
Designing Two-Factor Authentication Using WeChat: Balancing Security and User Experience

The article outlines a WeChat‑based two‑factor authentication design that binds user accounts via QR codes, leverages WeChat push messages to avoid SMS reliability issues, addresses daily‑message limits and mobile scanning constraints, and demonstrates how this approach can enhance security while preserving a seamless user experience.

Baidu Tech Salon

Secondary authentication may seem like a minor addition for many users, but in an era where user experience is increasingly important, it becomes a key factor for product reputation. Using WeChat to push secondary authentication codes avoids delivery‑rate issues and does not require users to install an extra token app, while the massive user base of WeChat helps solve coverage problems. How can we design secondary authentication based on WeChat?

In the Internet age, attackers are relentless; as of this writing, the number of publicly disclosed vulnerabilities on the WuYun platform has reached 18,791. In enterprise software, security is a top concern because users constantly submit sensitive data that, if leaked, would be disastrous for both users and software providers. Consequently, many security-related techniques (SSL encryption, remote real-time backup, digital certificates, third-party security platform integration) are applied to enterprise software, and the quest for ever-greater security seems endless.

However, security sometimes conflicts with user experience, such as the infamous Alipay security certificate or many online banking systems that only work in Internet Explorer. For Internet‑based enterprise software, security is not just a technical issue but also a product‑experience challenge. Balancing security and usability is a direction every Internet product explores. Below is an alternative design approach for login secondary authentication.

What is secondary authentication

On the Internet, many accounts eventually fall into the hands of attackers, who collect usernames and passwords to build large credential databases. Unless each account uses a unique password, attackers can log into at least one of the services you use. To prevent this, high‑security, data‑sensitive Internet products (e.g., Evernote, QQ Enterprise Mail, GitHub, Alipay) introduce secondary authentication.

Figure 1: Products that support secondary authentication

In simple terms, secondary authentication adds an extra protection layer on top of the usual username/password login, so that even if a hacker obtains the credentials, they cannot access the system.

Common secondary authentication methods

The most widely used method today is SMS. For example, GitHub allows users to enable two‑factor authentication by entering a mobile number in their personal settings. After a successful username/password login, GitHub sends a 4‑digit code via SMS, which the user must enter to complete the login.

With the rise of mobile Internet, another method emerged: mobile token apps such as Alipay Token. Users download the Alipay Token app, enable the token for their account, and each payment triggers a 4‑digit code generated by the app, which the user must retrieve and enter.

Because SMS delivery can be unreliable, mobile tokens, which generate the code on the device itself, are a convenient alternative on smart devices. Google also released an open-source solution, Google Authenticator, which Evernote uses for its secondary authentication (see Figure 2).

Besides these two methods, Tencent Enterprise Mail offers a “different” approach. Leveraging WeChat’s 600 million users, the service binds secondary authentication to a WeChat account. When authentication is needed, a random code is sent via WeChat, eliminating the need for a separate token app (see Figure 3).

How to design secondary authentication based on WeChat

After evaluating common industry methods, we concluded that using WeChat is superior to SMS and token apps. WeChat push avoids delivery‑rate risks, requires no extra app installation, and its massive user base solves coverage issues. However, the ideal design faces several practical challenges.

First, we need to bind a WeChat account to a web application. The natural solution is to use a WeChat Official Account as the binding carrier. For example, in the “Tower” product, users click the “Enable” link next to “Double Insurance” in their personal settings, enter their login password, and a QR code appears (see Figure 4).

Scanning the QR code with WeChat automatically links the WeChat account to the web account, and the user receives a binding‑success message in the official account and sees a confirmation on the personal‑settings page (see Figure 5).

When a user logs in with “Double Insurance” enabled, the system should push a verification code to the user’s WeChat. The first obstacle is that a WeChat Official Account can only push one proactive message per day to a user, which is insufficient for our needs.

To work around this, after the user logs in we display a QR code. The user scans it with WeChat, and WeChat sends a verification message to our server indicating, “WeChat user X is trying to log in.”

The server receives this scan event through the Official Account's callback and checks whether the scanning WeChat user is bound to the account that owns the pending login session. If so, the secondary authentication succeeds and the browser automatically redirects to the logged-in state.
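The QR-scan login check described above, as an added example that is not the Tower product's own code: a password login mints a single-use, short-lived scene string for a temporary QR code, and the scan event that WeChat posts back (assumed here to carry Event SCAN or subscribe, FromUserName as the openid, and the scene string in EventKey, with a qrscene_ prefix on subscribe) is accepted only if the scanning openid is bound to the account that owns that pending session. The binding table and the 120-second lifetime are constructed assumptions.

```python
import secrets
import time

QR_TTL_SECONDS = 120  # assumed lifetime of the login QR code

# Constructed sample binding table: WeChat openid -> application user id.
# In the real system this is filled in by the one-time "Double Insurance" QR binding.
BINDINGS = {"oABC123openid": "alice"}

# Pending second-factor challenges, keyed by the scene string encoded in the QR code.
_pending = {}


def start_challenge(user_id, now=None):
    """After a correct password, mint a single-use scene string for a temporary QR code."""
    now = time.time() if now is None else now
    scene = secrets.token_urlsafe(24)  # unguessable; the QR code encodes only this
    _pending[scene] = {"user": user_id, "expires": now + QR_TTL_SECONDS, "verified": False}
    return scene


def handle_scan_event(event, now=None):
    """Process the scan callback WeChat posts to our server. Returns True on success."""
    now = time.time() if now is None else now
    if event.get("Event") not in ("SCAN", "subscribe"):
        return False
    scene = event.get("EventKey", "")
    if scene.startswith("qrscene_"):  # prefix WeChat adds when a new follower scans
        scene = scene[len("qrscene_"):]
    challenge = _pending.get(scene)
    if challenge is None or challenge["verified"]:  # unknown or already consumed
        return False
    if now > challenge["expires"]:
        _pending.pop(scene, None)
        return False
    # The scanning WeChat account must be the one bound to the user who just logged in;
    # a scan by any other openid (or an unbound one) is rejected without side effects.
    if BINDINGS.get(event.get("FromUserName")) != challenge["user"]:
        return False
    challenge["verified"] = True
    return True


def challenge_status(scene):
    """What the browser polls while waiting: 'verified', 'pending', or 'unknown'."""
    challenge = _pending.get(scene)
    if challenge is None:
        return "unknown"
    return "verified" if challenge["verified"] else "pending"
```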

Mobile clients introduce another challenge. Scanning a QR code shown on a desktop is convenient, but a user cannot realistically open WeChat on a phone and scan a QR code displayed on that same phone (see Figure 7).

Our second workaround leverages the fact that an Official Account may push a message to a user only after that user initiates contact. After the user logs in on a mobile device, we display an input box prompting the user to open the corresponding WeChat Official Account and click the "Double Insurance" button. This action sends a message from the user to the Official Account, unlocking the ability for the account to push a verification code back. The user then enters the received code in the mobile client to complete authentication. For fun, we also added an Easter egg: sending the phrase "Open sesame" to the Official Account instantly returns the verification code (see Figure 8).
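The mobile workaround above, as an added example and not the project's own code: a user-initiated button click (or the "Open sesame" text) arriving at the Official Account is answered with a freshly generated code only when that openid is bound to a user who has a pending mobile login, and the code the user types back is checked with a short lifetime, an attempt limit, and single use. The menu button key DOUBLE_INSURANCE, the binding table, the 6-digit code length, and the 300-second lifetime are constructed assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300            # assumed lifetime of a pending mobile login
MAX_ATTEMPTS = 5                  # assumed cap on wrong guesses per login
BUTTON_KEY = "DOUBLE_INSURANCE"   # assumed EventKey configured for the menu button
MAGIC_TEXT = "Open sesame"        # the Easter-egg phrase from the article

BINDINGS = {"oABC123openid": "alice"}  # constructed openid -> user id binding table
_pending = {}                          # user id -> pending mobile challenge


def start_mobile_challenge(user_id, now=None):
    """After a correct password on mobile, record that this user is waiting for a code."""
    now = time.time() if now is None else now
    _pending[user_id] = {"code": None, "expires": now + CODE_TTL_SECONDS, "attempts": 0}


def _wants_code(msg):
    """True if the inbound message is the button click or the Easter-egg text."""
    if msg.get("MsgType") == "event":
        return msg.get("Event") == "CLICK" and msg.get("EventKey") == BUTTON_KEY
    return msg.get("MsgType") == "text" and msg.get("Content", "").strip() == MAGIC_TEXT


def handle_inbound(msg, now=None):
    """Reply text for a user-initiated WeChat message, or None to stay silent."""
    now = time.time() if now is None else now
    if not _wants_code(msg):
        return None
    challenge = _pending.get(BINDINGS.get(msg.get("FromUserName")))
    if challenge is None or now > challenge["expires"]:
        return None  # nobody is waiting; same silence for unbound and idle accounts
    challenge["code"] = f"{secrets.randbelow(10**6):06d}"  # fresh code on every request
    return f"Your login code is {challenge['code']}"


def verify_code(user_id, submitted, now=None):
    """Check the code typed into the mobile client; consumes the challenge on success."""
    now = time.time() if now is None else now
    challenge = _pending.get(user_id)
    if challenge is None or challenge["code"] is None or now > challenge["expires"]:
        return False
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_ATTEMPTS:
        _pending.pop(user_id, None)  # too many guesses: force a new password login
        return False
    if not hmac.compare_digest(challenge["code"], str(submitted)):
        return False
    _pending.pop(user_id, None)      # single use
    return True
```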

Conclusion

Secondary authentication may appear to be a small embellishment, but as user experience becomes ever more critical, providing a cross‑platform, high‑quality detail can be the difference between winning or losing user trust. Security is never a trivial matter, nor is experience; every feature’s design and implementation deserves careful refinement.

As WeChat Service Account APIs continue to evolve, even better integration possibilities will emerge. This article is intended as a starting point, encouraging product teams to consider leveraging platforms like WeChat in their security‑experience designs.

Tags: user experience, security, WeChat, login design, two-factor authentication

Written by

Baidu Tech Salon

Baidu Tech Salon, organized by Baidu's Technology Management Department, is a monthly offline event that shares cutting‑edge tech trends from Baidu and the industry, providing a free platform for mid‑to‑senior engineers to exchange ideas.
