Secure Doesn't Have to Mean Inaccessible

Consumer Attitudes on Multi-Factor Authentication (MFA) a UX Research Case Study

After requiring MFA for business users, the client lost one-third of its mandatory users. Concerned this trend could repeat with consumer complaint filers—whose portal sees over 205 million users annually—the client sought research on consumer attitudes toward MFA, preferred methods, its impact on vulnerable populations, and reasons for business user drop-off.

Key Findings

What Business Users Experience with existing MFA: 

  • 1/3 of mandatory users abandoned the portal after MFA implementation due to confusion and frustration.
  • One user paid $20 for an invalid authenticator app.
  • Customer service spent 5+ hours unsuccessfully helping a single user navigate MFA setup.

What the Public Expects from MFA:

  • Users find MFA annoying but accept it for added security.
  • Prefer text-based MFA but expect multiple options.
  • MFA can create access barriers for vulnerable populations.
  • Clear instructions and user-friendly design improve adoption.
Suggested Next Steps:
  1. Pause on implementing MFA for Public consumers.
  2. Begin the process of MFA redesign and user testing, for both business facing and public facing interfaces.
  3. Launch new MFA for both user groups.

Testing Audiences:

One of the goals of this project was to make sure that the MFA that was implemented was accessible to vulnerable populations, so multiple populations were interviewed. 

 

Conclusion: Secure Doesn't Have to Mean Inaccessible

As agencies work to strengthen cybersecurity, it’s clear that security measures like MFA must be designed with people—not just policy—in mind. This research shows that while users understand and even value MFA, their experience depends entirely on how intuitive, inclusive, and flexible the process is. By offering multiple and clear  authentication options, prioritizing usability, and designing for the most vulnerable users, we can protect sensitive data without locking anyone out. A secure system is only successful if everyone can use it—and that’s where great design meets real impact.

Supporting Project Documentation can be viewed during in person meetings.

Due to the confidential nature of the project supporting documentation is not provided within the case studies, but can be viewed during an in person interview upon request.