In the book “ Industries of the Future” by Alec Ross, he specifies that we are at the center of cyber security or digital security revolution. Personal data such as identity, financial and personal information floods the digital space and are prime for malicious wrongdoings. Also, there is no scarcity of headline news about companies that aggregates digital information that is getting hacked. In Capital One, as a financial company, that acquires customer data to provide the best product- I believe we have a great responsibility to our customers to provide a robust security capability for their digital and financial experience.
Inside Capital One, I partnered with great minds to understand, investigate and craft digital experiences that revolve around multi-factor authentication.
This challenge was peppered with ambiguities and intricacies. Smack in the cross section of multi-device interaction, behavior shifting outcomes and a tech industry that is in a constant horse race for dominance. Google and Yahoo have their own products, and both of them continue to evolve their experiences.
While I research the target users, I simultaneously dove into the world of MFA. The complexity of this area in the digital security is immense. To fortify a solid authentication, you need multiple points from a customer. Get something they have or possession; this could be a device or a physical object that customer has and they can verify that object was assigned to them. Get something they know, and something they are- Inherance. If you manage to get multiple sets of those data, you can lower the risk and vulnerabilities of a user account being exposed to malicious digital attacks.
Placing this concept in an interaction form showcased so many challenges. Preliminary empathy research was gathered and created. Most of the users do not understand the central concept and won’t spare any time to learn or understand. Pain points were mostly focused primarily on the required task and the subset task that was initiated from the original task. For example, most of the security UX asked the customers to what kind of method they want to use. When they choose the task they want to perform, another task will surface, and so on and so forth. For them, all they want to do is to go to their final destination, and don't want to feel like unusual security requests are sidetracking them.
Storyboarding and utilizing content first tactics helped craft the experience. I surfaced many use cases, storylines, narratives, happy and unhappy paths that customers may encounter. This way we can also craft the specific language (in a dialog / conversational form) for a particular use case.
When Martha, a Capital One customer opens her account online, she doesn’t have to answer odd and forgettable questionnaires. All she has to do is sign in and approve with her mobile device. Also, approving with her fingerprint, which the experience provides, adds a layer of security which gives her an additional sense of confidence.
The story: Security in every financial activity.
We defined this experience as SwiftID.
SwiftID will take the place of those security questions for users of the Capital One app and website. In the app, users can sign up for SwiftID, which then captures a unique image of their phone as a way to identify the user going forward. After sign-up is complete, whenever there’s a need for strong authentication at login, a push notification is sent to that registered phone.
The Visual / Craftsmanship:
As the lead designer, I asked, how I want to visualize the experience so the customer can grasp the concept immediately. I want to make them login into their laptop, see the request/message, then go to their mobile device, interact and finally approve the request. It seems so easy when you think of it, but sometimes the customer doesn’t have their device near them. I utilized illustration for direction and contextual message. Because the interaction is a multi-device experience and even though that our request to our users is self-explanatory, providing visuals that transmit immediate messaging causes users to act intuitively.
Subjectivity of the Pain points-
Interviews and customer research tells us that sometimes users want intense security protocols, AND sometimes they don’t. This information provides me a sense of pain threshold for the customers that I can use and incorporate into my experience recovery techniques.
Authentication is not an additive experience. Users must do it. Capital One doesn't place these protocols in place for no reason. But since this overall experience has built-in friction, customers tend to acclimate and self-adjusts to the given friction; and that may cause side-effects. Complacency is one of those.
Technology perspective: My forecast is multifactor authentication will evolve into a much robust experience that incorporates multiple technologies- such Cognitive Intelligence, IOT, and Blockchain. As an experience designer, I have a responsibility to understand underlying and consequential behaviors around MFA. The more users understand and use the concept the better it is for the whole industry.
Business perspective: Businesses that understand customer's needs around security will always be exemplary in building customer relationships. “ I love that Capital One thinks of me and watches my back around security”- this is what I often hear in research. This connection is a definite value that future business leaders will keep in mind. Plus, the cost of identity verification/solutions is a great financial factor to consider.
Challenges in security and authentication will never go away. Businesses are focusing the customer relationship efforts to make their customer their VIP( valuable individual person). That being said, and as I continue to concentrate on their needs, all I can offer is the best contextual support at the right time and the right moment.
SwiftID launched in late 2015.
Special thanks to my partners:
John Fields, Justin Bowers, Lawrence Altaffer.
Your combined knowledge, support, and rigor were unfathomable.