Brief
Enable a way to offer users the option to protect their accounts using an advanced form of protection such as SMS or software authentication.
Detail
Customer feedback suggested that they would be more confident in our product if we offered two-step authentication to protect their accounts. Reaching out to our clients confirmed that the feature was highly desirable. Further, competitive analysis suggested that many offerings of similar nature do provide this option and that we would be wise to do the same.
It was originally submitted that we should implement SMS authentication, as many of our users have already provided their mobile numbers. But in the end I suggested we proceed with a more secure option using an authentication software app, specifically Google Authenticator.
Challenges
Providing a way for an existing user to switch on 2-step authentication; providing a way for users to switch it off again and revert to username/password only; communicating the benefits of enabling account security; and ensuring that new users who have not switched the feature on are never prompted for verification codes.
Potential Hazards
Account security is inherently tricky because of the potential to lock someone out of their account. We needed to account for desktop and mobile devices, and for the possibility that the user's phone does not have a functioning camera (Google Authenticator uses a QR code by default).
Result
All work was completed within our two-week sprint and launch went off without a hitch. Feedback was very positive - we sent out emails and browser notifications (for those who opted in to communication) with messaging for the new feature. Even without additional incentive (we briefly considered discounts for those who enabled the feature), adoption was immediate and widespread. Nearly all of our active coaches enabled 2-step authentication within the first two weeks. Students adopted the feature as well, largely encouraged by their coaches.
Typical Flow - Add
This wireframe shows the flow from the moment a user chooses to add authentication through to verification. The flow branches in the middle for the case where the user cannot scan QR codes with their mobile device.
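As an added example (not code from the original case study, which contains no implementation), the enrolment behind the flow above: a fresh secret, the otpauth URI that the QR code encodes, the same secret grouped as a typed setup key for the no-camera branch, and a verification step that must succeed before 2-step is switched on. The issuer and account names are assumed placeholders.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote

ISSUER = "ExampleCoachingApp"  # hypothetical issuer name, not from the case study


def new_secret() -> str:
    """Random 160-bit secret, base32-encoded as Google Authenticator expects."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def otpauth_uri(secret: str, account: str) -> str:
    """Text to encode in the QR code shown on the 'add' screen."""
    label = quote(f"{ISSUER}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(ISSUER, safe='')}"
            f"&algorithm=SHA1&digits=6&period=30")


def manual_key(secret: str) -> str:
    """Same secret, grouped in fours, for the branch where the phone has no camera."""
    return " ".join(secret[i:i + 4] for i in range(0, len(secret), 4))


def totp(secret: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing Unix time `at` (HMAC-SHA1)."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", at // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift.
    The comparison is constant-time. This runs before switching 2-step on,
    and again before switching it off, so the feature is never enabled for an
    app the user has not actually set up."""
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + step * 30), code):
            return True
    return False
```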
Typical Flow - Remove
We also needed to provide a way for a user to remove the added security if they wished, so this is the flow for that scenario.
Prototype
Here are the prototype shots for a typical flow beginning from the account dashboard page and ending at the confirmation messaging.