Moneyfarm's two-factor authentication

Company

Moneyfarm

Year

2020

Length

2 months

Team

The problem

Relying solely on a regular login with email and password is a potential security risk for our customers. In addition, for certain customers the perceived risk of not having two-factor authentication is very high, eroding their trust in the Moneyfarm platform and in the company as a whole.

The goal

Provide an easy-to-use two-factor authentication login, leveraging the multi-factor authentication capabilities of our authentication provider, Auth0.

Discover

Understand the problem and turn it into an opportunity for the business and the customers. Align with the whole team and the stakeholders, and sketch out solutions.

Customer feedback

Prospective customers told our CRM team they were hesitant to open an account with Moneyfarm because it lacked a security feature that is standard in the financial domain. Existing customers kept asking for this extra layer of security in their app reviews.

Gathering requirements

We met with product owners and developers to understand the scope of the project, what was feasible within the constraints of our third-party provider, and the desired outcome of the feature.

Mapping the user journey

I started mapping out the user journey while asking questions of the various experts, such as developers and product owners. The journey was then divided into its main flows.

The enrolment on app

The second factor could be enabled directly from the mobile app installed on the device the user wanted to use for authentication.

The enrolment on web

If the user activated two-factor authentication from the browser, the main difference from the app journey was the QR code scan needed to pair the mobile device with the user account.

The login on web

To log in to the web app with 2FA active, the user had to approve the access on the paired device. A notification showed the attempted login and its location.

Other options to log in

We considered the cases where the user could not receive a login notification and added two additional features to the mobile app.

Testing

The outcome of internal testing and of feedback from a closed release to selected customers.

The security screen needed some clean-up

As the security screen gained features, it became much harder for users to scan the list and find the item they wanted. I redesigned the screen, taking into consideration layout, commonly used patterns and iconography.

The app wasn't mentioned on web

During the first iteration of the flow, I assumed our users already had our app installed and knew it was required to enable two-factor authentication. Well, they didn't. At the beginning of the flow, I added a step inviting the user to download the app.

App confirmation was needed for disenrolment

If the user decided to disable the second factor, a confirmation notification was sent to the paired device. We discovered that this logic came from our third-party tool. The modal did not mention it, and some early users were confused: clicking the button appeared to do nothing. I changed the illustrations and the copy and removed the buttons, prompting the user to check their phone to confirm.
