Our application (investment solution) asks users to set up a 2FA method after setting their password during onboarding.
We offer multiple methods of 2FA: memorable questions, text message security, authenticator app (Google Authenticator, Authy, etc.) and our own mobile app.
Our average demographic is investment professionals over 40.
I’ve been trying to find out what the best default 2FA method to offer is during the onboarding process. I have recommended text message security as the default as it’s the most widely used and understood, with the option for the user to choose an alternate method from our available options if they want to.
However, our tech team wants to use an authenticator app as the default as it cuts down on SMS costs—which I have conveyed may confuse our demographic as it’s much less widely used, even though it may be more secure when active.
Does anyone have any opinion or data to back up a decision here? Should one be defaulted to over the other? Or should we just give the user the choice to begin with (my concern here being we’re increasing cognitive overload)?