Case study: Seamless security

Problem

Only 5% of all Luno customers have two-factor authentication enabled

Context

Luno currently allows customers to keep their accounts more secure by offering two-factor authentication, but only a fraction of customers have it enabled.

One of the primary reasons is that enabling it through a third-party app such as Google Authenticator takes a lot of effort.

Here are the instructions a customer would normally need to follow (with some customer questions):

Step 1: Download another app like Google Authenticator

  • 2 F what?
  • Why do I need to install another app?
  • How much data will it cost me?
  • How long will it take to download?
  • Oh, while this is downloading, what's happening on TikTok?
  • Now that it's downloaded, what do I need to do?

Step 2: Come back to Luno, copy this key 3PEV5VXLTLZFDTCL6X47WYKIXKTYM1SD, and paste it into your 2FA app

  • Oh my! What happens if I accidentally mess up one of these characters?
  • Where do I paste this in the new app?
  • I see 6 numbers now, is that my new 2FA code?

Step 3: Copy the 6-digit code and come back to Luno

  • Why is there a 30-second timer on the code?
  • The code I just pasted expired; what now?

Step 4: Use this code the next time you sign in

  • Can I delete this new app?
  • Can my partner still sign into my account?
  • What happens if I lose this code?

Of course, not all of these questions will pop up for every customer, but they do highlight how much complexity hides in a seemingly small task. As a result, the pain of having a less secure account feels smaller than the effort required to fix it.

This means that customers’ accounts are less secure, giving bad actors a greater chance of stealing their crypto.
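To make concrete what Steps 2 and 3 ask of the customer, here is a minimal RFC 6238 TOTP implementation, added as an example and not code from Luno or Google Authenticator. The 30-second timer is the time step, the 6 numbers are the truncated HMAC, a code pasted a moment too late is only accepted if the server allows a small window, and a single mistyped character in the key either fails to decode or silently produces different codes. The secret used is the RFC 6238 reference secret, not the key quoted above.

```python
import base64
import binascii
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the "30-second timer": codes change every time step
DIGITS = 6          # the "6 numbers" the customer sees

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    key = base64.b32decode(secret_b32)
    return hotp(key, unix_time // STEP_SECONDS)

def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current code or one from the adjacent
    time steps, so a code that expired while the customer was pasting it
    is still accepted briefly. compare_digest avoids a timing side channel."""
    key = base64.b32decode(secret_b32)
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter >= 0 and hmac.compare_digest(hotp(key, counter), submitted):
            return True
    return False

def code_for_typed_key(typed_key: str, unix_time: int):
    """What the authenticator app shows after the customer retyped the key.
    Returns None when the typed key is not valid base32; any other typo
    decodes to a different key and so produces different codes."""
    try:
        return totp(typed_key, unix_time)
    except (binascii.Error, ValueError):
        return None

# RFC 6238 reference secret (ASCII "12345678901234567890" in base32)
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59), totp(DEMO_SECRET, 60))     # 287082 359152
    print(code_for_typed_key(DEMO_SECRET[:-1] + "1", 59))  # None
```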

Solution

Instead of relying on customers to keep their accounts more secure, we took a more proactive approach:

We turned the Luno app into a 2FA app, reducing the complexity and cognitive overhead of account security.
A customer could now trust their device and receive sign-in codes via push notifications instead of through a third-party authentication app.

Here are some of the things we did to make their accounts more secure and seamless at the same time:

Feature 0: A customer's device is automatically trusted when they verify their identity, so an account is upgraded to 2-step verification simply by signing up

Feature 1: A customer with a trusted device who signs in on a non-trusted device will receive a code on their trusted device

Sign in flow when the customer is not on a trusted device

Feature 2: No sign in code is required when a customer signs in on their trusted device

Feature 3: A dedicated account recovery flow enables customers to access their accounts again if they lose their trusted device

Account recovery flow for when a customer lost their trusted device

Feature 4: For extra security, a trusted device can only be removed while signed in on a trusted device

Feature 5: To drive the adoption of trusted devices for customers without one, we introduced and explained it to them with a simple guide the first time they signed in again

Guide screens to help drive adoption of trusted device
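The sign-in, removal and recovery rules in Features 0 to 4 can be modelled as a small policy object. The code below is an added example, not Luno's implementation; the method names, return strings, the three-attempt limit on a pushed code and the exact behaviour of the recovery flow are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # assumption: wrong guesses allowed before a pushed code is discarded

@dataclass
class Account:
    trusted: set = field(default_factory=set)    # device ids the customer verified
    pending: dict = field(default_factory=dict)  # untrusted device id -> [code, attempts]

class TrustedDevicePolicy:
    def verify_identity(self, acct, device):
        # Feature 0: verifying identity on a device makes that device trusted
        acct.trusted.add(device)

    def sign_in(self, acct, device):
        if device in acct.trusted:
            return "signed_in"                   # Feature 2: no code on a trusted device
        if not acct.trusted:
            return "recovery_required"           # Feature 3: nowhere to push a code
        code = f"{secrets.randbelow(10 ** 6):06d}"
        acct.pending[device] = [code, 0]
        return "code_sent_to_trusted_devices"    # Feature 1: push to the trusted device

    def submit_code(self, acct, device, submitted):
        entry = acct.pending.get(device)
        if entry is None:
            return "rejected"
        if not hmac.compare_digest(entry[0], submitted):
            entry[1] += 1
            if entry[1] >= MAX_ATTEMPTS:         # limit online guessing of a 6-digit code
                del acct.pending[device]
            return "rejected"
        del acct.pending[device]                 # a pushed code is single use
        return "signed_in"

    def remove_trusted(self, acct, acting_device, target):
        # Feature 4: a password alone (untrusted device) cannot strip the second factor
        if acting_device not in acct.trusted:
            return "denied"
        acct.trusted.discard(target)
        return "removed"

    def recover(self, acct, new_device, identity_reverified):
        # Feature 3 (assumption): recovery re-verifies identity out of band, then
        # makes the new device the only trusted one and drops stale pending codes
        if not identity_reverified:
            return "denied"
        acct.trusted = {new_device}
        acct.pending.clear()
        return "recovered"
```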

What I did

I had multiple discovery sessions with our team's product manager to explore various iterations of what the most seamless, yet secure solution could look like.

A window into our minds. Of course, this is all illegible and gibberish to everyone else. :)

We mapped out flows in Miro with sticky notes and collaborated closely with engineers to invite early feedback on the cost and impact of various solutions and approaches.

A flow with sticky notes to map out a trusted device flow for Luno
One of our early flows mapped out with stickies

Designs were done in Figma in collaboration with our UX writer and brought back into a Miro flow to make it easier for engineers to refine for delivery.

Because of the way we had previously done 2-step verification, I also worked with the PM to define the optimal launch strategy and reduce the negative impact on customers.

We also held three collaborative test parties to make sure the solution was top-notch and ready for launch.

An artefact from one of our test parties

Once launched, we continued to monitor the impact in all our regions through a Looker data dashboard.

Impact

The solution made 59% of our customers more secure and reduced the time to sign in by 42%.

Our adoption strategy also proved to be highly effective with an average increase in adoption of ~500% per week at the peak of the rollout.

Number of Malaysian customers adopting trusted devices per week

What we learned & what’s next

Emotions like fear and greed are hardwired in human brains and often inhibit us from keeping our accounts safe. Acknowledging this as the root-cause problem enables us to design and build more proactive solutions, thereby relying less on customers to keep their accounts secure.

There’s a series of solutions that will help us get there, including wider adoption of passkeys, account-based biometrics, and geolocation checks.

This, together with several other things we’ve already done over the past year, has enabled us to reduce the number of compromised accounts dramatically.

Our goal is to have the most seamless, yet secure customer experience at Luno.
