Only 5% of all Luno customers have two-factor authentication enabled
Luno currently allows customers to keep their accounts more secure by offering two-factor authentication, but only a fraction of customers have it enabled.
One of the primary reasons for this, is because it takes a lot of effort to enable it through 3rd parties like Google Authenticator.
Here are the instructions a customer would normally need to follow (with some customer questions):
Step 1: Download another app like Google Authenticator
- 2 F what?
- Why do I need to install another app?
- How much data will it cost me?
- How long will it take to download?
- Oh, while this is downloading, what's happening on TikTok?
- Now that it's downloaded, what do I need to do?
Step 2: Come back to Luno, copy this key 3PEV5VXLTLZFDTCL6X47WYKIXKTYM1SD, and paste it into your 2FA app
- Oh my! What happens if I accidentally mess up one of these characters?
- Where do I paste this in the new app?
- I see 6 numbers now, is that my new 2FA code?
Step 3: Copy the 6-digit code and come back to Luno
- Why is there a 30-second timer on the code?
- The code I just pasted expired; what now?
Step 4: Use this code the next time you sign in
- Can I delete this new app?
- Can my partner still sign into my account?
- What happens if I lose this code?
Of course, not all of these questions will pop up for customers, but it does highlight how much complexity there is in a seemingly small task. And so, the pain of the problem of not having a more secure account becomes less annoying than the effort to solve it.
This means that customers’ accounts are less secure and give bad actors a greater chance of stealing their crypto.
Instead of relying on customers to keep their accounts more secure, we took a more proactive approach:
We turned the Luno app into a 2FA app, reducing the complexity & cognitive overhead of account security.
A customer could now trust their device to receive sign in codes via push notifications instead of a 3rd party authentication app.
Here are some of the things we did to make their accounts more secure and seamless at the same time:
Feature 0: A customer's device is automatically trusted when they verify their identity, thereby automatically upgraded with 2-step verification by simply signing up
Feature 1: A customer with a trusted device that signs in on a non-trusted device will receive a code on their trusted device
Feature 2: No sign in code is required when a customer signs in on their trusted device
Feature 3: A dedicated account recovery flow enables customers to access their accounts again if they lose their trusted device
Feature 4: For extra security, a trusted device can only be removed while being on a trusted device
Feature 5: To drive the adoption of trusted devices for customers without one, we introduced and explained it to them with a simple guide the first time they signed in again
What I did
I had multiple discovery sessions with our team's product manager to explore various iterations of what the most seamless, yet secure solution could look like.
We mapped out flows in Miro with sticky notes and collaborated closely with engineers to invite early feedback on the cost and impact of various solutions and approaches.
Designs were done in Figma in collaboration with our UX writer and brought back into a Miro flow to make it easier for engineers to refine for delivery.
Due to the way we’ve previously done 2 step verification, I also worked with the PM to define the most optimal launch strategy to reduce the negative impact on customers.
We also held 3 collaborative test parties to make sure the solution is top-notch and ready for launch.
Once launched, we continued to monitor the impact in all our regions through a Looker data dashboard.
The solution made 59% of our customers more secure and reduced the time to sign in by 42%.
Our adoption strategy also proved to be highly effective with an average increase in adoption of ~500% per week at the peak of the rollout.
What we learned & what’s next
Emotions like fear and greed are hardwired in human brains and often inhibit us from keeping our accounts safe. Acknowledging this as the root-cause problem enables us to design and build more proactive solutions, thereby relying less on customers to keep their accounts secure.
There’s a series of solutions that will help us get there, including wider adoption of passkeys, account-based biometrics, and geolocation checks.
This, together with several other things we’ve already done over the past year, has enabled us to reduce the number of compromised accounts dramatically.
Our goal is to have the most seamless, yet secure customer experience at Luno.