Sign in: Multifactor authentication

I worked with a client managing financial information, identity documents, and immigration records for millions of active users. My role was to design a sign-in authentication flow that ensures both high security and accessibility for users with varying levels of technical expertise. 

Platform: Web app, Mobile app

Role: UX designer

Tools used: Adobe XD

Duration: April - June 2022

Overview

Building user trust with account security

Relying on usernames and passwords for account security is no longer sufficient in today’s digital landscape. Sign in credentials are frequently compromised in data breaches, making it essential for businesses that handle sensitive information to implement additional security measures.

Between April 2022 and June 2022, I worked with a client managing financial information, identity documents, and immigration records for millions of active users. My role was to design a sign-in system that ensures both high security and accessibility for users with varying levels of technical expertise.

Note: All identifiable client branding has been removed and replaced with a fictional “Purple brand” design system. Likewise, any identifying language/terminology has been removed or replaced with lorem ipsum.

The challenge

Accounts and data are vulnerable to attacks

Purple’s sign-in experience relies on usernames and passwords and does not implement two-factor authentication. The current state is insufficient for safeguarding sensitive financial and personal data against common cyber threats, including phishing attacks and credential stuffing.

Additionally, the current state incorporates Facebook as a secondary sign-in method, posing additional risks related to data privacy and security. Relying on a third-party service for authentication could compromise control over customer data and potentially expose it to breaches or misuse.

The existing sign in screen.

The solution:

Design for security without ever compromising accessibility

Push authentication to a trusted device

I created a push authentication flow to allow members signing in on a new device to approve sign in from a trusted device with the Purple app installed.

In addition to being secure and difficult to hack, push authentication is a low-friction experience because the member simply has to unlock their phone, whether by facial recognition, fingerprint or PIN code.

Block a sign in attempt

More importantly, push authentication allows members to easily block unauthorized sign-in attempts from their mobile device, keeping their Purple account and sensitive data safe and giving the member a sense of being in control.

Email two-factor authentication

In order to meet the needs of technology-averse users or users without the Purple app installed, I designed an email two-factor authentication flow as a secondary authentication method. Email two-factor authentication only requires the member to have an email address, and is an authentication ritual that most people are already familiar with.

With two authentication methods available to Purple members, they can choose whichever is easiest for them to use and best suits their needs.

The process

Competitive analysis and initial research

Research kicked off with a competitive analysis of how other companies were handling sign-in security. I looked at banks, investment platforms, airlines and email services - all businesses that handle sensitive information and whose customers count on security - in order to gain an understanding of which solutions already existed and if they may be appropriate for the client.

As I am not a security expert myself, I interviewed IT experts at the client company to hear their professional opinions about the efficacy of each authentication method. For each method, they explained the strengths and weaknesses and assigned a score out of 5 rating its effectiveness.

Gmail - Push authentication

Gmail uses push authentication to verify account sign-in. Push authentication is a technology that sends a real-time notification to a user's registered device upon an attempted login.

IT security score: 4/5

TD Canada Trust - SMS and phone call 2FA

TD Canada Trust uses the familiar SMS/phone call two-factor authentication method.

IT security score: 2/5

Wealthsimple - Authenticator app

Wealthsimple uses an authenticator app (such as Microsoft authenticator) to verify sign-in. Authenticator apps generate time-sensitive, one-time passcodes which are sent to an already-registered device.

IT security score: 5/5

BMO - Biometrics

The BMO mobile app uses the built-in facial recognition technology in iOS to verify users’ identities. A positive face match triggers the device to auto-populate the user name and password fields with saved data in the password keychain.

IT security score: 5/5

The process

Journey mapping possible authentication solutions

I had gathered a lot of information about available authentication options as well as diverse professional perspectives. In order to communicate my learnings to a stakeholder group with varying levels of UX understanding, I created 14 journey maps illustrating both positive and negative user experiences. This case study highlights a selection of those 14 maps.

The goal of the mapping was to tell the story of users’ emotional experiences to a broad group of stakeholders. For IT professionals focused on security, it emphasized that the most secure solutions may not always offer the best user experience. For product managers, it demonstrated that adding some friction to the process can actually be beneficial and acceptable to users. Most importantly, the journey maps showed that no single authentication method is ideal for all users.

Push authentication - Happy path

This happy path demonstrates how push authentication is a low-stress authentication option for users with the Purple app installed. It requires minimal cognitive effort, creates minimal disruption in the sign-in experience and is generally a positive experience.


Push authentication - Unhappy path

This unhappy path example demonstrates how a negative experience, i.e. realizing your sign-in information has been compromised, is mitigated by push authentication sign-in verification.


Phone call 2FA - Happy path

Phone call 2FA is a popular method with older users and technology-averse users. This journey map shows why it is also a good option for users with permanent and temporary visual impairment.


Email 2FA - Happy path

Email 2FA is a familiar method of authentication to most users. It can be difficult for some users because it requires switching browser windows, but it is overall a positive experience because the barrier to entry is low.


Making decisions

Security and good UX can co-exist

Having conducted interviews with IT security professionals, analyzed how other organizations secured member accounts and synthesized the findings into journey maps, I worked with the product team to make decisions about which authentication methods we would be moving forward with.

Decision-making principles:

1. Users deserve flexibility to choose a sign-in verification method that works best for them.

2. Rather than designing a one-size-fits-all solution, multiple verification methods accommodate the varying needs and abilities of users.

3. Security best practices remain at the forefront to ensure users have an opportunity to recognize and acknowledge friction.

Keeping these principles in mind, in collaboration with the product owners and developers, I decided to proceed with two forms of 2FA: email two-factor authentication as an MVP solution and push authentication as a fast follow.

Why didn’t I select the most secure methods of two-factor authentication?

Even though it received a 5/5 security score from the IT experts I interviewed, an authenticator app was not selected because the barrier to entry is too high for the majority of users. Additionally, outsourcing security would make it challenging for Purple to help its users with sign-in issues.

Similarly, biometrics was not chosen as a sign-in method because it would create accessibility problems for users without biometric readers on their devices.

The process

Working fast and loose: Creating initial flows and wireframes

Email 2FA happy path

Entry point: The user enters the username and password to their Purple account.

Success criteria: The user enters the security code and completes sign in.


Push authentication happy path

Entry point: The user enters the username and password to their Purple account.

Success criteria: The user selects the correct number on their mobile device and completes sign in.

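As an added illustration of the push authentication flow described in the wireframes above (a number shown on the new device, a matching choice on the trusted device, and the option to block the attempt), the following Python simulation is example code and not the client’s or the page’s own; the two-digit number space, the three-choice push prompt, the 120-second validity window and the field names are assumptions.

```python
import secrets
import time

# Constructed simulation of a push sign-in challenge with number matching.
# Policy values (2-digit numbers, 3 choices, 120 s validity) are assumptions.
CHALLENGE_TTL = 120  # seconds a pending challenge stays valid


class PushAuthServer:
    def __init__(self):
        self.attempts = {}           # attempt_id -> challenge state
        self.locked_accounts = set()

    def start_sign_in(self, user, new_device, now=None):
        """Called after the password step: create one pending push challenge."""
        if user in self.locked_accounts:
            return None
        attempt_id = secrets.token_urlsafe(16)
        correct = secrets.randbelow(90) + 10  # number shown on the new device
        rng = secrets.SystemRandom()
        decoys = rng.sample([n for n in range(10, 100) if n != correct], 2)
        choices = sorted(decoys + [correct])  # numbers shown in the push prompt
        self.attempts[attempt_id] = {
            "user": user, "device": new_device, "correct": correct,
            "status": "pending", "created": now if now is not None else time.time()}
        return attempt_id, correct, choices

    def respond(self, attempt_id, picked, now=None):
        """Trusted device reports the tapped number; a wrong tap denies outright."""
        a = self.attempts.get(attempt_id)
        if a is None or a["status"] != "pending":
            return "invalid"  # unknown, already answered, expired or blocked
        if (now if now is not None else time.time()) - a["created"] > CHALLENGE_TTL:
            a["status"] = "expired"
            return "expired"
        a["status"] = "approved" if picked == a["correct"] else "denied"
        return a["status"]

    def block(self, attempt_id, lock_account=False):
        """Member taps 'block' on the push: deny the attempt, optionally lock."""
        a = self.attempts.get(attempt_id)
        if a is None or a["status"] != "pending":
            return "invalid"
        a["status"] = "blocked"
        if lock_account:
            self.locked_accounts.add(a["user"])
        return "blocked"
```

Each challenge accepts exactly one answer, so a wrong tap on the trusted device denies the attempt rather than offering another guess, and a blocked attempt can optionally lock the account as the "block a sign in attempt" screen offers.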

Final screens

Push authentication

Purple members can easily authenticate new sign-in attempts from a trusted device with the Purple app installed. With no need to remember a password, push authentication is as simple as unlocking your phone using facial recognition.

Block a push authentication sign in attempt

Users can block sign-in attempts from their trusted devices. For peace of mind, they are offered the options to change their password or lock their account.

Email two-factor authentication

To each their own: push authentication isn’t the ideal solution for every user. Purple members have the option to authenticate their sign-in via a familiar two-factor authentication flow.

Next steps

Roadmapping robust security

The next steps are to integrate email 2FA across the suite of the client’s products and determine sign-in entry points from each product.

In the future, push authentication will be offered in addition to email 2FA as a more secure sign-in method to those users who choose to opt in to it.

Thank you for reading!

Are you interested in working with me or just want to chat design?

Please visit my contact page and reach out!