"We understand that this may seem inconvenient to some, but we want to offer the best possible solutions to protect your Epic account." A campaign from the Epic Store has just ended, which should lead to the more frequent use of 2FA and thus increase security.
This last sentence in the announcement highlights the issue of security, user experience and 2FA. It is undisputed that 2FA at least suggests an additional level of protection and if implemented correctly (unfortunately, this is not always the case), it provides it.
2FA in brief
There are three categories (factors) that can be used for identification: secret knowledge, individual possession and biometrics. In a classic username-password login, only the factor "knowledge" is used. With 2FA, two factors must be in possession of an attacker to overcome a security barrier. Since each factor requires a different attack method, 2FA increases security.
Each factor has its strengths and weaknesses, but always different ones so that the needs for an attacker increases significantly.
But why is 2FA such a significant obstacle in user interfaces?
Imagine a door. And you would first have to enter a PIN code and then unlock it with the key. Or in your car, you would have to turn the ignition key and then enter a pin. Does it seem strange to you? Feel like unnecessary for this job? Many computer users feel the same way. We are used that it is enough to enter our password (or for the apps on our mobile phone not even that) and then you have to dig out your mobile phone and confirm your login?
Although the new online banking is annoying because you have to confirm all sorts of things over and over again on your mobile phone, was it more user-friendly in the past? The tan generator, which you never had at hand when you needed it, was even more annoying and I don't even want to talk about the tan lists.
How online banking was implemented in an insecure and user-unfriendly way
If I use a second app (on the same mobile phone) or even the same app on one mobile phone, I have in fact bypassed 2FA - my security feature. It doesn't help if you need the phone to make a transaction in the browser because I don't need the browser at all, I can do everything via the phone anyway. So why not just an app, with a pin, that would be equivalent in terms of security and more user-friendly. And all transactions that are started by this app are directly authenticated. If that's security, then any further barriers based on the same factors will only bring frustration to the user.
How does it get more user-friendly?
Imagine a series of doors. And for each one, you want to use 2FA. However, since it is somewhat convenient, you use the same two factors everywhere. In this case, you could also use a single secure door instead, with all the other doors unsecured behind that one door. Both methods are equivalent in terms of security, but in the second case, you only need to unlock one door.
And if you only need to remember one combination of credentials, you can use more secure (and perhaps complicated) methods there, since you only need to use them once.
A look into the future - how to make it even more secure (and user friendly)?
2FA is nowadays very good in terms of security (if implemented correctly) and should be used in many cases. Especially the possibility to achieve this protection effectively once should be applied.
However, 2FA will be a phase-out model because security and user experience are not compatible. The future will be Continuous Behaviour Verification. Because a single barrier, a single door, will no longer be sufficient in the future. Instead, methods will check the use of the program in the background, detect anomalies and intervene in these cases. Thus, attackers will not only have to overcome the entrance barrier but will have to behave like a valid user throughout, which would add further complexity to the attack.
The whole thing happens without the individual user noticing anything. The user's experience is not changed because it is exactly the user experience that security is all about. His usual usage creates a unique pattern which then serves as security against attackers.