In the book “ Industries of the Future” by Alec Ross, he specifies that we are at the center of cyber security or digital security revolution. Personal data such as identity, financial and personal information floods the digital space and prime for malicious wrongdoings. Also, there is no scarcity of headline news about companies that aggregates digital information that is getting hacked. In Capital One, and as a financial company that acquires users data to provide the best product- I believe we have a great responsibility to our customers to provide a robust security capability for their digital and financial experience.
Inside Capital One, I partnered with great minds to understand, investigate and craft digital experiences that revolve around multi-factor authentication.
This challenge is peppered with ambiguities and intricacies. Smack in the cross section of multi-device interaction, behavior shifting outcomes and a tech industry that is in a constant horse race for dominance. Google and Yahoo have their own products, and both of them continue to evolve their experience.
While I research the target users, I simultaneously dove into the world of MFA. The complexity of this area in the digital security is immense. To fortify a solid authentication, you need multiple points from a user. Get something they have or possession; this could be a device or a physical object that user has and can verify that it is assigned to them. Get something they know or knowledge, and something they are- Inherance. If you manage to get multiple sets of points, you can lower the risk and vulnerabilities of a user account towards malicious digital attacks.
Placing this concept in an interaction form showcased so many challenges. Preliminary empathy research was gathered and created. Most of the users do not understand the central concept and won’t spare any time to learn or understand. User’s pain point was mostly focused on the required task and the subset task that were initiated from the original task. For example, most of the security UX asked the users to what kind of method they want to use. When users choose the one that they want, another task will surface, and so on and so forth. For them, all they want is to go to their final destination, and don't want to feel like unusual security requests are sidetracking them.
Storyboarding and utilizing content first tactics helped craft the experience. I surfaced many use cases, storylines, narratives, happy and unhappy paths users may encounter. This way we can also craft the specific language (in a dialog / conversational form) for a particular use case.
When Martha, a Capital One customer opens her account online, she doesn’t have to answer odd and forgettable questionnaires. All she has to do is sign in and approve with her mobile device. Also, approving with her fingerprint, which the experience provides, adds a layer of security which gives her an additional sense of confidence.
The story: Security in every financial activity.
We defined this experience as SwiftID.
SwiftID will take the place of those security questions for users of the Capital One app and website. In the app, users can sign up for SwiftID, which then captures a unique image of their phone as a way to identify the user going forward. After sign-up is complete, whenever there’s a need for strong authentication at login, a push notification is sent to that registered phone.
The Visual / Craftsmanship:
As the lead designer, I ask, how may I want to visualize the experience so the user can grasp the concept immediately. I want to make them login into their laptop, see the request/message, then go to their mobile device, interact and finally approve the request. It seems so easy when you think of it, but sometimes the user doesn’t have their device near them. I utilize illustration for direction and additional contextual message. Because the interaction is a multi-device experience and even though that our request to our users is self-explanatory, providing visuals that transmit immediate messaging causes users to act intuitively.
Subjectivity of the Pain points-
Interviews and customer research tells us that sometimes users wants intense security protocols, AND sometimes they don’t. This information provides me a sense of pain threshold for the users that I can use and incorporate into my experience recovery techniques.
Authentication is not an additive experience. Users must do it. Capital One doesn't place this protocols for no reasons. But since this overall experience has built in friction, Users tend to acclimate, and self-adjusts to the given friction and that may cause side-effects. Complacency is one of them.
Technology perspective: My personal forecast is multifactor authentication will evolve into a much robust experience that incorporates multiple technologies- such Cognitive Intelligence, IOT, and Blockchain. As an experience designer, I have a responsibility to understand underlying and consequential behaviors around MFA. The more users understand and use the concept the better it is for the whole industry.
Business perspective: Businesses that understand users needs around security will always be exemplary in building customer relationships. “ I love that Capital One thinks of me and watches my back around security”- this is what I hear often in research. This connection is a definite value that future business leaders will keep in mind. Plus, the cost of identity verification/solutions is a great financial factor to consider.
Challenges in security and authentication will never go away. Businesses are focusing the customer relationship efforts to make their user their VIP( valuable individual person). That being said and as I continue to concentrate on the user's needs, all I can offer is best contextual/bespoke support at the right time and the right moment.
SwiftID launched in late 2015.
Special thanks to my partners:
John Fields, Justin Bowers, Lawrence Altaffer.
Your combined knowledge, support, and rigor were unfathomable.