security – Best practice for two-factor authentication process


Perhaps due to the recent incidents of hacking of user databases and identity theft, many organizations have introduced a two-factor authentication process, in particular when users are accessing the website from more than one device or IP address.

I am wondering whether giving users the option of being remembered on a different device/access profile is counterproductive to the two-factor authentication process, and if so, then why would organizations offer the option for the sake of not annoying the user? Shouldn’t the user’s choice to use this higher level of security imply that they are willing to go through the trouble? If anything, should they be offered an option to reduce the level of security?

Also, are there particular UX design strategies that are seen as more secure or trusted compared to other strategies? The only one I have come across so far is the verification code sent to a different email address or phone number.