More and more, we live in a multi-screen world. When I sit down to watch TV (as opposed to the numerous other video options), I almost always have another device with me to supplement the TV experience. I may be tweeting about the show, or fact-checking a documentary. Studies show I am not alone - users choose multi-screen 77% of the time.
Implicit in my desire to have multiple devices with me when viewing video content is that devices have different characteristics and capabilities. While the HD TV is optimal for viewing content, it definitely isn't for user input and interaction. I search for an actor's bio or follow a Twitter account on my phone and not the TV because the keyboards on smart TVs are torture devices and I don't want my family knowing I'm searching for 'Michael Buble greatest hits' by hearing me invoke Google Now.
Sometimes the second device is used to access a completely different application than that of the first, e.g., me using my phone to tweet out the results of the hockey game. But there are many use cases where it is the same application accessed from the different devices, e.g., using a native application to set the temperature of a smart thermostat, as in the above figure.
In Chapter 9 of the O'Reilly ebook 'Designing for the Internet of Things', Claire Rowland discusses the need for a cohesive user experience of a single application across such different devices.
In systems where functionality and interactions are distributed across more than one device, it's not enough to design individual UIs in isolation. Designers need to create a coherent UX across all the devices with which the user interacts. That means thinking about how UIs work together to create a coherent understanding of the overall system, and how the user may move between using different devices.
Rowland cites the work of other UX researchers:
Wäljas et al propose that the ultimate goal of cross-platform design is that the experience should feel coherent. Does the service feel like the devices are working in concert, or does the UX feel fragmented?
They define three key concepts for cross-platform service UX, which together ensure a coherent experience.
Composition - how devices and functionality are organized
Appropriate consistency of interfaces across different devices
Continuity of content and data to ensure smooth transitions between platforms
These HCI researchers coin the term 'inter-usability' to describe this sort of cross-device usability. I contend that the concept applies not only to how the user interacts with the application, but also how they interact with the identity management components securing that application - particularly mechanisms like consent and authentication. Just as critical as creating a coherent application UX is creating a coherent 'Identity UX' across devices.
Whereas for UX designers, dealing with multiple devices with different characteristics is a complication, for the purposes of authentication it actually presents an opportunity. The fact that devices differ in size, form factor, portability, user affinity, biometric capabilities, connectivity, etc. means that we can tailor authentication models that leverage those differences. For instance, mobile-based two-factor authentication (2FA) systems are useful because there is an expectation that the phone will often be in the possession of the user - phones are 'something you *already* have'. Desktops are undeniably more useful for content creation but generally less portable.
With apologies to Karl Marx (and others) - 'From each [device] according to its capabilities, to each [device] according to its needs'.
A typical use case for mobile 2FA is a user accessing a web application on a desktop or laptop. To supplement (or perhaps replace) the password the user presents via the desktop browser, they will also be required to prove they are in possession of a previously registered phone. The user interacts with two separate UIs (one on the desktop, another on the phone) but, ideally, a single UX; i.e., a single consistent and cohesive experience across the two devices.
Applying the interusability principles of consistency and continuity to mobile 2FA will ensure a more secure model, and help to prevent failed authentications from user confusion.
I'm no designer but I'd suggest:
The style (colours, graphics, fonts etc) of the two UIs should be similar.
The desktop UI should indicate to the user when the 2FA authentication is underway and that they should expect to perform a separate authentication on the phone.
The phone UI should indicate to the user the context of the authentication request; i.e., that it was initiated by their attempt to log in on the desktop to a particular application or website. Making this context clear is critical to preventing the user from inadvertently enabling an attacker in possession of the user's password to use it to hack the account.
The phone UI should give the user a means to cancel and report unsolicited authentication requests that might be evidence of an attack (as in #2).
Upon successful authentication on the phone, both UIs should indicate success.
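A small server-side model of the ceremony these suggestions describe, as an added example that is not from the original post. The class, field and message names and the 60-second timeout are assumptions; the point is that both UIs render from one shared state and that a reported or expired request can never be approved afterwards.

```python
import secrets
import time
from dataclasses import dataclass, field

PENDING, APPROVED, REPORTED, EXPIRED = "pending", "approved", "reported", "expired"

@dataclass
class AuthRequest:
    """One 2FA ceremony; both the desktop and phone UIs render from this state."""
    user: str
    app: str      # application or website being logged in to
    origin: str   # device on which the login was started
    ttl: float = 60.0  # seconds the phone prompt stays valid (assumed value)
    created: float = field(default_factory=time.time)
    request_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    state: str = PENDING

    def _current(self, now=None):
        now = time.time() if now is None else now
        if self.state == PENDING and now - self.created > self.ttl:
            self.state = EXPIRED
        return self.state

    def phone_prompt(self):
        # Context first: what is being accessed, from where, and a way out.
        return (f"Sign-in to {self.app} as {self.user}, started on {self.origin}. "
                "Approve, or Report if this was not you.")

    def respond(self, request_id, approve, now=None):
        """Phone answer. A decision is final: no approval after report or expiry."""
        state = self._current(now)
        if state != PENDING or not secrets.compare_digest(request_id, self.request_id):
            return state
        self.state = APPROVED if approve else REPORTED
        return self.state

    def ui_message(self, ui, now=None):
        """Status line for ui in {'desktop', 'phone'}; both track the same state."""
        state = self._current(now)
        if state == PENDING:
            return ("Check your phone to finish signing in." if ui == "desktop"
                    else self.phone_prompt())
        return {APPROVED: f"Signed in to {self.app}.",
                REPORTED: "Sign-in blocked and reported.",
                EXPIRED: "Sign-in request expired."}[state]

    def session_granted(self, now=None):
        return self._current(now) == APPROVED
```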
Because mobile 2FA will likely be leveraged for authentication of the user into other devices beyond the desktop/laptop, e.g., TVs, smart fridges, etc., we need to think about the consistency of that broader UX as well; i.e., the mobile 2FA UX for the desktop should not feel completely different from that for the TV and other devices.
In the future the phone may lose its current primacy as an authentication device. Why always ask my phone if it's truly me when I'll also be wearing a biometric-enabled wristband and brain-sensing headband - both of which will have an opinion on the question? But while the specifics of the cross-device authentication ceremonies may change, I expect that the principles underlying the above rules will remain the same.