
Secure your Accounts: How to Balance Convenience and Robust Authentication


Remember the days of inputting your username and password and just ... being let into your account? It was such a simple process, yet by today’s standards, such an insecure way of authenticating yourself. In the late 90s and early 2000s, the internet was still new, so there were fewer threats out there. Today, “just a username and password” makes you the target, so now more than ever, robust authentication is a necessity. Let’s take a look at how modern security methods can keep your accounts secure whilst reducing common frustrations.

The Importance of Robust Authentication

Hacker on laptop in the dark
Having weak account security makes hackers' lives easier.

So much of the 21st Century is digital. Your bank, work, social life, transport, etc. probably has some digital component. Malicious actors are always trying to find a way to breach accounts, personal information or finances. If you’re not prepared, it could hit you like a brick wall.

The goal of digital security is to keep your information safe. But it can only work as well as you let it. Investing time into robust authentication might seem like a waste, but there’s a reason we lock our front door when we leave home.

It’s all about preventative steps to make it as difficult as reasonable for attackers to gain access.

The Issue with Passwords

The simplest method of authentication is setting a username and password - if you’re the only person who knows the combination, only you can log in. However, passwords are considered less secure nowadays because users tend to reuse short, weak passwords across accounts. The moment your password ends up in a data breach, every account that uses it is at risk.

User credentials are also a common target of phishing attacks, which are attacks where malicious actors attempt to trick you into giving them your information. A common way of doing this is to send you a fake email saying something important has gone wrong, and telling you to login to your account to resolve it. But instead of putting a real link in the email, they will put a link to their own site — which looks a lot like the real thing — in the hope you won’t notice and hand them your password.

Instead, today, you should be looking to increase the security of your accounts by adopting other authentication methods, either to strengthen or replace your password.

What are some better Authentication Methods?

Different authentication methods, including SMS codes, TOTP, passkeys and more
There are many different authentication methods out there. Find the ones that work best for you.

To move away from “just a username and password” means to look at other options. Here are common authentication methods that either work alongside your password (multi-factor authentication or MFA, providing a secondary factor) or instead of it.

Multi-Factor Methods

Slack OTP email example
An example of a one-time password sent by Slack
  • One-Time Passwords (OTPs): One-time passwords (sometimes called one-time codes) are a common MFA method. Account providers send you a code through email or SMS which you need to input to verify yourself. However, email and SMS are both considered less secure than modern alternatives, so OTPs delivered over these channels are not recommended.

Google app-based OTP
When logging into your Google Account, you may be prompted to tap “Yes” on a prompt on your phone.
  • App-based OTPs: Instead of sending codes over email or SMS, some providers who operate their own mobile apps build the functionality into them, for example Google’s phone notifications. These are far more secure than email or SMS. But if you lose your device, you also lose this method.

Ente Auth TOTP
Ente Auth is a modern TOTP app.
  • Time-Based OTPs: A common variant of OTPs swaps out direct communication for time synchronisation. The only communication is during setup, usually scanning a QR code to import the shared secret. From there, both your device and the server can independently generate codes based on the current time, and you are authenticated if the two match. These codes are easy to back up, don’t require an internet connection and can be used seamlessly across devices.

Password Replacements

Vercel's SSO options
Vercel gives you the option of signing in with Google, GitHub or providers which support SAML SSO — all single sign-on options.
  • Single Sign-On (SSO): You’ve probably seen the “Sign in with Google” buttons floating around. That’s single sign-on. These work through systems such as OpenID Connect (OIDC), allowing sites to utilise the security of more established account providers to give you higher authentication security. Be warned though: if your linked account is compromised, all other linked accounts can be too.
Google passkey prompt
Google’s prompt for adding a passkey to your account.
  • Passkeys & Security Keys: These are a relatively modern solution - at least in the mainstream market - built on a well-known technique: public-key cryptography. They work by storing a private key securely on your device, which your device uses to sign a ‘challenge’ set by your account provider; the provider checks the signature against the matching public key it holds. These are often hailed as the replacement for passwords, and for good reason: they are highly secure and resistant to common attacks like credential stuffing and phishing, because the key never leaves your device and is bound to the real site.

MyID digital id
MyID is the Australian Government’s Digital ID app.
  • Digital IDs: Also a replacement for passwords, the most recent step in the chain is Digital IDs, which check user identity with trusted providers such as the government. These are highly secure, but raise concerns about user privacy. We’ve written an in-depth blog about Digital IDs which you can read about here.

Dangers & Frustrations with Robust Authentication

He needs verification from itself

Posted by Oussema Mejbri on Wednesday, May 14, 2025
One of the many frustrations with authentication solutions. Unfortunately, it isn’t the only one.

You often need to adapt your workflow to properly set up robust authentication. And like any added workflow, it can cause frustrations. From flaky implementations to recursive prompts or outright lockouts, there are a lot of things to be wary of:

  • Danger of lockouts. Let’s be honest, this one is a bit more than just a frustration. If you set up extra authentication methods which you later lose, you risk being locked out of your account.
  • Complex methods and workflows. Nobody likes spending unnecessary time fiddling with things, and that’s no different when logging in. The last thing you want is to juggle methods and feel like you’re walking through airport security just so you can doom-scroll Instagram.
  • Sub-par app experiences. A poor user experience can taint an important process, and that’s no different here. Unfortunately, a bad user experience can dissuade users from setting up extra authentication methods to begin with.
  • Inaccessible methods when you need them. Most methods require your phone or other device, which can be a problem if you don’t have a smartphone or don’t always carry it with you.

Overcoming Frustrations

Person happily paying online
You should be able to be this happy using your authentication methods. Instead of frustrations and pain, they should help you relax knowing your data is more secure.

This doesn’t mean you should ditch these methods. Instead, there are proactive steps you can take to reduce or mitigate these issues so you can use robust authentication more conveniently.

1. Generate Account Recovery Codes

When setting up extra authentication, account providers often let you generate recovery codes. If you do nothing else, always generate and save these codes on multiple mediums. Some options include printing them out and keeping them in a locked container, or purchasing a USB drive dedicated to storing recovery codes.

2. Have a Plan if things go Wrong

The first step you should take is to generate account recovery codes. These are codes that account providers give you to regain access if you ever lose your other methods. Store them in a safe place, such as on a dedicated USB drive for recovery codes. Some accounts also let you set up security questions, which can be a great addition provided nobody else knows the answers.

3. Set Up a Password Manager

Where passwords are still needed, a secure and trusted password manager is a great option. They take the difficulty out of remembering each long, unique password you set. Just by doing this, you reduce the risk of your password being compromised: the manager generates a random password for each account, and because it only fills credentials on the site they were saved for, it won’t auto-fill them on a look-alike phishing site.

4. Use Better Apps

There are many great apps out there which can help make this whole experience much more bearable. Do your research, and find one that works for you (even if Reddit would shout at you for your choice).

5. Set Up Methods on Different Devices

The best way to avoid the “I don’t have my phone on me” problem is to set up authentication methods that are accessible on all your devices. If you use shared devices, you might consider a physical security token like the YubiKey.

6. Finally: Don’t Give Up

Especially in the early stages, setting up these methods can seem like it’s not worth it, adding extra steps that frustrate you. I implore you to persevere — you’ll thank yourself the moment one of your accounts is attacked.

Need Robust Authentication for your Custom App?

The best way to encourage users to take up robust authentication is to make it easy — and that’s on developers. At FONSEKA, we take security seriously. We build custom apps and can set up authentication methods that balance your users’ needs with modern security practices. If authentication security and user experience are important for your next custom app, contact us today!

Post Details

Author: Lachlan Rehder

Updated: 17 Oct 2025