TD Bank
Two-Step Verification
Two-Step Verification is an identity authentication method for web online banking users to protect them from the potential cybersecurity threats in the digital world.
The Two-Step Verification we created is the core product that helps the customers to add another layer of protection to their bank account, from web banking to mobile app banking.
Overview
Project Timeline
8 Months
Role & Contribution
Product Design
Visual Design
UX Design
Supported Devices
Responsive Web Design
Mobile App (iOS+Android)
Tablet App (iOS+Android)
Tools
Sketch
Adobe Illustrator
Axure
Invision
HOW IT ALL STARTED
Online banking customers are facing the threat of fraud and cybercrime.
According to the report from the Canadian Bankers Association, the estimated cost of cybercrime to businesses will reach 8 trillion dollars over the next 5 years.
I was part of an important project to design a new identity authentication feature for TD Bank to help to protect their online banking customers away from the threat of fraud and cybercrime.
***To comply with non-disclosure agreement, I have omitted and obfuscated confidential information in this case study.***
Introducing Two-Step Verification
Two-Step Verification is a login authentication method for online banking users to protect them from the potential cybersecurity threats in the digital world.
The Two-Step Verification we created is the core product that helps the customers to add another layer of protection to their bank account, from web banking to mobile app banking.
How it works
A high-level diagram to demonstrate TD's Two-Step verification process and how it protects customers' assets.
How it protects user’s data
Most users only have one layer – their password – to protect their account. With Two-Step Verification, if a suspect hacks through your password layer, the hacker still needs to use the customer’s phone to get into your account.
Final Deliverables
Final deliverable for Visual & UI Design included:
Responsive Web Design (1440px, 1024px, 768px, 320px)
Mobile App Design (iOS & Android)
Tablet App Design landscape + portrait (iOS & Android)
Selected TD Web Banking screen design for Two-Step Verification
Selected iOS TD App screen design for Two-Step Verification
Selected Android TD App screen design for Two-Step Verification
Continue to read below to learn about the process and how did we get to the final solution
Project Timeline
At the beginning of the project, we didn’t know we would be designing a two-step verification. It took us a lot of processes to validate the concepts with actual TD customers and working with the researcher and business team to get to the final solution.
Background
TD Bank is serving more than 15 million customers nationally. It’s super important to do their best to protect their valued customers.
With the increasing concerns of cybercrime in the digital world, TD bank decided to develop a new authentication method to protect its financial system and customers’ personal information for their Web Online Banking system from cybersecurity threats.
Problem Statement
How can TD protect its online banking customers from the cybercrime threat?
The client has completed an internal envisioning project before this project kicked off. They have ideated two potential solutions for the new authentication method: Passwordless Login and Soft-Token Login.
About Passwordless Login
Passwordless allows customers to log in without entering passwords, by using biometrics to authenticate customers' identities.
About Soft Token Login
Soft token lets the customers transform the trusted mobile device to generate a security code from the TD app to authenticate the login request.
Challenge
The solutions were in place without understanding the user needs.
The design team rolled on the project with the given solutions.
We weren't very confident that these two solutions would work because we didn’t really fully understand the customers' mental model.
Questions we had:
How do we validate the feasibility of the provided solutions via design?
How do we make a better recommendation to the client so the new authentication feature is just right for customers?
Our design approach to answering the questions:
Building hi-fi prototypes to validate the ideas with current online banking customers.
Leveraging the user testing findings & outcomes to make valuable recommendations.
MY ROLE
As a Product Designer
I joined the design team with 2 Senior UX Designers to frame the design strategy, uncover the user needs and design a simple, intuitive product for the end-users. I was specifically responsible for the UI design deliverables which included Responsive Web Design screens, iOS & Android app screens and Visual Design Specs for development.
In addition, I worked alongside TD Bank’s 2 Business Analysts, a Product Owner, a Project Manager, a Content/Copywriter, and 3 of their development teams (Web, iOS app, Android app)
DESIGN PROCESS
I created hi-fi prototypes for both Passwordless & Soft-Token Login for user testing sessions.
I worked closely with the UX designers, a Copywriter and the business team to dive deeper into the provided solutions. After having the lo-fi wireframes approved by the stakeholder, I created hi-fi prototypes for both Passwordless Login and Soft-Token Login.
Passwordless Login - Enablement/Enrolment Flow
Passwordless Login - Challenge Flow
Soft-Token Login - Challenge Flow
VALIDATION
User Testing Phase
We worked with Phase 5, a marketing, user and CX research lab to conduct series of user testing in order to:
Use our prototypes to uncover the customers' mental models of authentication and password management.
To assess the potential interest of the new authentication concepts.
The user testing sessions were a two days exercise, involved 12 existing TD online banking customers to go through 3 different flows for both Passwordless Login and Soft-token Login.
HYPOTHESIS
We assume these solutions will encourage TD customers to enable them to protect their accounts.
MEASUREMENTS
We will know we are successful when we see participants would be able to understand the purpose of features and willing to enable them.
Phase 5’s Lab located in downtown Toronto.
Executive Summary
Using passwords to authenticate is the primary mindset of customers for the login process.
Customers were overwhelmed with having multiple device hand-offs during the authentication process.
Customers see the increased security benefits but still aren't willing to give up the convenience.
Overarching Findings
10/12 Participants were confused by the concept of the proposed solutions and would decline the authentication process.
Passwordless Login Outcome:
Soft-Token Login Outcome
Result
With the given proposed solutions, all the customer mental models observed will encounter roadblocks.
Only 16% of the participants are willing to enable these features.
Pivoting Direction
Leveraging the research findings
We presented the user testing findings and data to the client's executive and business team.
They decided to discard both the Passwordless Login and Soft-Token Login because the testing outcomes clearly indicated customers faced roadblocks on both authentication methods.
What we learned from the research
3/12 of the participants mentioned Google's Two-Step Verification method as their previous online authentication experience.
Based on Google’s statistics, their Two-Step Verification feature blocks:
100% of automated attacks
99% of bulk phishing attacks
90% of direct, targeted attacks
Product Strategy/Recommendation
Based on the testing results and the synthesized insights, we recommend:
Align the expectations of the most vulnerable segment (convenience focused) while at the same time catering to the security conscious.
Align with the customers' mental models while does not require changing the current password process could ensure that customers will have more trust in the feature.
Listen to customer’s voices and provide a better solution to address their needs.
New Direction
Be data/research driven.
The client executive team agreed to our recommendation and decided to develop a Two-Step Verification as their new identity authentication method.
Competitive Analysis
We started to do some research about the Two-Step Verification and see how other big companies are doing it.
Key findings:
Still requires customers to enter the password as usual.
On-device prompt has the most significant protection rate.
Keep the onboarding introduction simple with help from visual.
Project Goal
Setting up the OKRs for the Two-Step Verification feature.
Increase the enrollment rates from 16% to > 53%
Design Process
I worked collaboratively with UX designers to come up with the user flows of the product.
The purpose of working on the user flows was to help us to communicate the whole idea with developers and to gauge if there will be any technical constraint from the development’s perspective.
I created hi-fi prototypes for Two-Step Verification for final user testing sessions.
I worked closely with the UX designers, a Copywriter and the business team to dive deeper into the product. After having the lo-fi wireframes approved by the stakeholder, I created clickable hi-fi prototypes for the final testing session to validate if our idea would work.
Two-Step Verification - onboarding/enablement prototype flow
Two-Step Verification - challenge prototype flow
FINAL VALIDATION
User Testing for Two-Step Verification
The one last user testing exercise to validate if our Two-Step Verification feature will be accepted by customers.
We went back to Phase 5’s Lab! Our manager, Noman Sidiqqi and UX Designer, Eris Shimoni.
HYPOTHESIS
We believe that building Two-Step Verification will:
1. Increase TD customers’ security awareness.
2. Encourage them to enable the feature to protect their accounts
MEASUREMENTS
We will know we are successful when we see more than 53% of customers are willing to enable the feature.
We worked with Phase 5’s researcher Colin Anderson to conduct series of user testing sessions to validate our concept.
Final Testing Result
67% (8/12) of participants see the benefits and willing to enable the feature.
33% (4/12) of participants still hesitate to give up the convenience.
Pain Points
Participants who declined to use it are still struggling to understand the concept of the Two-Step Verification method.
Some participants still valued convenience over security.
Improvement & Iteration
Team decided to make the trade-off since the purpose of the project is to build a secured layer upon password to protect their accounts.
However, we can reduce the confusion and help customers to understand the purpose of the feature by improving the copywriting.
WRAP UP
We successfully delivered the project after I completed the visual design tasks, delivered the visual design specs to the dev team.
My Takeaway
This project has gone through a lot of processes and challenges, I learned the importance of leveraging the data and research findings to build a product which not only reaches the business goals but also addresses the user needs, and how to effectively communicate those findings with the support from data to convince the stakeholders.
Project obstacles
The project faced a lot of timeline pressure and resource cuts due to the limited budget allocated on this project. Some stakeholders were not very open to taking in recommendations either.
As a Product Designer, I tried to work as efficiently as possible by setting up daily goals for myself and kept the communication between the cross-functional team transparent, articulated the design decision with support from data or with the logical rationale behind it.
What could I do better?
I wish I could stay on the project even for post-launch to learn more from the data and analytics and have an opportunity to improve the product.