Research Insights: Optimal MFA options for Web3 audiences

Web3Auth’s user research findings and insights from Token2049, 2023 in Singapore.
Research Insights: Optimal MFA options for Web3 audiences

Web3Auth’s user research findings and insights from Token2049, 2023 in Singapore.

TL; DR — A Summary

  • Participants chose Authentication App and Passkeys as the best possible pairing option for 2FA, owing to better ease-of-use. 43% chose the former, while 33% chose the latter as the best preferred options.
  • Despite the decent user experience, iCloud was perceived as a single point-of-failure because of the centralized nature of the storage solution and its parent company. Recovery Factors were compared to Email OTPs, and they were seen as ‘easy-to-save but difficult-to-use’.
  • Passwords were considered as old and that they are too hard to remember. Some participants preferred to continue to write down their passwords, because it is the safest option available. Security questions were perceived as unfavorable since they could be easily manipulated by AI and ChatGPT.
  • Although SMS OTPs may still be preferred by older generations, with cases like SIM-swapping, similar to that of the latest attack on Vitalik Buterin’s X account, the uneasy experience during overseas usage and the security concerns that come along with it, SMS OTPs were considered to be extremely vulnerable to hacking.
  • A lot of participants preferred to have at least 2FA, rather than nothing at all. 2FA options are deemed as necessary only for more sensitive assets, rather than for dApps that no longer need to manage larger monetary transactions.
  • Some developers would rather choose SMS OTP, than having no 2FA at all. Because they would rather risk the possibility of their users losing their keys than to be centralized. Some of them would choose an Authentication app and SMS OTP as the worst possible pairing option because they are worried about centralization.
  • Even though SMS OTPs are considered as bread and butter in Web2 authentication, a more Web3-native audience would rather be more conscious of their security implications and may least prefer SMS OTP to protect their digital assets or Web3 wallets.

Web 3.0 is often analogous with self-ownership or self-sovereign identity primarily because of its fundamental principles of decentralization, open-source protocols and cryptographic security. The first step that exemplifies these values lies in the core of how user authentication is done in Web3.

The authentication in Web3 allows users to have easily accessible, portable identities across different web applications and services. Having a Web3 identity, such as an Ethereum address, enables users to interact with numerous dApps (decentralized applications) without the necessity to set up individual accounts for each service.

But however, Web3 has relied mainly on seedphrases for the longest time despite the below-par user experience and the magnitude of security risks associated with them. Especially for new users who have just entered Web3, seedphrases could be extremely complex. The need for a Web2-like user experience in authentication and onboarding has been of paramount importance.

Two-Factor Authentication (2FA) comes to the rescue to solve this conundrum and acts as an effective alternative solution to seedphrases, with far superior user experience and ease of access. When one of the factors is compromised or marked as failed, users could conveniently fall back on other alternative factors, to reclaim account access. Having said that, 2FA enhances protection by introducing layers of security recoverability.

Jim Calloway, a legal expert at the Oklahoma Bar Association published an article in the bar association’s journal that exemplifies the need for Two-Factor Authentication (2FA) when it comes to both securing and accessing digital assets in storages such as Crypto wallets.

“A common shorthand way to describe the additional factor used for 2FA is something you know, something you have or something you are (biometrics). Something we have with us almost all the time is our mobile phone.”

Read more: Web3Auth Self-host SDK is now Core Kit

What do Web3 users think about 2FA?

The Web3Auth team had conducted a little user research exercise at the coveted mega Web3 tech conference Token2049, as well as at our very own side-event Wallets & UX Unconference. The objective of this exercise was to closely observe and understand what the industry preferred when it came to their preferred choice of Two-Factor Authentication (2FA) methods.

Using the dot voting method, we had a total of 478 votes, with 239 voting for best preferred, 232 for least preferred and 7 were unaccounted for. We asked the participants one simple question — which Two-Factor Authentication (2FA) options would best or least fit your use case?

Please note that the participants come from a background of comparatively higher expertise and knowledge in Web3 security and authentication methods. This is the kind of crowd that has an inherent tendency to avoid centralized technology solutions in authentication and security.

Having said that, here is what we found out —

  • Authenticator app — 43% say it’s best preferred.
  • Passkeys — 33% say it’s best preferred.
  • Recovery Factor — 10% say it’s best preferred.
  • iCloud — 10% say it’s least preferred while only 3% thought it’s best preferred.
  • Passwords — 10% say it’s least preferred while only 2% thought otherwise.
  • Security questions — 25% said it’s least preferred and 2% thought otherwise.
  • SMS OTP — 17% prefer it the least.
  • No 2FA — 32% say it’s least preferred..

Authenticator App

Since it is device-based and is widely used today, participants found it to be the most secure option in the market. This option garnered most interest during our voting and research, with 43% of participants choosing it.

However, there were some opinions that expressed disadvantages:

  • It is cumbersome to open another new app entirely, apart from the dApp that the users might already be active on.
  • It is a challenge to identify an authentication app that is one-size-fits-all, as most authenticators only allow a limit to the number of apps that can be stored.
  • Besides, if the users happen to lose their mobile devices, their authentication codes from the app can be very easily accessed and used.

Passkeys

Passkeys were a hit during the voting. It was considered to be the easiest and the most convenient option among all others. 33% of participants opted for Passkeys as one of their best preferred authentication methods.

Here is why:

  • It is far more difficult for hackers to manipulate the passkeys if a user loses his or her device, which is also why the participants thought it is a better preferred method, over Authentication App.
  • However, there were also minor concerns that Passkeys may not be very well-known for their use-cases, and that they ought to be explored better.

Recovery Factors

Recovery factor here refers to an extra phrase that acts as a backup to recover a user’s access credentials when the default option is compromised or lost or forgotten. To ensure ownership, users would need to download, copy and paste a recovery mnemonic phrase, to be able to recover their accounts back.

Easy to use but difficult to save — is what recovery factors were perceived as during the research. Only 10% chose them to be best preferred.

  • A participant felt it is quite similar to that of an OTP sent via email.
  • Another participant mentioned that it is still a single point-of-failure, and not as safe as it feels. His assumption was that those who thought it was better preferred were perhaps power users in Web3 or experienced developers.

iCloud

Since it is owned by a centralized tech conglomerate, the feedback at our research was that there is always a risk of single point-of-failure, although the cloud storage is considered to offer a decent user experience. Besides, iCloud has fewer use-cases in the market today, specifically pertaining to Web3.

During the voting, only 10% opted for iCloud to be the least preferred form of authentication.

Passwords

Passwords have been around for more than a couple of decades now, and come with a negative connotation to many because they are hard to remember. 10% of our participants voted them to be the least preferred while only 2% thought otherwise.

However, we also had some participants who opined that they would still prefer and continue to write down their passwords, since they find it to be the safest option available.

Security questions

In the age of artificial intelligence and ChatGPT, security questions were considered that they could be easily manipulated by AI. Participants felt that they are quite the unfavorable option, because these questions could be very common among different users, and so are the responses. 25% said it’s least preferred while 2% thought otherwise.

  • Almost everyone hated security questions. Because they rely on human memory, and these responses could easily change from time to time.
  • For example, your favorite color can change over a period of time. This infers that the developers feel that it might be worse than passwords, in a few cases.
  • Some participants found security questions to be annoying, and nobody wants to use them anymore.

SMS OTP

We are all aware that Vitalik Buterin, the Ethereum cofounder, had his X account hacked recently. The reason? It was a SIM-swap attack.

He said, “I didn’t know Twitter had OTP. Always thought 2FA was good enough. Lesson learned.”

With this incident taken into account, 17% of our participants felt SMS OTPs are the least preferred and that they are no longer secure, trustworthy or safe.

Here is why —

  • Cases like SIM-swapping, overseas usage and the security concerns that come along with it, makes this option vulnerable to hacking.
  • SMS OTPs can have outages very easily, similar to email OTPs. During overseas travels especially, SMS OTPs are far from reliable.
  • However, SMS OTPs could very well be most preferred for older generations, and they would still prefer this option over any others. The reason being, there is a steeper learning curve for newer forms of 2FA options and concepts, which could be very technically challenging.

Recommendations for pairing 2FA options

The research suggested that Authentication App and Passkeys are considered the best possible pairing option for 2FA.

  • Participants felt that this combination is easier to use, solely attributing it to superior user experience.
  • This option is considered to be a common preference among some agencies, Intellectual property companies, social media platforms and crypto exchanges.
  • Sometimes, authentication apps could be paired with passwords, if the users preferred it.

Conclusion

It is established by now that involving seedphrases in wallets is a complex and tedious process which takes the user anywhere from 10 to 15 minutes. This timeframe has churn written all over it, and it is quite significant in web3 user adoption standards. But this has been the standard practice over the years.

While we could agree that having a Two-Factor Authentication (2FA) setup could effectively negate the security risks and user experience concerns associated with seedphrases, it is also equally important to empower users to fully and truly own their wallets with absolute self-custody.

Being a non-custodial solution, Web3Auth does not store any user data, or any keys on its servers. This means that the user is in full control of their data and wallets. This also means that the user can lose their account if they are not able to provide the correct shares to reconstruct their private key. Instead, Web3Auth also supports a one-click login flow, which is the simplest possible flow to onboard new users. The user only needs to click on the login button, connect to a favorite social account (OAuth) or any passwordless flow — such as email passwordless or biometric authentication.

Voila, a new Web3 wallet is generated.

Depending on your own audience and use-cases, Web3Auth offers different multi-factor authentication flows that includes the likes of options like SMS OTPs, passwords, security questions, iCloud and Authenticator App. which includes all these options. The Web3Auth Wallet-as-a-Service (WaaS) stack empowers Two-Factor Authentication (2FA) tremendously such that it compels end-users to securely and intuitively manage the user keys by using multiple authentication factors, instead of having to rely on a seed-phrase.

After having started using Web3Auth’s wallet infrastructure, several consumer-focused applications have seen a 3x increase in conversion rates, from 24% to about 63%, as opposed to conventional seedphrase wallet solutions.

Read more: What Game Developers Want from the Next Generation of Web3 Games? — Insights from GDC 2023

If you are building a Wallet or a dApp and you are looking to onboard the next billion users on to Web3, sign up here to try out our SDKs.

Frequently asked questions (FAQs)

  • What is Two-Factor Authentication (2FA)?

Two-Factor Authentication (2FA) is an added layer of security that requires not only a password and username but also something that only the user has on them, such as a piece of information or a physical device. This additional layer ensures that even if a malicious actor obtains a user’s password, they will still be unable to access the user’s account unless they also possess the second verification factor.

  • What is self-custody?

No parties or subsets of parties can access the user’s public and private key pair. The user has full access over their public and private key pair. Self-custody represents that a user has full control over their key and their assets and custodial means that a third party handles a user’s key and assets on their behalf.

  • What is Multi-Party Computation (MPC)?

In Multi-Party computation (MPC), a user’s private key is divided into multiple different parts and stored across multiple devices. When a transaction needs to be signed on blockchain, these devices are dynamically called to ‘partial sign’ the transaction, which is taken to the frontend, to be able to reconstruct the final signature. This means the entire private key is always available to use but never stored in a single location. In today’s Web3, MPC empowers Two-Factor Wallets (2FW) and Multi-Factor Authentication (MFA) tremendously. It compels end-users to securely and intuitively manage the user keys by using multiple authentication factors, instead of having to rely on a single seed-phrase. The solution is to offer a familiar, web2-like login experience to both web3 and web3 users, by allowing them to login via their social logins via multiple factors (Multi-Factor Authentication) like email, social media accounts, telegram, discord, among others.