Secure login with 2SV (2–step verification)

Project overview: Many legacy accounts use security questions and answers to verify their identity during login to access their bank digitally (about 800,000 customers). This method of authentication verifies a user’s identity by asking for personal information. However, answers to these security questions can be phished, thereby making these accounts vulnerable to fraudsters.

Goals: Strengthen login security by replacing 2-step verification (2SV) knowledge-based security questions such as “What high school did you attend?” with a more secure form of authentication such as One Time Passcodes (OTP).

Platform: Mobile banking (iOS, Android) and Web (online banking)

Team: Design, Content, Product, Security, Fraud & Risk, QA, Business Analyst, Legal, Engineering, and Marketing.

My role: UX designer, research, and design strategy.

Enter 2-step verification code screen
Security question screen

The problem

Need for stronger security with seamless usability

Many banking fraud cases are a result of weak authentication methods. As account takeover (ATO) incidents continued to rise, it became clear that a more secure authentication method was needed.
However, introducing an extra form of verification during login, a high-frequency flow, risked creating frustration.

Challenge

How might we make account login safer without adding friction?

User research and insights

Insight 1: Security answers can be forgotten

Customer feedback and customer support call logs showed that many customers did not remember their security answers, especially if the questions were set years ago. In addition, customers were confused and frustrated about why they were being asked security questions.

Insight 2: Security questions can be phished

The fraud team reported multiple cases where fraudsters bypassed 2-step verification by correctly guessing or maliciously acquiring answers to security questions. This was a major vulnerability to our login flows.

Key insight

Knowledge-based authentication adds risk and frustration. One Time Passcodes (OTP) are more secure and more user friendly.

Call center log review

We collaborated with the call centre operations team to review call logs related to security questions from the past 6 months.

Examples of customers’ responses:

"I set those questions when I opened my account ages ago. No idea what answer I provided back then."
"How am I supposed to know how much I spent in my last transaction when I can’t access my banking app! I need to log in to get the answer."
"I cannot access my online banking. I need the 2-step verification security questions removed from my bank account immediately."

Hypothesis

Replacing these security questions with a more secure form of authentication such as a 2SV push notification or One-Time Passcode (OTP) could reduce fraud risk and improve the login success rate.

2-step verification mobile screens

Solution

Replace security questions with One Time Passcode (OTP) 2-step verification

Flow-map of 2-step verification

We proposed migrating every customer who used security questions and answers to log into their account to a more secure authentication method within four months. One Time Passcodes (OTP) removed the need for memory- or knowledge-based authentication and made account login more secure and faster.

The migration would be implemented in two phases:

Phase 1: Include a 'Skip for now' link, which would make setting up a one time passcode optional for customers.

Phase 2: Remove the 'Skip for now' link and make one time passcode enrolment a mandatory step for customers to access their digital bank account.

Rationale: Designing and shipping the changes in phases would give customers time to familiarize themselves with the incoming changes.

Limited time and multiple dependencies

With limited time and many dependencies (impact on other business lines, fraud, security, legal, and external vendor contracts), aligning priorities and securing approvals was a major challenge. I had to design around regulatory reviews and risk assessments.

Phase 1 — Optional 2SV enrolment

In the first phase, enrolling in 2-step verification (2SV) during login was optional. I included a 'Skip for now' link to give customers the choice of setting up 2SV immediately or deferring it to a later time. This approach allowed customers to learn about the new feature without feeling overwhelmed by a sudden change and gave them time to transition gradually from security questions to a more secure form of authentication.

I collaborated with our content designer to create email campaigns communicating the new changes, the benefits of 2-step verification, and when and why 2SV is triggered (e.g. on a new device).

Skip 2-step verification screen
Design system -component library

Phase 2 — Mandatory 2SV enrolment

In the second phase, 2-step verification (2SV) enrolment became mandatory. I removed the 'Skip for now' option to ensure all customers adopted a more secure authentication method.
Customers who had previously logged into their digital account using knowledge-based security questions and answers were shown a screen prompting them to set up 2SV One Time Passcode (OTP) before they could proceed.

Design system -component library

Change management

We sent email reminders to clients outlining the timeline for mandatory 2SV enrolment, clearly explaining the reason for it and how 2SV helps protect their accounts. Our goal was to ensure customers understood the reason behind the mandatory lockout introduced in phase 2.
To support this, we collaborated with stakeholders across the business to review and refine the messaging (gathering feedback and iterating on the copy), and presented a final version that was clear, empathetic, and informative.

Design research & Accessibility test

  • We went through several design and content reviews with stakeholders across the business
  • Conducted accessibility reviews on the new screens
  • Collaborated with QA team to ensure compatibility across devices

Replacing security questions with One Time Passcode (OTP) - Phase 2

Design system -component library

Design highlights:

  • Replaced the knowledge-based security question with a screen for OTP enrolment
  • Provided clear fallback options: an OTP resend option and the ability to receive the OTP by text message or phone call
  • System email sent to clients explaining why 2SV is required, to reduce drop-off

*Another designer worked on the feature that will allow customers outside of Canada to receive OTPs as text messages or voice calls.
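As an added illustration (not code from the project described in this case study), the Python below models the two-phase gating from the migration plan and the OTP issue/resend/verify path from the design highlights. The screen names, the 5-minute validity window, the 3-attempt limit and the in-memory customer record are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300          # assumed validity window for a one-time passcode
MAX_ATTEMPTS = 3               # assumed wrong-code limit before the code is discarded
CHANNELS = ("sms", "voice")    # delivery fallbacks named in the design highlights

@dataclass
class Customer:
    customer_id: str
    otp_enrolled: bool = False            # False = still on security questions
    pending: dict = field(default_factory=dict)

def next_screen(c: Customer, phase: int, skipped: bool = False) -> str:
    """Which 2SV screen follows a correct password, per rollout phase."""
    if c.otp_enrolled:
        return "otp_challenge"
    if phase == 1:
        # Phase 1: enrolment offered; 'Skip for now' falls back to security questions
        return "security_question" if skipped else "otp_enrol_optional"
    # Phase 2: the skip link is gone, so a knowledge-based user must enrol first
    return "otp_enrol_required"

def issue_otp(c: Customer, channel: str, now=None) -> str:
    """Create a fresh code for SMS or voice delivery; calling again is a resend and
    invalidates the previous code. The code goes to the delivery provider only."""
    if channel not in CHANNELS:
        raise ValueError(f"unsupported channel: {channel}")
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    c.pending = {"code": code, "channel": channel, "attempts": 0,
                 "expires": now + OTP_TTL_SECONDS}
    return code

def verify_otp(c: Customer, submitted: str, now=None) -> bool:
    """Constant-time comparison that enforces expiry and the attempt limit."""
    p = c.pending
    now = time.time() if now is None else now
    if not p or now > p["expires"]:
        c.pending = {}
        return False
    p["attempts"] += 1
    ok = hmac.compare_digest(p["code"], submitted)
    if ok or p["attempts"] >= MAX_ATTEMPTS:
        c.pending = {}                    # single use; discard after success or lockout
    return ok
```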

Listening, learning, and iterating

We saw a spike in call volumes a few weeks after rollout; customers were not happy with the mandatory 2SV enrolment. Despite extensive planning and testing, a few critical issues emerged after rollout that impacted customer experience and prompted rapid iteration.

Call listening exercise and insights:

The design and product team regrouped to understand the spike in call volumes and get a clearer picture of customers’ pain points. My design lead led a call listening exercise. The call centre team provided us with over 200 recent calls relating to the migration from security questions to 2SV one time passcodes.

What we heard:

"The person reading the voice code speaks too fast. I don’t have enough time to write it down, so I have to go back to my computer to resend the code, then switch back to my phone to listen again."
"I have mobility issues and don't use a mobile phone. Every time you send a code to my landline, I have to get up and go answer it. It's not easy for me."
"How am I supposed to access my account? Not everyone has a cell phone that can receive text messages."

Insights

  • Seniors in care homes faced barriers with voice OTPs
  • Customers who bank on desktop often don’t have their mobile phones nearby
  • Some customers don’t have SMS-capable phones
  • Voice One Time Passcodes are difficult to remember

Iterating based on feedback

Following insights from the call listening sessions, we made the decision to roll back the mandatory 2SV enrolment feature. Instead, we continued to support adoption through a multi-channel awareness campaign, including email, call centre scripts, and in-branch messaging, to help customers understand the benefits of stronger authentication and the rationale for moving away from security questions.

We also partnered with the marketing and accessibility team to improve the accessibility of the voice One Time Passcode (OTP) experience. Based on user feedback, the message was re-recorded at a slower pace to ensure that customers, including those with hearing, mobility, or cognitive challenges, could hear and write down the code without stress.
The copy on the enrolment screen was updated to include trust-building language that reinforces the importance of security in a more human and supportive tone.

Design system -component library

Impact

  • 83% increase in One Time Passcode (OTP) enrolment, showing higher adoption of secure 2-step verification practices
  • Reduced support calls related to account lockout and 2SV confusion
  • Improved customer understanding of why stronger authentication matters, leading to a higher trust in the login experience

Reflections

Designing for security is not one-size-fits-all. What's simple for one customer may introduce confusion for another. This project reminded me to design with inclusivity in mind, accounting for different ages, devices, and contexts, while never compromising on safety.