Cassidy James :eos: :gg: :fh:

People building apps and web services: I feel like we need to talk about two-factor authentication terminology.

Here are some of the things I always think and then realized I've never written down. 🧵

Cassidy James :eos: :gg: :fh:

1. Your company's two-factor app is NOT the only choice; carefully consider how you refer to it!

For example, every Google login *still* says to get a code "from the Google Authenticator" app. I've never used that app, and yet I can sign in just fine; because I use a different authenticator. But you'd never even know that's an option, which could trip some folks up.

In Google's case it also smells anti-competitive, but this advice applies to everyone.

Cassidy James :eos: :gg: :fh:

2. Authenticator apps don't just run on phones, you know.

This one's pretty universal; Mastodon, Fastmail, and more services I use daily tell you to get your authentication code "from your phone". That's just inaccurate in the age of browser plugins, password managers, tablets, desktop apps, and keyring syncing.

Authenticator codes are not tied to a phone, even if mobile apps are a common way to use a second factor. Instead, ask for the code from their "authentication app or password manager".

Cassidy James :eos: :gg: :fh:

3. Get over the abbreviated technical terms, please.

2FA, TFA, MFA, OTP, TOTP, HOTP... no. Those are technical implementation details that are important, but are not easily-understood terms. Don't use those in prominent user-facing strings!

The widely-accepted terms are "two-factor authentication code" and "one-time password". I suggest using those terms, and if needed, mentioning the technical implementation less prominently.

Cassidy James :eos: :gg: :fh:

Those are the big three that I always think when I come across them. I thought there were more, but can't think of them at the moment. :)

Did I miss any that trip you up or annoy you?

Jens

@cassidy caveat:
As long as the technical term is visible somewhere clearly.
/Someone who had to dig deeeeeep to find the correct name for Gnome Web a thousand times.

Kyle Leaders

@cassidy Yes please! Let's drop the technical acronyms in all user facing flows. Another place this shows up is credit card forms: CVV, CSC, CVC, CVD, SPC. I don't have a great replacement name but can we at least pick something?

Stu

@cassidy I agree completely, although tend to use Aegis.

Minor caveat: they've enabled Microsoft Authenticator for our work accounts and it very much requires a phone. It uses the "enter the number on the screen" UX flow. I know that's not the OTP codes you're talking about in this thread, though.

Cassidy James :eos: :gg: :fh:

@tehstu yep, if your flow is tied to a specific app instead of a standard, sure. But if you're implementing a standard, don't pretend it's your own proprietary thing. :)

Of course you can always recommend someone uses your own app, but that's relevant *when setting up* two-factor, not when prompting for a code. You don't need to advertise your own services here.

At most, you could say "Enter the code from your authentication app or password manager, e.g. Microsoft Authenticator."

Jay

@cassidy I see a lot that say “from Google Authenticator,” too, even though they work with any authenticator that can scan a QR code.

Cassidy James :eos: :gg: :fh:

@jsit yeah... that's just giving one of the largest corporations in human history free advertising! Stop it! :)

This differs a bit when *first registering* two-factor authentication; in that case, sure, tell people they can use Google Authenticator (but I'd recommend listing multiple options including popular password managers if you're gonna list them by name).

ch0ccyra1n :she_her:

@cassidy unfortunately my university forces me to use Duo Authenticator, which is nonstandard from what I can tell
