1. Send the code fast
The obvious most important principle, which is the authentication code must arrive very fast.
2. Group the characters
The six-digit code is grouped into two three-digit strings separated with a dash. This makes it easier to remember as it is entered.
3. One character per box
There is one entry field per character. This makes it very obvious where you are when entering the code, and helps guide you along to ensure you do not make a mistake. Connected to this idea, the curser should auto-focus into the first box on the page so you can just start typing. The enter section should also permit the ability to 'paste' the authentication code, and for it to automatically distribute the characters throughout the field.
4. Auto-submit when ready
When you have finished entering the code, it automatically submits the code for verification. There is no need to move to the mouse and press 'enter' or 'submit' to send the code.
5. Letters?
5a. Auto-Capitalization
If the code that is received is an alphanumeric. When one starts to type in the letters, they should auto-capitalize on entry to match the code received. This is a nice feature and removes any worry or extra time people may have trying to match the case of the code as they enter it.
5b. Remove confusing alphanumeric characters
If the code uses alphanumerics it is easy to mistake a 0 and a O or potentially a l and a 1. We likely should also exclude D as depending on the font it can be mistaken as 0 or O.
A good font hopefully would eliminate other common confusions, such as B and 8. More on alphanumeric confusions in another post.
5c. Do we even need letters?
Alphanumerics are annoying to key in on a mobile device. It involves having to switch the keyboard type. In contrast, a number-only code permits a number pad keyboard, which is faster to use.
If the reason that an organization doesn't use a 6-digital number only code as the two-factor authentication is because it is not secure enough (even though that is 1 million permutations, which seems like enough for a temp code on a page which could lock-out after too many attempts..anyway I don't really know about security, so there must be a reason large companies use this) ...nonetheless, if the reason that the temp-code sent is alphanumeric is to increase the security, could a sufficient level of security improvement be brought about by lengthening the numerical code.
I wonder if users would prefer, and if it would be faster, to enter a 9 digit number-only code (group into three three-digit numbers) rather than an alphanumeric. I suspect a certain limitation is if the user has to remember the character in their mind between switching between how they recieved the code, and where they are entering it.