IBM Verify: Mobile Multi-Factor Authentication

Team: Haidy Perez-Francis, Peter Vachon, Patrick Chew, Ploy Buraparate

 
 
Illustration by Patrick Chew

 

Summary

IBM Verify was the first consumer-facing mobile application that helped users safely authenticate to their critical accounts. While developing this application, we began to understand key user requirements for biometric identification and fought hard-won battles against our own technologists to build an application that excelled in customer experience, not just technological capabilities. The research around this application focused on how to minimize friction in a naturally undesirable experience and how to navigate from mobile to desktop and vice versa while maintaining a seamless workflow.

 

Doodle by me

Unpacking the problem

The irony of working in security is that nobody wants to think about security until they realize they don’t have it. Creating a more secure experience for users often means inserting a step into their workflow, which causes a natural sense of interruption and friction. Mobile multi-factor authentication provides authentication on the go through a user’s mobile device, using a set of authentication methods that range from biometrics (facial recognition, Touch ID, or voice recognition) to push authentication to a 6-digit one-time passcode.

The key questions our team had for this work were:

  • What would motivate a user to enroll in multi-factor authentication?

  • What were some common consumer expectations for multi-factor that already exist?
    What are some of the core baseline expectations that our users will compare our experience against?

  • What technological constraints or requirements would we need to consider as we iterated on our ideal experience?

 

Research Methodologies

Generative Exploration (6 weeks)

  • Co-creation of an ideal experience with key offering team stakeholders to unify on a product direction and set of user goals

  • Competitive audits for key competitors and consumer applications that apply biometric detection (Snapchat, Facebook tagging)

  • Exploratory user interviews with a panel of users diverse in gender, race, age, and technological competency to understand user sentiment towards two-factor authentication

  • Conceptual evaluations to explore different styles of biometric enrollment (face, voice, fingerprint)

  • Conceptual evaluations to deeply understand the relationship of multi-platform enrollment, specifically between QR code from desktop to mobile device (iPhone and Android)

  • Voice biometric phrase testing to understand key user errors for potential pass phrases

Evaluation Testing (3-week sprints x 7)

  • Rapid A/B testing to help narrow down design direction for user experience flow and visual design direction

  • Heuristic analysis of workflows to maintain design best practices

  • Performance testing for desktop-to-mobile testing

  • Unmoderated testing for full-fledged consumer workflows via UserTesting.com

 

Our Users & Their Needs

Jessica, End User
Jessica is focused on completing whatever workflow she wants to do and 2FA only stands in the way. Jessica needs a way to seamlessly authenticate in a way that does not distract her from the task at hand.

Scott, Security Administrator
Scott is focused on providing security to his organization. At large organizations, Scott may manage a few applications. At smaller organizations, Scott may be a Swiss Army knife. Scott needs an out-of-the-box 2FA solution with customizable applications that grow and shrink with his business needs.

Alice, Developer
Alice is a mobile app developer. She’s not necessarily invested in security, nor is she an expert in it. She’s focused on building things, which she finds satisfying. Alice needs a way to build applications that come with security baked in, so she can focus on creating an excellent experience for her users.

Gabe, IT Support
Gabe is not a security specialist. He’s focused on helping employees and customers at his organization fix their problems so they can carry on with business as usual. Gabe needs a way to easily remediate Jessica’s authentication problems so she can get access to her applications.

 

End Product

IBM Verify is available on the App Store and the Google Play store.

 

Extending Knowledge

Completed IAM digital workshop by a participant

In addition to developing a consumer experience, the research conducted for this product yielded a lot of understanding of the underlying work that produces the consumer experience. To better understand the domain of Identity and Access Management (IAM), which multi-factor authentication is an extension of, I spent time specifically understanding the domain and the key users for IAM. I then created a 4-hour self-paced workshop for folks to complete, which was a way to scale a full-day, in-person role-playing workshop.

In this workshop, participants got a taste of real threats caused by infiltration of identity and access management systems, basic domain vocabulary, a first-hand user journey of an IAM project from conception to rollout, and a series of podcasts that I curated from user interviews. Finally, once they consumed this domain knowledge, participants could perform a choose-your-own-adventure game where they needed to try to simulate an IAM project from end to end as a security architect.

The average NPS score of this workshop is 8 (whoo-hoo neutral!), and the workshop was completed by all members of the design team and made available to product marketing new hires.

 
When reflecting upon the frustrating experience users had when they were authenticating (or more so failing to authenticate), I began to understand the key importance of designing for error. Other than designing for the non-happy-path experience, designing for error presents a real opportunity to connect with your developers in a different way. In planning, designing, and even considering outlying use cases, we bring our teams into the design process in a unique way that creates a culture of trust.

An excerpt from this article:

User experience is a team process. As designers, we play a role in how user-centeredness is disseminated into our organization. We need to enable our broader teams to provide the best experience with design principles and best practices to ensure that good user experience can work at scale.
— Planning for error: the UX of broken things