Relying solely on a regular login with email and password is a potential security risk for our customers. In addition, for certain customers the perceived risk of not having two-factor authentication is very high, leading to decreased trust in the Moneyfarm platform and in the company as a whole.
Provide an easy-to-use solution for two-factor authentication login, leveraging the MultiFactor capabilities of our authentication provider, Auth0.
Understand the problem and turn it into an opportunity for the business and the customers. Align with the whole team and all stakeholders, and sketch out solutions.
Potential customers were expressing to our CRM team their concern about opening an account with Moneyfarm, given the lack of security functionality that is standard in the financial domain. Current customers kept asking for this new layer of security in the app reviews.
We gathered with product owners and developers to understand the scope of the project, the feasibility given by our third-party provider, and the desired outcome of the feature.
I started mapping out the user journey while asking questions of the various experts, such as developers and product owners. The journey was then divided into its main flows.
Enabling the second factor was possible directly from the mobile app installed on the device to be used for authentication.
If the user activated the second factor from the browser, the main difference from the app journey was the scan of a QR code, necessary to pair the mobile device with the user account.
To log into the web app with 2FA active, the user needed to authorize the access on the paired device. A notification would display the attempted login and its location.
We considered the cases where the user could not receive a login notification and added two additional functionalities to the mobile app.
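As an added illustration of the login flow described above (not Moneyfarm's or Auth0's code), the following hypothetical model shows the properties a push-approval step needs in order to be safe: only the paired device can answer, the notification carries the attempted login's location, a pending approval expires, and an approval can be redeemed by the web session only once. The TTL value and the device-id format are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical model of the push-approval login flow; not Auth0's or
# Moneyfarm's code. TTL and device-id format are assumed values.
CHALLENGE_TTL = 60  # seconds a pending approval stays valid


@dataclass
class Challenge:
    challenge_id: str
    user: str
    location: str  # shown in the notification on the paired device
    created: float
    status: str = "pending"  # pending | approved | denied


class PushMfa:
    def __init__(self, now=time.time):
        self.now = now
        self.paired: dict[str, str] = {}  # user -> paired device id
        self.pending: dict[str, Challenge] = {}

    def pair_device(self, user: str, device_id: str) -> None:
        # Done on the phone: from the app, or by scanning the browser's QR code.
        self.paired[user] = device_id

    def start_login(self, user: str, location: str) -> Challenge:
        # Password already checked; now ask the paired device to authorize.
        if user not in self.paired:
            raise PermissionError("no paired device for user")
        ch = Challenge(secrets.token_urlsafe(16), user, location, self.now())
        self.pending[ch.challenge_id] = ch
        return ch

    def respond(self, device_id: str, challenge_id: str, approve: bool) -> bool:
        # Only the paired device may answer, and only while the challenge is fresh.
        ch = self.pending.get(challenge_id)
        if ch is None or ch.status != "pending":
            return False
        if self.paired.get(ch.user) != device_id:
            return False
        if self.now() - ch.created > CHALLENGE_TTL:
            return False
        ch.status = "approved" if approve else "denied"
        return True

    def complete_login(self, challenge_id: str) -> bool:
        # The web session may redeem an approval exactly once.
        ch = self.pending.pop(challenge_id, None)
        return ch is not None and ch.status == "approved"
```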
The outcome of internal testing and feedback from a closed release to selected customers.
With the increase in functionality on the security screen, it became much harder for the user to scan the list and find the desired item. I redesigned the screen taking into consideration layout, commonly used patterns, and iconography.
During the first iteration of the flow, I assumed our users already had our app installed and knew it was required to enable two-factor authentication. Well, they didn't. At the beginning of the flow, I added another step inviting the user to download the app.
If the user decided to disable the second factor, a notification would be sent to the paired device to confirm. We discovered that this logic came from our third-party tool. It wasn't mentioned in the modal, and some of the early users were confused, since clicking the button did nothing visible. I changed the illustrations and copy, and removed the buttons, to prompt the user to check their phone to confirm.