Textura Two Factor Authentication
Textura CPM accounted for 60% of Textura’s revenue; it is a payment management and processing software that stores sensitive banking information for thousands of companies and subsidiaries. With that in mind, when it was discovered that a hacker had come close to breaking in and stealing account information, the decision was made to hide banking information and add two-factor authentication as a security measure.
In order for this process to work we needed to capture every admin user’s cell phone number, or in the 5% of cases where there was no cell phone we captured a landline number that can be called with a security code.
Note: CPM was an existing application before I worked on it; all of the screen designs were already in place. My designs consisted of the modals/page overlays as well as the user flows.
My first step was to research how different banks handle their two-factor authentication processes. In fact, I used my own bank and set it up on a few extra devices in order to capture their process. Once I had an idea of what my basics were, I worked with my manager, the lead database architect for CPM, to create a series of user scenarios for how to capture a user’s information and when to set up roadblocks.
Process Screens – Shows all the screens and designs that went into creating the project.
Element Descriptions – This is a list of the various stages and steps in the process I put together for the developers so they would know which element goes with which scenario.
As previously mentioned the first goal was to capture the user’s phone number in a simple and easy manner. A week before the two-factor authentication went live we worked with marketing and customer service to send out an email warning users what was coming. This helped to “soften the blow” when a user encountered a roadblock for the first time.
When a user first logs into CPM they are presented with the modal below, which we intentionally set up as a roadblock. There was no corner “X” to close the modal. The only way out was to enter a phone number or click “Remind Me Later.”
The Roadblock Phone Number Error
We wanted to make sure the user enters the correct number, which is why we ask them to enter it twice. If they enter the wrong number they are presented with an error message and they can correct the numbers.
Once the user enters a matching number they are presented with an option to receive a verification code via text message or by a voice call for those who do not have cell phones. Also, there is an additional opportunity for the user to update their phone number if they entered the wrong number.
In an effort to make the process realistic I included a phone screenshot.
Enter Security Code
Once the user receives their security code they can enter it to add their phone to the verification process.
Security Code Expired
The user has 15 minutes to enter their code; if they fail to enter it within the time limit they must request a new code. When they click “Get New Code” they are taken back to the “Verify Identity” screen and run through the process again.
Two-Step Verification Successfully Added
Once the user’s phone number has been verified they will see this success screen.
Edit Banking Info
In order to protect sensitive information all banking details are hidden until the user verifies their identity. If the user does not have their verification phone number set up they must first run through the “Roadblock” screens and set up a new number. Once the number has been verified they will then be able to view/edit the banking information.
Once the user tries to edit their banking information they are required to verify their identity. The screen they see is the same as the above “Verify Identity” screen with one distinct difference: the phone numbers are hidden as a security measure.
Enter Security Code
Identity Successfully Verified
Edit Banking Info Part 2
Once the user has been verified they are able to view and edit their banking details.
Enter Security Code Error
As shown above, a user might sometimes enter the wrong code. If that happens, they see this screen and have four more chances to enter the correct code. They always have the option to “Get New Code.”
If the user fails to enter the correct verification code after five attempts they must request a new code altogether. Once they request a new code they can repeat the process.
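The 15-minute expiry and five-attempt rules described above, sketched as server-side logic. This is an added example, not CPM's code; the class and function names, the 6-digit code length and the in-memory dictionary used for storage are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # page: the user has 15 minutes to enter the code
MAX_ATTEMPTS = 5             # page: five attempts, then a new code is required


class VerificationChallenge:
    """One issued security code (hypothetical class, not from the original page)."""

    def __init__(self, now=None):
        self.issued_at = time.time() if now is None else now
        self.attempts_left = MAX_ATTEMPTS
        self._salt = secrets.token_bytes(16)
        self._digest = b""

    def _hash(self, code):
        return hashlib.sha256(self._salt + code.encode()).digest()

    def issue(self):
        """Generate a 6-digit code (length is an assumption); keep only its hash."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._digest = self._hash(code)
        return code  # handed to the SMS/voice sender, not stored in clear

    def verify(self, submitted, now=None):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        now = time.time() if now is None else now
        if now - self.issued_at > CODE_TTL_SECONDS:
            return "expired"        # "Security Code Expired" screen
        if self.attempts_left == 0:
            return "locked"         # only "Get New Code" helps now
        self.attempts_left -= 1     # count the attempt before comparing
        if hmac.compare_digest(self._hash(submitted), self._digest):
            self.attempts_left = 0  # single use: a verified code cannot be replayed
            return "ok"
        return "locked" if self.attempts_left == 0 else "wrong"


def get_new_code(challenges, user_id, now=None):
    """'Get New Code': replace the user's challenge so the old code stops working."""
    challenge = VerificationChallenge(now)
    challenges[user_id] = challenge
    return challenge.issue()
```

Counting the attempt before the comparison and enforcing both limits on the server means the modal's error screens only reflect state; they are not what holds the limit.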
If a user loses their phone or wants to edit their phone number they must contact client/customer service in order to add a new number. This was a security concern that came up; this allows customer service to verify the user before updating their account information.
Lost Phone Client Services View
When the user calls in this is the view the customer service employee sees when resetting a phone number.
After the client services admin resets the user’s phone number the user is then told to refresh the page. When the page is refreshed they see the Lost Phone Two Factor setup. Once they enter a number and start the process they follow the same steps shown at the top of the page.