Password Reset

Helping users recover their account.

Account recovery is an often overlooked core feature of most online applications. I was responsible for leading the initiative to improve the account recovery process for a SaaS platform, with the following goals:

    • Reduce call volume to customer support for account recovery.
    • Implement a fast and secure password reset process.

What I did.

I audited the account recovery processes across popular websites and platforms (Amazon, Google, Facebook, etc.), analyzing differences in user flow and security measures. Here’s what I discovered:

    • The conventional flow involves emailing a unique URL to the user, which lets them proceed with the reset.
    • Keeping password requirements minimal and displaying them up front reduces the likelihood of errors.
    • Showing a strength indicator motivates people to create more secure passwords. (Research link)

The following user flow represents the traditional (and least secure) process for account recovery, which starts with identifying the user, usually by username or email address:

Email Address: A case of stolen identity.

The problem with password resets that are 100% dependent on email is that the integrity of the account being reset becomes 100% dependent on the integrity of the user’s email account. Whoever has access to their email has access to any account that can be reset purely by receiving an email.

In order to address (see what I did there?) this issue, the password reset only proceeds after the user successfully verifies their right to do so. This is done by sending the user a temporary code (by SMS in most cases) that the system validates before they can change their password.

The proposed flow.

If you are like me (and the majority of us, I’d say), keeping your information safe is a major concern. For example, most users would be mortified if their accounts were hacked. It is for this reason that we are advised to have long, complicated and different passwords across all our digital devices, platforms and services. It’s because of this concern for security that companies like Google and Facebook provide bulked-up methods, including 2-step verification, aka two-factor authentication (by code generator, SMS, email confirmation, etc.).

Being secure isn’t easy. The bad guys count on users being lax in protecting themselves. 2-step verification is all about identifying users through their phone. While this means it takes longer to reset their password, the added step is worth it and ensures account security. This is the flow we ultimately decided on:

Something to think about.

Opening a link is more convenient than entering a password that isn’t yours. Users also don’t need to remember a temporary code or face copy/paste issues (which is a pain on touch devices).

For security reasons, the system does not disclose whether a user’s username or email address is valid during the “account identification” step. While there’s a slight usability tax for doing this, it’s a small trade-off for an infrequent process.
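To make the two points above concrete (the email link plus SMS code flow, and the identification step that never reveals whether an account exists), here is an added example written for this page, not code from the platform described. The user store, the delivery channels and the URL are constructed stand-ins, and the PBKDF2 password hashing is an assumption, not something the post specifies.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stand-ins for the user store and the two delivery channels.
USERS = {"alice@example.com": {"phone": "+1-555-0100", "pw": None}}
sent_emails, sent_sms = [], []          # (recipient, payload) pairs a real system would deliver
_pending = {}                           # sha256(token) -> reset state
CODE_TTL = 10 * 60                      # link and SMS code expire together, in seconds
MAX_CODE_ATTEMPTS = 5                   # wrong SMS codes tolerated before the link is burned
GENERIC_REPLY = "If that account exists, we have emailed reset instructions."

def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def request_reset(identifier: str, now=None) -> str:
    """Step 1: identify the user. The reply is identical whether or not the account
    exists, so this endpoint cannot be used to enumerate usernames or email addresses."""
    now = time.time() if now is None else now
    ident = identifier.strip().lower()
    user = USERS.get(ident)
    if user is not None:
        token = secrets.token_urlsafe(32)               # unguessable, goes only in the email link
        code = f"{secrets.randbelow(10**6):06d}"        # short code, goes only over SMS
        _pending[_h(token)] = {"user": ident, "code_hash": _h(code),
                               "expires": now + CODE_TTL, "attempts": 0}
        sent_emails.append((ident, f"https://app.example/reset?token={token}"))
        sent_sms.append((user["phone"], code))
    return GENERIC_REPLY

def complete_reset(token: str, code: str, new_password: str, now=None) -> bool:
    """Steps 2 and 3: the link proves control of the inbox, the code proves control of
    the phone. Only when both check out is the password replaced; the token is then burned."""
    now = time.time() if now is None else now
    key = _h(token)
    state = _pending.get(key)
    if state is None or now > state["expires"]:
        _pending.pop(key, None)                         # expired links are discarded
        return False
    if not hmac.compare_digest(state["code_hash"], _h(code)):
        state["attempts"] += 1
        if state["attempts"] >= MAX_CODE_ATTEMPTS:      # stop online guessing of the 6-digit code
            _pending.pop(key)
        return False
    _pending.pop(key)                                   # single use, even on success
    salt = secrets.token_bytes(16)                      # assumed: PBKDF2 with a per-user salt
    USERS[state["user"]]["pw"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000))
    return True
```

Note that the stored state holds only hashes of the token and the code, so a leaked copy of `_pending` does not let anyone finish a reset.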

What’s so important about this?

This project provided the opportunity to think beyond interfaces (UI components, colors, branding, etc.) and solve a nuanced problem while balancing users’ needs, security issues and technical challenges.

I enjoyed working in collaboration with the product manager, connecting different teams (Security, Product and Design) to make design decisions that impact user experience at its core.

What I wish I did.

The ideation and validation phase could have been more efficient had I engaged key stakeholders earlier in the process. I experienced a lot of back-and-forth conversations on the technical implementation of the proposed flows.

One caveat for 2-step verification by SMS is that smartphones are capable of receiving both emails and SMS. This means that if someone got their hands on an account holder’s smartphone, we’d be back to one channel. This is a problem for 2-step verification that I wish I had explored further.

Some of the research that informed my decisions was based on previous observations I made of users on social media platforms (Instagram, Facebook) and assumptions I made based on them. I wish I had conducted formal user tests to refine and validate the design solution with representative users.