Is Multi-Factor Authentication (MFA) a Barrier to Access?

Multi-Factor Authentication (MFA) has become a standard security measure across many online services. From banking and e-commerce to social media and even public services, MFA is touted as the best way to protect user accounts from unauthorized access. 

But while it undoubtedly enhances security, does it also create unnecessary barriers for users? Is it always necessary, or are some services forcing it upon users purely for their own convenience, without considering the impact on accessibility and user experience?

When MFA Makes Sense

There are clear scenarios where MFA is beneficial, if not essential. Any service involving financial transactions, personal data, or sensitive information should implement some form of MFA. Online banking, payment processing, and cloud storage services are prime examples. In these cases, an extra layer of authentication—whether a text message, an authenticator app, or biometrics—protects users from fraud, identity theft, and account takeovers.

For these services, the inconvenience of MFA is outweighed by the need for security. A compromised banking account can lead to financial ruin, while an exposed cloud storage service could mean loss of private or business-critical data.

When MFA Becomes a Burden

However, there are many instances where MFA feels excessive or even user-hostile. Imagine signing up for a public forum, a government website to download a form, or a simple app where security isn't a primary concern. Yet, users are often forced to verify their email, receive a one-time passcode (OTP) on their phone, or even authenticate every time they log in. For some users, this creates friction that can turn them away from the service altogether.

Older adults and less tech-savvy users can struggle with MFA. They might not have a smartphone, may not know how to retrieve an OTP, or simply forget their authentication method. This frustration can push them towards alternative, often more expensive, in-person or phone-based support channels, defeating the purpose of a digital service.

Different Types of MFA & Their Challenges

MFA can take various forms, each with its own pros and cons:

• SMS-based OTPs – Convenient but vulnerable to SIM swapping and interception.

• Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) – More secure but require setup and reliance on a single device.

• Biometric authentication (Face ID, fingerprint scanners) – Secure and user-friendly but limited to modern devices.

• Hardware security keys (YubiKey, Titan Security Key) – Extremely secure but costly and impractical for average users.

For a tech-savvy individual, these options may not seem like a problem. But for someone who rarely uses technology, requiring MFA can feel like an impossible barrier.

Who Really Benefits?

While service providers claim that MFA is for the user's benefit, in many cases, it’s more about reducing their own liability and costs associated with fraud and account recovery. A locked-out user means fewer support calls for a compromised account, but it can also mean losing customers who simply give up on the service.

Companies should consider whether MFA is truly necessary for their service or if they are implementing it just to shift the burden onto users. If security is critical, they should at least offer user-friendly alternatives and ensure that their support systems are equipped to assist those who struggle with authentication.

The Balance Between Security and Accessibility

Security and convenience are often at odds. While MFA undeniably enhances protection, it should be implemented with the user in mind. If a service deals with money, sensitive personal information, or confidential business data, MFA is a must. However, for a simple public registration system with no real security risks, forcing users to go through extra steps every time they log in can feel unnecessary and exclusionary.

Instead of taking a one-size-fits-all approach, companies should:

• Allow users to opt into MFA where appropriate.

• Offer alternative verification methods tailored to different user needs.

• Provide clear, accessible guidance on using MFA effectively.

• Avoid making security measures so frustrating that they drive users away.

At the end of the day, security should not come at the expense of accessibility. Users are not the enemy—poorly implemented security measures are. If a service forces unnecessary barriers on users, it’s not protecting them—it’s just making their lives harder.

Software Quality: What You See and What You Don’t

When clients review a software implementation—whether a website, a mobile application, or a complex enterprise system—they focus on what they can see. The user interface is their window into the software: the graphics, colours, buttons, and alignment of elements. They also experience usability issues firsthand—if a button does not work, navigation is unclear, or the system does not fit their business needs. In short, they can easily judge what is immediately visible.

The client will raise concerns if the software looks unfinished—if screen elements are misaligned, fonts are inconsistent, or colours clash. These visual issues are easy to notice and relatively simple to fix. However, what about the parts of the software that remain hidden beneath the surface?

The Hidden Depths of Software Quality

Beneath the surface of a sleek user interface lies the true foundation of any software: its underlying code. Clients do not see this, and yet, it is where some of the most serious problems can lurk.

Software that appears polished on the outside can still be a mess underneath—filled with rushed fixes, careless hacks, and neglected structural integrity. What they don’t see can be far more damaging than what they do:

• Messy, Unstructured Code – If the code is chaotic and lacks a clear structure, making changes or fixing bugs becomes a nightmare.

• Lack of Documentation – If the original developers fail to document their work, future teams will struggle to understand how the system functions.

• Poor Error Handling – A program might appear fine until an unexpected action causes it to crash because no one accounted for error scenarios.

• Hidden Loops and Inefficiencies – Poorly optimized code may lead to slow performance, excessive resource usage, or system crashes as the workload increases.

• Security Gaps – A lack of attention to security best practices could leave the software vulnerable to data breaches, even if it looks perfect on the surface.

What Poor Visible Quality Says About The Hidden Code

There is a simple but unsettling truth: if the software looks bad on the surface, the chances are high that the underlying code is even worse. A team that ignores visual consistency might also ignore proper security measures, performance optimization, and long-term maintainability. A broken button can be fixed in minutes, but a broken foundation can haunt a business for years.

Imagine a house with peeling paint and broken steps. These are surface issues, but they make you wonder: if this is how they handle the outside, what horrors lie in the wiring, plumbing, and foundation? The same logic applies to software. If a website’s buttons are misaligned and the fonts are a chaotic mix, what are the odds that the backend is filled with rushed fixes, untested functions, and hidden vulnerabilities?

How This Hurts Clients

Clients who only judge software by its visible appearance might not realize the problems they are inheriting. The real damage happens over time:

1. Rising Maintenance Costs

When software is built with shortcuts and sloppy code, future updates become expensive. A simple feature change can take weeks because developers have to untangle the existing mess first.

2. Unexpected Failures

A system that looks fine today might suddenly start failing under real-world conditions. A small data spike, a minor software update, or an overlooked error scenario could bring the entire system crashing down.

3. Security Risks

Poorly structured software often contains security vulnerabilities. A minor oversight in data handling can lead to serious breaches, putting customer information and business integrity at risk.

4. Scalability Nightmares

A company may grow, but a poorly designed system will not grow with it. What works for 100 users might break completely when stretched to 10,000 users. The business then faces expensive rewrites and lost opportunities.

5. Damage to Reputation

A slow, buggy, or unreliable platform can lead to frustrated customers, negative reviews, and lost revenue. In many industries, trust and reliability are everything—once lost, they are hard to recover.

Ensuring Quality from the Inside Out

While clients may not see the code, it is the responsibility of development teams to uphold quality standards at every level. The key to avoiding the dangers of hidden software rot lies in discipline and best practices:

• Code reviews ensure standards are maintained and prevent bad practices from taking root.

• Comprehensive testing helps catch issues before they reach production.

• Clear documentation allows future developers to understand and maintain the software.

• Security-first development prevents costly vulnerabilities and breaches.

• Performance optimization ensures scalability and efficiency over time.

Final Thoughts

When evaluating software, it is easy to focus on what can be seen, but true quality goes much deeper. If the surface appears neglected, there is a strong chance that the underlying software is full of quick fixes, rushed patches, and hidden problems waiting to surface.

A reliable and long-lasting software product is one where both the user experience and the underlying structure are given equal care. Clients should demand quality beyond the visible, and developers should take pride in crafting software that is solid from the inside out. Because if left unchecked, the unseen problems will one day come to light—with costly consequences.

The Hidden Cost of Rushed Development

In software development, as in gardening, laying the proper groundwork is key to long-term success. A well-prepared foundation ensures stability, scalability, and maintainability. 

However, when shortcuts are taken in the name of speed, it leads to technical debt, inconsistencies, and a maintenance nightmare down the line.

Many inexperienced or rushed suppliers often cut corners, making small decisions that seem harmless at the moment but snowball into major issues. Let’s explore some poor software setup practices and contrast them with proactive, experienced development approaches.

Sloppy and Smart Development

1. Styling Without a Centralized CSS

Lazy Supplier Approach:

• Embed styles directly within pages rather than using a central CSS file.

• Creates multiple button classes with slightly different styles because they forgot the existing ones.

• Hardcodes colours, fonts, and margins directly into HTML elements instead of using reusable styles.

Proactive Supplier Approach:

• Uses a structured CSS framework where styles are centrally managed.

• Defines global classes for buttons, headers, and other UI elements to maintain consistency.

• Implements variables in CSS (or a preprocessor like SCSS) for colours, spacing, and typography, ensuring a single source of truth.

Why It Matters: A centralized approach ensures that a change to a button style reflects across the entire site, eliminating inconsistencies and reducing the time spent hunting for rogue styles.

2. Poor Management of Data Validation and Regex

Lazy Supplier Approach:

• Defines regex validation rules individually in each form field.

• Hardcode validation rules directly into multiple places in the code.

• Fails to document regex patterns, leading to inconsistencies and hard-to-debug validation issues.

Proactive Supplier Approach:

• Stores regex validation rules as global constants or reusable functions.

• A single validation method is applied across all relevant fields to ensure uniformity.

• Documents and maintains a validation standard to prevent inconsistent rules across different parts of the application.

Why It Matters: Defining validation rules in a central location makes updates easy and ensures consistency across all forms in the system.

3. Magic Numbers and Hardcoded Values

Lazy Supplier Approach:

• Hardcode prices, tax rates, or other business-critical numbers directly in multiple locations.

• Uses fixed numeric values in calculations without clear documentation.

• Requires developers to search the entire codebase when a value needs updating.

Proactive Supplier Approach:

• Stores all key numbers in global constants or configuration files.

• Implements environment variables for values that may differ between testing, staging, and production environments.

• Uses a configuration management system to control price updates from a single location.

Why It Matters: If a tax rate or price structure changes, updating a single value should be all that’s required rather than combing through an entire application to find and update hardcoded values.

4. Inconsistent HTML Structure and Headings

Lazy Supplier Approach:

• Uses <div> elements for all text without defining proper <h1>, <h2>, or <h3> tags.

• Resize text manually on each page instead of using CSS styles.

• Creates accessibility issues by not structuring content correctly.

Proactive Supplier Approach:

• Uses semantic HTML, ensuring proper hierarchy with <h1>, <h2>, and <h3> tags.

• Defines text styles in CSS so heading sizes and spacing are uniform across the site.

• Follows accessibility guidelines, improving SEO and user experience.

Why It Matters: Proper heading structure improves readability, accessibility, and SEO, while ensuring a consistent look and feel across the site.

The Slippery Slope of Quick Fixes

A lazy or rushed supplier might justify their choices by saying, “I don’t have time to structure this properly—I just need to make it work.” While this approach may show quick progress in the short term, it creates major problems as the project scales.

When corners are cut:

• Bugs multiply because different elements that should behave the same begin behaving differently.

• Making changes requires updating multiple instances instead of a single location.

• The project becomes difficult to maintain as inconsistencies grow.

• Expansion and feature additions take longer due to poor groundwork.

Conclusion: Laying the Right Foundation Saves Time and Effort

A proactive, experienced supplier understands that good groundwork leads to efficiency, easier maintenance, and a scalable product. Taking the time to plan, structure, and centralize the core elements of an application is an extra step. Still, it ultimately saves time, reduces errors, and ensures a more polished and professional final product.

In software development, as in gardening, taking shortcuts at the beginning will only lead to more work later. Lay the foundation properly, and you’ll build something that grows and thrives rather than something that constantly needs fixing.

When Is a Bug Really a Bug?

In software development, few topics create as much debate as defining a "bug." From a client's perspective, a bug is anything that doesn't work as expected. 

From a supplier's perspective, however, a bug is often dismissed as a missing requirement, conveniently reframed as a change request to avoid responsibility. This discrepancy leads to frustration, delays, and a growing sense of mistrust between the two parties. 

So, where do we draw the line?

The Client vs. Supplier Perspective

Clients rely on software to function intuitively and predictably. When something disrupts their workflow or doesn't meet reasonable expectations, they rightly label it as a bug. Conversely, suppliers frequently hide behind vague requirements, using loopholes to avoid fixing issues unless explicitly documented.

For example, consider an online form designed to collect UK phone numbers. Is that a bug if a user can enter letters instead of numbers? The client would argue yes—it prevents valid data entry and should have been accounted for. The supplier, in contrast, might claim that since validation rules were not explicitly stated, they are not responsible. This kind of evasiveness only serves to frustrate clients and degrade trust in the development process.

The Implicit vs. Explicit Requirement Debate

Software inherently includes implicit requirements. Much like a cookbook doesn’t instruct the reader to fetch a pan before cooking, some aspects of functionality should be assumed. However, suppliers often exploit ambiguity to deflect responsibility, insisting that anything not meticulously spelt out is outside the scope.

Taking this a step further, consider high-level system-wide requirements, such as accessibility compliance. If a client states that a website must adhere to Web Content Accessibility Guidelines (WCAG), does this mean they need to specify every single place it applies? No reasonable supplier should need such micromanagement. Yet, when accessibility issues arise, suppliers often attempt to classify them as change requests rather than take accountability for meeting industry standards.

The Risk of Cloudy Boundaries

When suppliers dodge responsibility by blurring the distinction between a bug and a change request, projects slow down, costs rise, and clients are left with a system that doesn't meet their needs. This kind of behaviour not only undermines collaboration but also erodes confidence in the supplier’s ability to deliver a quality product. Clients expect professionalism, not excuses.

A Practical Approach to Resolution

So, how do we navigate these challenges and hold suppliers accountable? Here are some guiding principles:

1. Clients Shouldn't Have to Spell Out the Obvious: Suppliers should apply industry best practices and anticipate common-sense expectations.

2. Refusing to Fix Clear Issues Is Bad Faith: If a reasonable user would expect certain functionality to work in a certain way, the supplier should address it without excessive debate.

3. Minor Fixes Should Be Resolved, Not Argued Over: Simple fixes, like adding basic validation, should not become lengthy discussions about scope.

4. Transparency and Accountability Matter: Suppliers should not weaponize requirements documentation to avoid doing the right thing.

Conclusion

The line between a bug and a change request isn’t always clear, but clients shouldn’t have to fight tooth and nail to get a functional product. Suppliers who play games with definitions to dodge responsibility only harm their own credibility. Instead of hiding behind technicalities, suppliers should prioritize collaboration, efficiency, and above all, delivering software that works as expected.