Constant Contact users were getting locked out of their accounts when they no longer had access to the multi-factor authentication device they had registered. This led to an increase in support calls as users sought help regaining access to their accounts.
To address this, I needed a solution that let users change their multi-factor authentication device online without calling support, while ensuring that any newly registered device belonged to the legitimate user and not to a bad actor trying to take over the account.
What is MFA?
Organizations use multi-factor authentication (MFA) to strengthen the security of their systems and protect sensitive information. MFA is a security mechanism that requires users to present more than one form of authentication before they are granted access to a system, application, or data.
By requiring more than one factor, MFA reduces the risk of unauthorized access to company systems and data even if a user's password is stolen or compromised. It adds a layer of protection that makes it much harder for attackers to reach sensitive information or accounts.
Constant Contact requires users to set up a multi-factor authentication method in order to use its tools.
1. The Problem
The data showed that users kept calling support to update their multi-factor authentication device. We wanted to reduce the volume of support calls by adding a feature that lets users update their device on their own; the estimate was that this would save the business 1 million+ a year.
I worked with the security team, which advised on what questions we should ask users and what information they would have to provide so that we weren't letting bad actors into accounts.
Then I designed the error fields and messages. I kept the error messaging broad, so that a failed attempt does not tell a bad actor which piece of information was wrong. We also decided to allow users only 3 attempts; after that, they must call support.
Here are some changes we made after testing with users:
1. At the end of the flow we have to log the user out, and they must log in again to set up a new MFA device. We were concerned that some users might think a glitch had thrown them out of the reset flow, so we added a page explaining what will happen next and what they should do.
2. We noticed that many accounts have multiple users. If a user doesn't have the information needed to answer the questions, or doesn't have access to the account owner's email, they won't be able to set up a new device. So we added a page at the beginning of the flow listing all the steps required to set up a new MFA device. This also tells users how many steps the flow will take.
New first step with instructions:
3. One issue we kept running into in UXR testing was that many users didn't realize we were asking for the email address of the account owner. I worked out a way to reduce the steps needed to set up a new MFA device without weakening security.
Since a user had to log in twice, I suggested we remove the first login and instead send an email directly to the account owner's email address. When they receive the email, they click a button that authenticates them and takes them back into the flow, rather than having to copy and paste a code and go back and forth between pages. I discussed this with the security team and they approved the new flow.
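To make the agreed flow concrete, here is an added illustration of how the three steps (emailed button, verification questions with 3 chances, forced re-login) could be implemented as a small service. This is not Constant Contact's code: the signed-token format, the 15-minute link lifetime, the in-memory outbox standing in for the mail system, and the identical reply for unknown and known accounts are all my assumptions.

```python
"""Self-service MFA device reset: e-mailed single-use link, limited verification
attempts, generic error messages. Illustrative code only (not Constant Contact's)."""
import base64
import hashlib
import hmac
import json
import secrets

MAX_ATTEMPTS = 3            # three chances at the questions, then "call support"
LINK_TTL_SECONDS = 15 * 60  # assumed validity window for the e-mailed link
GENERIC_ERROR = "We could not verify your request. Please try again or contact support."
LOCKED_MSG = "Please contact support to update your multi-factor authentication device."
RESET_DONE = "Your device has been removed. Log in again to set up a new one."


class MfaResetService:
    def __init__(self, accounts, secret_key, clock):
        # accounts: username -> {"owner_email": str, "answers": {question: answer},
        #                        "mfa_device": registered device or None}
        self.accounts = accounts
        self.secret_key = secret_key      # server-side HMAC key (assumed)
        self.clock = clock                # returns current Unix time; injectable for tests
        self.outbox = []                  # stand-in for the mail system
        self.used_nonces = set()          # makes every link single-use
        self.failed_attempts = {}         # username -> wrong-answer count
        self.sessions = {}                # session id -> username whose link was clicked

    # Step 1: the user names the account; the owner's address gets the link.
    def request_reset(self, username):
        acct = self.accounts.get(username)
        if acct is not None and self.failed_attempts.get(username, 0) < MAX_ATTEMPTS:
            payload = {"u": username, "exp": int(self.clock()) + LINK_TTL_SECONDS,
                       "n": secrets.token_hex(16)}
            body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
            sig = hmac.new(self.secret_key, body.encode(), hashlib.sha256).hexdigest()
            self.outbox.append({"to": acct["owner_email"], "token": f"{body}.{sig}"})
        # Same reply whether the account exists, is unknown or is locked,
        # so the form cannot be used to enumerate accounts (assumed policy).
        return "If this account exists, the account owner has been e-mailed a link."

    # Step 2: clicking the button in the e-mail authenticates the request.
    def redeem_link(self, token):
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self.secret_key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(sig, expected):
                return None, GENERIC_ERROR
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None, GENERIC_ERROR
        if payload["exp"] < self.clock() or payload["n"] in self.used_nonces:
            return None, GENERIC_ERROR     # expired or already clicked
        self.used_nonces.add(payload["n"])
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = payload["u"]
        return session_id, None

    # Step 3: verification questions; 3 chances, then the user must call support.
    def answer_questions(self, session_id, answers):
        username = self.sessions.get(session_id)
        if username is None:
            return False, GENERIC_ERROR
        acct = self.accounts[username]
        if self.failed_attempts.get(username, 0) >= MAX_ATTEMPTS:
            self.sessions.pop(session_id, None)   # a link issued before lock-out is no help
            return False, LOCKED_MSG
        # Compare every answer (no short-circuit) so timing does not reveal
        # which question failed, and report only a generic failure.
        results = [
            hmac.compare_digest(answers.get(q, "").strip().lower().encode(),
                                expected.lower().encode())
            for q, expected in acct["answers"].items()
        ]
        if not all(results):
            self.failed_attempts[username] = self.failed_attempts.get(username, 0) + 1
            if self.failed_attempts[username] >= MAX_ATTEMPTS:
                self.sessions.pop(session_id, None)
                return False, LOCKED_MSG
            return False, GENERIC_ERROR
        # Success: drop the old device and end the session. The user is logged
        # out and must log in again to enrol a new device (the case study's last step).
        acct["mfa_device"] = None
        self.failed_attempts.pop(username, None)
        self.sessions.pop(session_id, None)
        return True, RESET_DONE
```

The two properties the security team cared about map onto two checks: the link carries an HMAC, an expiry and a nonce, so it can only be clicked once and only within its window, and every failure path returns the same generic message while the attempt counter enforces the three-chance limit before handing the user to support.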
Final Flow
Here is the final design flow for setting up a new multi-factor authentication device.
I implemented a new process that let users change their multi-factor authentication device through a verification process with multiple steps to confirm the user's identity. This allowed users to regain access to their account without contacting support, while maintaining a high level of security against unauthorized access.
By giving users the ability to change their MFA device themselves, we reduced the number of support calls and improved the user experience. By building security checks into the flow, we also protected against potential threats and maintained the integrity of our user accounts.