By simply reading this headline, a person has two gut reactions to branding two-factor authentication (2FA) messages: “absolutely not” or “convince me why.”
A few months ago, we saw an Australian mobile carrier allegedly slip an ad into a 2FA SMS. The fallout has been incredibly damaging and even required Google to step in. On top of this, the security community annihilated the company with the ad — and deservedly so.
This incident leads to a larger question. Should 2FA messages be branded? And if so, what should they look like?
We all learned from the earlier example about the wrong way to brand a 2FA message, but there should be a larger discussion here. These messages have continually lacked innovation by simply providing a series of numbers in an SMS. It requires consumers to step out of the application to a short code that is simply numbered to copy and paste.
There are ways to innovate 2FA and help brands and end users without ruining the technology’s main purpose or customer experience.
For a number of reasons, there are times when something goes wrong. Not all of us are security professionals, and even those who are still experience faulty 2FA from time to time. If a two-factor authentication message doesn’t work, no matter the reason, the first thing that we’re going to do is look for help. Why are we leaving this help to chance, assuming our valuable customers or users will find their way to our knowledge base or help portal? We could help them right here and now.
Adding some light branding with a logo and a specific 2FA FAQ company link for end user support could help those experiencing issues. This lightweight branding is non-intrusive and trust-building. A branded support link can be highly specific to the issues related to 2FA and add real value in the moment. With this approach, those who aren’t as experienced with technology might be more inclined to stay loyal to the brands they consume. For brands, this is a win-win.
Sometimes 2FA sign-ins fail due to outages. For example, in late July we saw an outage that caused banking, airline, postal and security password websites to fail. The common theme between these websites is that they rely heavily on 2FA notifications to work and deliver on time.
With these high-profile websites, every second the website is down becomes a loss of revenue. On top of that, consumers are left with no idea why their messages aren’t getting delivered and/or why the sign-in won’t work.
During such an outage, sending a lightly branded message that says, "Our site and mobile app are currently experiencing an outage. We will notify you when our sites are working so you can securely log into your account. We’re sorry for the inconvenience," could be the difference between retaining and losing customers.
A helpful message like this accomplishes multiple goals:
- It assures the end user that the issue is not their fault and that the brand is empathetic towards their experience.
- It provides a branding opportunity that can be customized far beyond a set of numbers.
In a world where outages often happen, 2FA businesses providing transparency about issues and offering support via branded messages could reassure customers and increase retention.
From the start of the customer journey, users interface with a branded mobile app or website and end with a branded experience after the transaction. When consumers reach the 2FA part of the equation, branding disappears. Why not keep customers in the brand mindset with examples like this:
"Your login code is: 123456. [insert company tagline]."
Two-factor authentication messages are serious messages, but the transactions as they are now hinder innovation and brand-to-consumer connection and are too one-dimensional. It’s about time that brands and mobile carriers take a look at how simple 2FA messages could do more for their brand and end users.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.