Improving 2-step verification reset experience

Project overview: 2-step verification (2SV) adds an extra layer of security by requiring customers to confirm their identity when they sign into their bank account or Scotiabank app.

Customers who get a new mobile phone, change their phone number, reinstall the banking app, or update their biometric settings are required to reset their 2-step verification (2SV). However, many are unable to remember the answers to the security questions needed for the identity (ID) verification process or end up calling the customer support center.

Business goals: Reduce call volumes related to 2SV resets; Improve security to prevent account takeovers; Integrate Gemalto, a third-party identity verification solution.

User goals: Reset 2SV confidently and independently; Feel secure while recovering digital bank account access.

Team: Design, Product, Content, Engineering, Legal, and Fraud teams

My role: I collaborated with another designer and two product managers to integrate the Gemalto micro-app into Scotiabank’s identity and authentication process.

Reset 2SV screen

The problem

Reimagining 2SV reset

Customers struggled to reset their 2SV after changing devices or biometric settings. This led to frustration, a lack of trust in the process, and increased reliance on customer support (the call center).
We needed a user-friendly way for customers to reset 2SV without calling customer support for help, while protecting accounts from fraud.

2SV FAQ

User research and insights

Feedback from locked-out customers

Using Maze, a user research platform, we sent surveys to 500 customers who had recently been locked out of their account after multiple unsuccessful attempts to reset their 2SV following a device or phone number change.

Survey findings:

  • Customers generally feel frustrated when going through the process to reset their 2SV
  • Security questions, especially those relating to past account transactions, are difficult to answer without banking access
  • There was confusion around when and why 2SV is triggered
  • Many customers lacked confidence to continue the reset process, fearing they would be locked out of their accounts permanently
  • Customer support staff spent a significant amount of time walking customers through the manual reset steps

Heuristic review of existing reset flow

We conducted a heuristic review with the customer experience team, including product designers and researchers, to evaluate the current 2SV reset flow experience. Using Jakob Nielsen’s 10 usability heuristic principles, we assessed the clarity, flexibility, error prevention, and user control of the flow.

Heuristic principles, issues identified, and visuals:

  • Match between system and real world: Customers were confused by technical terms and language such as “Primary trusted device”, “Secondary trusted device”, or “2SV method”. Visual: Heuristic review screen 1
  • Error prevention: No warning or hint appeared on the previous screen before customers were shown the security question screen, causing drop-offs. Visual: Heuristic review screen 2
  • Help users recognize, diagnose, recover: Vague error messages left customers unsure how to fix the issue by themselves. Visual: Heuristic review screen 3

Challenges and constraints

  • The Gemalto app was used for both new account onboarding identity verification and 2SV reset identity verification
  • Financial security and risk requirements
  • Gemalto integration had a fixed SDK flow and branding
  • Customers on desktop have to switch to their mobile phone to use Gemalto. In addition, Gemalto requires a mobile phone with a camera to continue the flow

Design process

Competitive analysis

Collaborating with another designer, we conducted a competitive analysis to understand how other banks implemented their ID verification flows.

Competitive analysis-neo bank

NEO bank ID verification

High-level flow chart

I mapped the existing flow and highlighted friction points and feedback from the heuristic review. I created a flow diagram to understand how Gemalto would integrate into the 2SV reset flow.

2SV reset flow chart

Stakeholder review

I presented a subway map of the flow to stakeholders for technical feasibility and feedback.

2SV reset subway map

I collaborated closely with the product manager, content design, engineering, fraud, security, call centre operations, data analysts, business analysts, and legal to align on a better solution for clients. I updated the error screens based on security risk concerns and tested them with the customer experience team for clarity. In addition, I went through two design reviews with product leads and design directors to ensure the designs aligned with business and user requirements.

Final solution

The new 2SV reset flow replaced security questions with the Gemalto SDK app. I designed clear, step-by-step guidance and messaging to build trust. Customers could quickly scan a QR code that redirected them to their mobile device, where they verified their identity using the Gemalto app. This solution provided stronger security and better protected customer accounts from bad actors.

Impact

  • 68% of users completed 2SV reset successfully on first attempt from their mobile app
  • 52% reduction in 2SV reset related support tickets within 5 weeks of rollout

Reflections

What went well:


Timely and consistent collaboration with cross-functional teams helped with maneuvering the complexity and constraints of this project, including aligning priorities early. In addition, the clarity of the new flow and successful completion of 2SV reset from mobile was a big win for customers.

What I would improve:

Increase 2-step verification awareness. Many customers are still unaware of the importance of securing their account with 2-step verification. Proactive education through FAQs and help docs could help set the expectation and reduce confusion during 2SV reset.

What I learned:

Complex security flows can be made simple and intuitive to customers with the right structure and language.