Two-factor authentication

On sign-up, clients are opted in to email-based authentication by default. However, a notable percentage of clients continue to use email, the least secure two-factor authentication (2FA) method. For crypto holdings this leaves them especially vulnerable to account takeovers.

Two-factor authentication
Lead design
Wealthsimple 2021

Key requirements


Provide context

Provide clients with a clear and compelling, yet concise explanation of why they should upgrade their 2FA.



Inspire trust

Improve client trust by enabling them to feel confident that we have their best interest top of mind.



Improve security

Transition all crypto clients that wish to withdraw assets to a more secure authentication method.


Phase one

A general push to upgrade to a more secure 2FA method. This is framed as a strong nice-to-have, but it implies that future feature releases will require this task to be complete.





Pre launch push

Prefacing the launch of Crypto Withdrawals with an app-wide push to increase the percentage of clients using a non-email-based authentication method.

Clients who defer the prompt receive a secondary prompt via a card on the account screen.





Increased clarity

A rework of the existing 2FA method selection view that both reorders the options from most to least secure and makes the information presented easier to parse.

App-based authentication is the most secure option, so it is labelled as recommended and selected by default.

Phase two

A hard block on feature access. Clients who previously deferred the prompt to update will be blocked from accessing Crypto Withdrawals by the security measures in place.





Mandatory upgrade prompt

Clients who previously deferred prompts to upgrade (phase one) will be blocked from withdrawing crypto until they upgrade their authentication method.

This is a security must-have to help protect clients and Wealthsimple from bad actors.




24-hour holding period

To further protect clients, a 24-hour holding period will be applied to crypto withdrawals following a 2FA upgrade.

During this period the client is contacted via email about the change, giving them an opportunity to notify us if they were not the one who initiated it.

Clients keep access to all other app functions during this time.
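The phase two hard block and the 24-hour holding period together form a small withdrawal policy: email-based 2FA means no crypto withdrawal, an upgrade starts a hold that is announced to the client by email, and once the hold expires withdrawals open up. The following is an added illustration written for this page, not Wealthsimple's code; the method names, the `Decision` shape, the rule that only a strictly stronger method counts as an upgrade, and the notification record are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class Factor(IntEnum):
    """2FA methods, ranked least to most secure (assumed ranking for this example)."""
    EMAIL = 0
    SMS = 1
    APP = 2


# Order the selection view presents them: most secure first, app-based recommended.
SELECTION_ORDER = [Factor.APP, Factor.SMS, Factor.EMAIL]
RECOMMENDED = Factor.APP

# Crypto withdrawals stay held for this long after a 2FA upgrade.
WITHDRAWAL_HOLD = timedelta(hours=24)


@dataclass(frozen=True)
class Client:
    client_id: str
    factor: Factor
    factor_changed_at: Optional[datetime] = None  # last upgrade time, None if never upgraded


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                              # "ok", "upgrade_required" or "holding_period"
    available_at: Optional[datetime] = None  # when a held withdrawal becomes possible


def upgrade_factor(client: Client, new_factor: Factor, now: datetime):
    """Record a 2FA upgrade and produce the email notice sent during the hold.

    Assumption for the example: moving to an equal or weaker method is not an upgrade.
    """
    if new_factor <= client.factor:
        raise ValueError(f"{new_factor.name} is not stronger than {client.factor.name}")
    upgraded = replace(client, factor=new_factor, factor_changed_at=now)
    # The notice goes out by email so the client can report a change they did not make.
    notice = {
        "channel": "email",
        "client_id": client.client_id,
        "message": (f"Your 2FA method changed from {client.factor.name} to {new_factor.name}. "
                    f"Crypto withdrawals are held until {(now + WITHDRAWAL_HOLD).isoformat()}. "
                    "Contact us if you did not make this change."),
    }
    return upgraded, notice


def crypto_withdrawal_decision(client: Client, now: datetime) -> Decision:
    """Phase two policy: hard block on email 2FA, then the post-upgrade holding period."""
    if client.factor == Factor.EMAIL:
        return Decision(False, "upgrade_required")
    if client.factor_changed_at is not None:
        release = client.factor_changed_at + WITHDRAWAL_HOLD
        if now < release:
            return Decision(False, "holding_period", release)
    return Decision(True, "ok")


# Constructed sample timeline used by demo() and the tests.
T0 = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)


def demo():
    """Walk one client from email 2FA through an upgrade to an allowed withdrawal."""
    client = Client("client-0001", Factor.EMAIL)  # constructed sample client
    steps = [crypto_withdrawal_decision(client, T0)]              # blocked: upgrade required
    client, _notice = upgrade_factor(client, RECOMMENDED, T0)
    steps.append(crypto_withdrawal_decision(client, T0 + timedelta(hours=1)))   # held
    steps.append(crypto_withdrawal_decision(client, T0 + WITHDRAWAL_HOLD))      # allowed
    return steps


if __name__ == "__main__":
    for d in demo():
        print(d)
```

A client already on SMS with no recorded upgrade passes straight through, matching the page's framing that only email-based 2FA is blocked; an SMS client who moves to app-based 2FA picks up the same 24-hour hold as an email client who upgrades.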

Impact

Clients using app-based authentication: *

Clients using SMS-based authentication: *

Clients using email-based authentication: *

Shoot me a message to see the impact of this work

hi@kellyseay.com
