, it might well be worth it.

To read more, subscribe to the get.Africa newsletter, a weekly roundup of African tech in a language you’ll understand. New email drops every Monday morning.


Solutions Architect | Subscribe to 📬 https://get.africa, my weekly newsletter on African tech