Two-Factor Authentication
OVERVIEW
As technology gets more complex and opportunities for account takeovers by hackers become more widespread, protecting yourself digitally with an extra level of security keeps your money with you and only you. Implementing mandatory two-factor authentication as soon as possible was both a member safeguard and a business necessity at Navy Federal Credit Union.
TEAM
1 UX Designer, 1 UX Writer, 2 Product Managers, 1 Engineer
MEDIUM
Adobe XD | Desktop, Mobile, Tablet
DURATION
ROLE
Lead UX Designer
THE PROBLEM
Constant threat of compromised accounts
The fear of having your financial information compromised has risen exponentially these days, and for good reason. Account takeovers rose approximately 72% from 2019 to 2020, and we observed multiple financial institutions (FIs) suffer massive data leaks. In the past, the only security measure a member had was to create a password that met certain complexity requirements. The problem was that members reuse passwords on other sites as security fatigue sets in, which is the main cause of security breaches.
We needed to go further to keep members secure, so my team and I were challenged to introduce two-factor authentication into all our digital touchpoints.
Providing security during login was necessary across all digital touchpoints.
THE PROCESS
Implementing two-factor authentication
Mandatory two-factor authentication is defined as follows: after using their preferred login sequence (three options: biometric, username with password, or a passcode), a member receives a prompt and selects either a push notification or a code sent through text or phone call. The member then verifies the code received on that device. This process existed on the mobile app, responsive web, and potentially any page that required authentication.
PROCESS MAP
Our solution to the constant challenge of alleviating excess and repetitive two-factor authentication was to begin every novel login sequence with the basic idea of two-factor authentication.
That's where we implemented our point of delight for our members: use enhanced backend security measures and allow members to confirm their devices and browsers once with mandatory two-factor authentication. Then, they were given the opportunity to select a Sign In Preference. Here, they would only need to log in with their credentials, and the backend would run scripts to verify that this device or browser was previously verified and allow the member to bypass two-factor authentication.
OVERVIEW OF FLOW
Login
Members log in as they normally would and select their verification method.
Verification Sequence
Member enters the code they received via text message. On iOS, the member can autofill the code.
Easy Sign In via Biometrics
Member chooses an easier login for the next time they log in, to avoid getting the 2-step sequence.
Succeed or Fail
If the member succeeds, they can continue on to remember the device for the next login. If they fail to verify, the member becomes locked out.
USER TESTING
We tested with 12 members. Our research indicated that members liked this “bypass” of mandatory authentication and that it would be able to continually increase our high rates of mobile usage. Having high traffic on our native mobile app and to our online web experiences is the driver of business and ensures the great experience we can provide for our members.
Overall Review
Members were interested in and supportive of increased security, and welcomed it coming from Navy Federal, especially since, from their perspective, they did not take steps themselves to increase safety.
All said that making 2-step mandatory was a good idea. Most cited that if Navy Federal thinks that they need to do this, it’s for a good reason.
Of the 12 members...
2 preferred online
9 preferred mobile app
1 used both online and mobile equally
Impacts & Learnings
The login process is the first impression a user has of us, and it's the first time we establish trust and security with our audience. Knowing this, my team had to push out a known, expected pain point to every member by adding an additional step in order to preserve the safety and security of our members' personal information.
Most of the respondents in a 203-person survey who initially set up 2-step are still using it.
We learned that overall, members had high satisfaction with the addition of mandatory two factor authentication.