2-Step Verification

Kiva experienced a rising threat from hackers using credential stuffing to breach user accounts. The surge in data breaches translated into millions of attempted logins on Kiva accounts, with some accounts being compromised.
To safeguard Kiva accounts from hackers, we needed an automated method to strengthen the security of these accounts.
*Disclaimer: For security purposes, this case study does not go in depth on the full 2-step verification process.

ROLE

Sole product designer

TEAM

1 Product Manager
3 Engineers
1 Copywriter
Support team

DURATION AND FORMATS

4 weeks for desktop and mobile

Problem

Internal data showed an increase in malicious users trying to take over Kiva accounts and steal money through credential stuffing.

Hypothesis

By adding an extra layer of security with 2-step verification, we will reduce the amount of malicious activity, thereby reducing the risk to Kiva users and Kiva itself.

Final designs

A new security layer that protects Kiva accounts from hackers with one or multiple verification methods.

How we got there

Success metric

What % of Kiva account holders set up 2-step verification?

Project goals

  1. Create secure user flows for mobile web and desktop
  2. Motivate users to set up 2-step verification
  3. Educate users on how to use 2-step verification

Research

I gathered insights from external research studies on 2-step verification and highlighted the key takeaways:

I also conducted competitive research on 9 companies across the social media, banking, and email industries to analyze how they were using 2-step verification.

Mapping out the user flows helped me visualize the various pathways per action. I annotated common UX patterns, requirements per security method, email triggers, and how they were educating users.

Before designing, understand the UX first

To help me grasp the complexities of 2-step verification, I created a list of questions to tackle before I started designing:

  1. How does Auth0 (an authentication and authorization service used by Kiva) work?
  2. What does the flow look like when setting up 2-step verification?
  3. What does it look like when turning off or editing security methods?
  4. How can things go wrong?

I created multiple iterations of the 2-step verification user flows and sought feedback from product, engineering, and customer service teams. Valuable points were made on technical feasibility with Auth0 and edge cases.

High-level overview of the final user flows

Design explorations

2-step verification
One of the main goals when designing was to answer this question: “how can I make the user feel secure and confident in their actions when going through the flow?”

My attempt at this was to use minimal designs in order to direct the user's attention to the instructions and to work with our copywriter in creating succinct, yet informative copy that educates the user throughout the 2-step verification journey.

Spec & Handoff

Finally, I used Figma to spec and hand off the V1 Guest Checkout flow to our engineering team.

Learnings

  1. Diving deep into the trenches of 2-step verification pushed me to think more about edge cases. You should always be thinking of how things could go wrong so that you can best prepare and take the necessary precautions, both from a technical and project perspective.
  2. Documenting complex workflows on various attempts and why they didn’t work was extremely helpful to refer back to as a reminder for design decisions. Future designers or other team members will also be able to reference these conversations to understand context and reasons as to why we did or didn’t go with a certain solution. 
  3. Work with the customer service team more often! Their close relationship to users provided a fresh perspective as they were able to shed light on various edge cases, giving me the opportunity to adjust and strengthen my designs.