Security & Login

A cross-channel authentication flow that gives customers secure and convenient identity verification on any Telstra platform, in store, or even on a phone call.


TEAM

Telstra Digital

ROLE

UX Designer

PLATFORMS

App & Web

DURATION

3 months

Password fatigue

Login and authentication had long been a thorn in the side of Telstra’s digital self-service, and with the launch of their new MyTelstra app and website in 2019 the problem had reached breaking point. Only 45% of customers were using the app in a signed in state - unable to view all their services, bills and help options.

Compounding this problem was a high dropout rate during the registration flow, as well as clear customer dissatisfaction with repeated verification steps on phone calls.

“Had to repeat my name, address and problem on multiple calls in a row - huge waste of my time”

- App store review

"Tried to reset my password and it just sends me in a loop of question and answer ... you already know who I am"

- Customer support forum

[Images: three screens from the existing login flow]

Above: screens from the existing login flow

Detailing the assumptions

By this time, 2-factor authentication using a PIN code sent by SMS or email was standard across many industries (e.g. banking), and biometric technology had reached widespread adoption. For Telstra it would mean reduced fraud risk, less reliance on Support agents to authenticate customers during transactions, and new secure ways to self-serve. There was only one question - would customers see the value in it?

As the UX designer on the rollout of ‘Multi-factor Authentication’ (PIN and biometric), it was my job to answer this question, and figure out an elegant way to tie this into existing login and onboarding flows. My first step, before any kind of solutioning, was research into existing customer behaviours/attitudes - and so I planned a series of interviews. These would be less focused on usability and more on utility, aiming to answer:

• What prior experiences do customers have with different forms of login, and what are their attitudes towards security?

• Does multi-factor fit within a Telstra app context? Which use cases - login, payments, etc?

• Which related terms - biometrics, 2-factor authentication, and so on - cause confusion or pain points?

User Testing #1 - Value Proposition

Critical to successful insights from the user interviews was recruiting the right people to test with, for which I referred to Telstra’s consumer segments. While confidential, these tend to skew older in age while still including a broad range of demographics and levels of digital literacy - it was helpful to keep this in mind throughout the design process.

I conducted 5 one-on-one interviews, which consisted of the following parts:

1. Background questions to understand the customer’s technology usage, experience with digital login and in-store/on-call authentication

2. Short tasks using an Invision prototype - from initial login + onboarding into the app, to managing account security settings and changing of personal details.

Note: All of the prototype screens already existed in the live app/website; only a single new splash page was mocked up to gauge sentiment.

[Images: three photos from the first round of user testing]

From left to right: mapping out the basic flow of the prototype, quick synthesis by notetakers, and affinity clustering of key findings

The key takeaways from the interviews were: the value prop is compelling, based on security and convenience factors, and the vast majority of surveyed customers would have no issues with using biometrics.

In terms of actual use cases for Telstra: the majority described the code/biometric prompt as necessary or expected when changing personal details or making payments. As expected, there was some lingering copy confusion, especially around the term ‘biometrics’.

“I put Telstra on the same level of security as NAB. Every time I change something I get sent a PIN”

- Participant 2

“I'm sick to death of typing in my email and password… anything that makes that easier I support, as long as it's secure.”

- Participant 4

Designing accessible forms

The design system at the time had no patterns for hiding and showing input in a field, and also no ‘pin entry field’ component, so these needed to be designed from scratch.

The next step was researching common UI patterns in a wide-ranging competitor analysis that included CBA, Google, Apple, Uber, and many more. I was especially interested in input fields - finding a clear trend towards showing the number of remaining digits - and in language, with ‘2-step verification’ and ‘Security beyond the password’ commonly used.


An accessibility audit was also carried out using the WCAG guidelines, evaluating everything from the unlock screens of Android and iOS to leading banks and social media. Surprisingly, many of these market leaders failed to meet the WCAG criteria, and we learnt from their mistakes. An example was auto-progression, the common practice of moving to the next screen as soon as a field has received all of its input. It seems like smart design, but it fails the WCAG criteria by introducing an unpredictable page change. To resolve this, a simple ‘Next’ button was introduced.
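To make the auto-progression point concrete, here is an added example (not code from the case study or from Telstra) of a framework-free model of the PIN entry field described above. It tracks the digits typed, exposes a remaining-digit count for the UI hint that the competitor analysis found to be the norm, and never changes the page on its own: submission happens only when the user activates ‘Next’. The WCAG-failing auto-progress variant is included behind a flag so the two behaviours can be compared side by side. The PIN length of 6 is an assumption; the case study does not state one.

```javascript
// Added example, not from the case study. Models a PIN entry field without
// a DOM so the behaviour can be exercised directly.

const PIN_LENGTH = 6; // assumed length; the case study does not state one

function createPinEntry(length = PIN_LENGTH, { autoProgress = false, onComplete = () => {} } = {}) {
  let digits = '';

  // Snapshot of what the UI needs to render: the value, how many digits are
  // still needed, and whether the field is full.
  const state = () => ({
    value: digits,
    remaining: length - digits.length,
    complete: digits.length === length,
  });

  return {
    // Accept one keystroke. Non-digits are ignored and input past the
    // expected length is dropped rather than silently truncated later.
    type(ch) {
      if (!/^[0-9]$/.test(ch) || digits.length >= length) return state();
      digits += ch;
      // Auto-progression: the page changes the moment the last digit lands,
      // with no user action. This is the pattern the WCAG audit rejected.
      if (autoProgress && digits.length === length) onComplete(digits);
      return state();
    },

    backspace() {
      digits = digits.slice(0, -1);
      return state();
    },

    // Accessible variant: only an explicit 'Next' activation submits, so the
    // page change is predictable and the user can review the entry first.
    next() {
      if (digits.length !== length) return { submitted: false, ...state() };
      onComplete(digits);
      return { submitted: true, ...state() };
    },

    state,
  };
}

// Hint text derived from the state, suitable for a visible label and for an
// aria-live region so screen-reader users get the same remaining-digit cue.
function remainingHint(s) {
  if (s.complete) return 'All digits entered. Press Next to continue.';
  return `${s.remaining} digit${s.remaining === 1 ? '' : 's'} remaining`;
}
```

In a real form the `onComplete` callback would be the point where the PIN is sent to the server for verification; the model deliberately leaves that out so the only thing it demonstrates is who triggers the page change.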

Detailed wireframes

Having essentially re-learnt form design from a new perspective, I was able to create detailed flows in Axure for the basic Setup, Change/Reset and Use During Transaction journeys. In addition to multifactor, a new state was introduced to handle customers who were Not Logged In at all. The key was making the screens and error handling detailed enough for build, but also providing a template and flow other designers could reference in the future as these flows were rolled out throughout more touch points in the company.


User Testing #2 - Usability and Interactions

It was time for another set of 5 user interviews, with a focus on task completion and detailed interactions. Due to COVID-19, these had to take place via video call, for which Askable Live was used.

[Image: a sample of the screens that were tested]

Pictured: a sample of the screens that were tested.

The task completion rate for the Setup flow was high, with all participants able to find the feature and complete the enrolment process. Ease of use was also favourable, with participants giving it an average Single Ease Question score of 5.8 out of 7.

There was a slight issue with the Change or Reset flow, with 2 participants unable to locate the entry point from its label and iconography. There was also some confusion around the language, in particular the privacy of the biometric and which features in the app required it.

Overall, the test confirmed the basic flow and interaction design decisions as correct, while also highlighting some issues in the detail for the team to focus on in the final weeks before build.

QA and launch

After some further refining and critiques with the rest of the design team, the designs went into development. QA was especially important here due to the form-intensive nature and accessibility requirements, so I received test builds and personally reviewed each piece of functionality. I also showcased the feature to senior leadership and provided a roadmap of its future use cases.

Unfortunately technical API issues delayed all flows except the Not Logged In flow. However this flow did have a remarkable impact after just 3 months, with the number of authenticated customers going from 45% to over 80%. Additionally, the multi-factor flows have been included in call centre training and the templates now form the ‘north star’ of secure login at the company.

Let's work together

Reach out at faris.ahmed1@live.com