The balance between too hard and too easy

photo by
photo by

Like you, I have lots of accounts for applications. And I usually remember the passwords (ok, maybe not always). To avoid this problem, I use two factor authentication whenever possible. Two factor authentication is the use of an external token (at one time the dreaded RSA token, now an app running on a device you control that’s usually in physical proximity to you).

Too easy, or too hard?

Two factor authentication is an excellent example of a “needs to be easy enough to use, but hard enough to provide protection” problem. If you make it too hard, no one will use it. If it’s too easy to subvert, it’s also easy to hack. This is quite similar to the balance you need to strike when asking someone to use any new feature in an application.

Trust is the core of using a new feature – why do you believe that it’s ok to use and what’s the potential harm of getting this wrong? In 2-factor auth, the penalty for getting the problem wrong is pretty steep. In a typical feature the danger might be quite low. In both cases you need to tell the consumer what’s going to happen, give them a means to know and validate what’s happening, and deliver a clear benefit that will drive them to complete the task.

The Nuts and Bolts of the Process

What does this look like in practice? Take two factor authentication as implemented by Twitter. The process is pretty simple: register a phone, validate a code sent to that phone, and use that mechanism to validate with a six digit code any time access is requested on that account by an unknown source. Not bad, but not a true 2-factor implementation either – that would require an external program like Google Authenticator and a code that changes every 30 seconds seeded by a program running on a remote device.

Great. So now how do you manage the strange UI of switching applications, copying an “exploding code” back to the application that needs it, and making sure that the consumer can do the simple task of logging in? Login is a constant problem even without adding these layers. Twitter probably chose the simpler approach because it’s relatively simple. I say relatively simple because explaining authentication methods is never simple to everyone.

Product Design Takeaways

The takeaway for product design is that every feature needs to be simple to explain and have a clear benefit to the consumer. The guts of the implementation might be super complex, and if you can’t say it simply, the consumer will go away. Make it hard enough and easy for the customer: hard enough to provide the value the feature promises and easy enough that the consumer sticks around.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: