Textura Two Factor Authentication


Project Overview

Textura CPM accounted for 60% of Textura’s revenue; it is a payment management and processing software that stores sensitive banking information for thousands of companies and subsidiaries. With that in mind, when it was discovered that a hacker came close to breaking in and stealing account information, the decision was made to hide banking information and add two-factor authentication as a security measure.

In order for this process to work we needed to capture every admin user’s cell phone number, or in the 5% of cases where there was no cell phone we captured a landline number that can be called with a security code.

Note: CPM was an existing application before I worked on it; all of the screen designs were already in place. My designs consisted of the modals/page overlays as well as the user flows.

Process

My first step was to research how different banks handle their two-factor authentication processes. In fact, I used my own bank and set it up on a few extra devices in order to capture their process. Once I had an idea of what my basics were, I worked with my manager, the lead database architect for CPM, to create a series of user scenarios for how to capture a user’s information and when to set up roadblocks.


Project Elements

Process Screens – Shows all the screens and designs that went into creating the project.

Element Descriptions – This is a list of the various stages and steps in the process I put together for the developers so they would know which element goes with which scenario.

Results

The Roadblock

As previously mentioned the first goal was to capture the user’s phone number in a simple and easy manner. A week before the two-factor authentication went live we worked with marketing and customer service to send out an email warning users what was coming. This helped to “soften the blow” when a user encountered a roadblock for the first time.

When a user first logs into CPM they are presented with the below modal; we intentionally set it up as a roadblock. There was no corner “X” to close the modal. The only way out was to enter a phone number or click “Remind Me Later.”


The Roadblock Phone Number Error

We wanted to make sure the user enters the correct number, which is why we ask them to enter it twice. If they enter the wrong number they are presented with an error message and they can correct the numbers.


Verify Identity

Once the user enters a matching number they are presented with an option to receive a verification code via text message or by a voice call for those who do not have cell phones. Also, there is an additional opportunity for the user to update their phone number if they entered the wrong number.


Message Received

In an effort to make the process realistic I included a phone screenshot.


Enter Security Code

Once the user receives their security code they can enter it to add their phone to the verification process.


Security Code Expired

The user has 15 minutes to enter their code; if they fail to enter it within the time limit they must request a new code. When they click “Get New Code” they are taken back to the “Verify Identity” screen and run through the process again.


Two-Step Verification Successfully Added

Once the user’s phone number has been verified they will see this success screen.


Edit Banking Info

In order to protect sensitive information all banking details are hidden until the user verifies their identity. If the user does not have their verification phone number set up they must first run through the “Roadblock” screens and set up a new number. Once the number has been verified they will then be able to view/edit the banking information.


Verify Identity

Once the user tries to edit their banking information they are required to verify their identity. The screen they see is the same as the above “Verify Identity” screen with one distinct difference; the phone numbers are hidden as a security measure.


Enter Security Code


Identity Successfully Verified


Edit Banking Info Part 2

Once the user has been verified they are able to view and edit their banking details.


Enter Security Code Error

As shown above, sometimes a user might enter the wrong code; if that happens they see this screen and have four more chances to enter the correct code. They always have the option to “Get New Code.”


Failed Verification

If the user fails to enter the correct verification code after five attempts they must request a new code altogether. Once they request a new code they can repeat the process.
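The expiry and attempt rules described in the “Security Code Expired”, “Enter Security Code Error” and “Failed Verification” screens can be enforced server-side as a small state machine. The sketch below is an added example, not Textura’s code; the function names, the six-digit code length and the salted-hash storage are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60  # from the page: 15 minutes to enter the code
MAX_ATTEMPTS = 5            # from the page: five attempts, then a new code


def _digest(code: str, salt: bytes) -> bytes:
    # Keeps the plaintext code out of the session store. The code space is
    # tiny, so the attempt limit below is the real brute-force control.
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class Challenge:
    salt: bytes
    code_hash: bytes
    issued_at: float
    failures: int = 0
    used: bool = False


def issue(now: float, digits: int = 6) -> tuple[Challenge, str]:
    """Create a challenge; the plaintext code goes only to the SMS/voice channel."""
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"  # CSPRNG, zero-padded
    salt = secrets.token_bytes(16)
    return Challenge(salt, _digest(code, salt), now), code


def verify(ch: Challenge, submitted: str, now: float) -> str:
    """Return 'verified', 'wrong_code', 'expired', or 'failed' (new code required)."""
    if ch.used or ch.failures >= MAX_ATTEMPTS:
        return "failed"      # single use; a locked challenge stays locked
    if now - ch.issued_at > CODE_TTL_SECONDS:
        return "expired"     # UI sends the user back to "Get New Code"
    # Constant-time comparison avoids leaking how much of the code matched.
    if hmac.compare_digest(_digest(submitted, ch.salt), ch.code_hash):
        ch.used = True
        return "verified"
    ch.failures += 1         # counted on the server, never in the browser
    return "failed" if ch.failures >= MAX_ATTEMPTS else "wrong_code"
```

Requesting a new code should replace the stored challenge outright, so the failure counter and timer of the old one cannot be reused.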


Lost Phone

If a user loses their phone or wants to edit their phone number they must contact client/customer service in order to add a new number. This was a security concern that came up; this allows customer service to verify the user before updating their account information.


Lost Phone Client Services View

When the user calls in this is the view the customer service employee sees when resetting a phone number.


Lost Phone

After the client services admin resets the user’s phone number the user is then told to refresh the page. When the page is refreshed they see the Lost Phone Two Factor setup. Once they enter a number and start the process they follow the same steps shown at the top of the page.
