MFA
Nordstrom Multi-Factor Authentication
Overview
In September 2017, Equifax suffered an unprecedented security breach that compromised sensitive personal data of 148 million Americans. In early 2018, hackers stole credit card information from 5 million Saks Fifth Avenue and Lord & Taylor customers. The Nordstrom Board of Directors recognized the urgent need to protect customer accounts and tasked the UX team, along with seven other teams, to implement multi-factor authentication on all its digital channels by the end of Q1 2018.
Results
From the original Board directive to the near-simultaneous launch across desktop, MOW, and mobile apps, MFA was completed in just under three months. There was no measurable negative impact on the overall business KPIs, and in conjunction with several other anti-fraud strategies, the company saw a significant reduction in fraud. As a result of working with several new teams, I was able to establish new partnerships to help foster future UX collaboration and design thinking at Nordstrom.
Partners
UX Writing, UX Research, Product Management, Engineering, Security, Privacy, Executive Team
Roles
User Experience, User Interface, Prototyping, Visual Design, Production
Research & Discovery
The Nordstrom Board of Directors declared in November 2017 that protecting customer data is a part of good customer service, and we were tasked to increase our online security by the end of Q1 2018.
Working backwards from March 2018, we needed to give technology ample time to develop and test, so UX needed to be done with our work by the end of January. The Principal UX Designer started research on industry best practices, our UX Writer started research on copy best practices, while I dove into a competitive analysis.
Based on our combined research, the UX team presented 16 points that we felt best represented industry best practices and a customer-focused experience.
User Flows
Next, I partnered closely with product management, technology, and security to create user flows that mapped out the experience of signing in and checking out. The user flows helped us identify any pain points, gaps, or technical limitations that we as a team might need to work around.
Initial Comps
I quickly created a set of MVP comps and a second set of phase two comps as a fast follow.
Conflict & Compromise
An interesting element of the MFA project was that UX was working directly with teams that, from an experience standpoint, are diametrically opposed. The primary goal of Security is to protect the company from bad actors by making it harder for them to access sensitive information. This is inherently added (and arguably necessary) friction for users.
In my original design, I created a code input field that helped customers understand how many digits to expect in the code that we would send them, along with displaying the numeric keypad for mobile users. Security argued that having individual fields limited their ability to modify the code length in the event of a large-scale, orchestrated attack. Additionally, they requested the standard keyboard, which would make it harder for bad actors to determine how codes are formed.
After a very passionate and heated debate between teams, UX understood the need for security to be flexible with code length and agreed to move to an open form field. UX pushed back hard on the standard keyboard, arguing that forcing customers to try to enter a numeric code from the standard keyboard would be an exercise in frustration, given the limited time the text message appears on a customer’s screen.
After working closely with security, privacy, and legal, the design was iterated until we got to a point that met each team’s requirements. I began to build out a prototype for our sole usability test.
Prototyping & Usability Testing
A couple of weeks before the launch, the user research team conducted a remote study with 20 participants. All of the participants were able to complete the task, and 18 participants felt the process was intuitive. The primary learning from our usability study was that we could make some additional improvements with the copy to make the process clearer.
Final Comps
The final desktop checkout flow.
The final MOW checkout flow.
The final iOS checkout flow.
The final Android checkout flow.