Yale DUO Opt-In
Designing a user-centered approach to implementing two-factor authentication at Yale University
Project Overview
To improve online security at Yale, the IT team planned to launch a two-factor authentication requirement for all of its 20,000+ community members. The UX team was responsible for consulting on the rollout and for designing, testing, and iterating on any front-facing solution it involved.
Problem Statement
As members of the Yale community, our interactions with Yale's online services were going to become more cumbersome and challenging due to the implementation of two-factor authentication.
This effort was motivated by a lack of guidance on rolling out two-factor authentication at the university level. The original plan would require users to adapt to the new experience with minimal support, which could lead to confusion, resistance, and security risks.
Process
Original Plan
Initially, the team considered a rollout plan that involved dividing the Yale community into groups and gradually adding each group to the new security plan. This approach would require users to adapt to the new experience on their own, and the only communication they would receive was an email warning them of the upcoming change.
Competitive Analysis
As part of our research, the UX team conducted a competitive analysis of other universities that had implemented a similar two-factor authentication service. We found that most universities embedded the DUO authentication inside a university-themed webpage. This approach was visually appealing and reinforced user confidence that the service was university-approved, encouraging them to eventually opt in.
Solution Strategy: The Illusion of Choice
Our first recommendation was an opt-in system where users are flagged for opt-in eligibility. They can then visit a website to learn about two-factor authentication and opt in at their own pace. This system provides users with the opportunity to learn about two-factor authentication and understand its importance to the university. They can then feel empowered to opt in themselves, rather than being forced into a new system.
Research & Analysis
Studied other universities' implementations and conducted user interviews to understand concerns and challenges.
Strategy Development
Created the opt-in approach to give users more control and transparency in the process.
Design & Prototyping
Developed wireframes and prototypes of the opt-in process with clear system status indicators.
User Testing
Conducted testing to identify edge cases and improve the user flow.
Implementation & Feedback
Launched the system with built-in feedback mechanisms to iterate and improve.
Design Considerations
System Status Visibility
The opt-in process had different outcomes depending on the user's account, which was determined by the back-end system. To ensure that users were aware of their progress in the opt-in process, the UX team made it clear in our designs that we needed to show users where they were in the process. As stated in Nielsen Norman's 10 Usability Heuristics, it is important to display the system status to the user, which allows them to understand their position in the process and determine their next steps.
To this end, we designed a progress meter at the top of the screen that outlines the three-step process of opting into DUO.

User Preparation
Admittedly, two-factor authentication is not a light topic. However, we have attempted to create a user-friendly experience that provides a high level of understanding of what to expect. We utilized the 5 W's method to guide our approach: What to expect, when will I be prompted, why does this need to happen, and what to do if you need help.
Edge Cases Through User Testing
Through user testing, we discovered that users could take different paths based on experience, devices, and eligibility. To cover all use cases, we created a comprehensive user flow.
To simplify DUO account management, we embedded it into the opt-in process at the review stage. However, we encountered an issue with users who only had a landline as their DUO device. Although the requirement was to have at least one active device, the idea of that one device being an office landline, when the majority of workers are now working from home, raised a major red flag. To improve this specific use case, we recommend implementing a back-end check and suggesting alternative device setups.

Solution
The team's solution to the two-factor authentication rollout was to create an opt-in webpage where users could choose when to start their new security experience. The page also let them manage their devices, since they might already be using the two-factor platform DUO.
- The opt-in system provided users with the opportunity to learn about two-factor authentication and understand its importance to the university.
- Users could feel empowered to opt in themselves, rather than being forced into a new system.
- By implementing this approach, the UX team was able to provide users with a user-friendly experience that offered a high level of understanding and prepared them for what to expect during the process.
Results & Impact
User Feedback
In the final screen of the opt-in application, we included a user feedback survey where users could rate their experience from 1 to 5 stars and provide additional comments in a text field.
Word Cloud of Positive Feedback
"Since the launch of DUO Opt-in in 2020, instances of people using compromised NetIDs have dropped to zero."
- Jeremy Rosenberg, Interim Chief Information Security Officer, Yale ITS
Lessons Learned
Through the process of designing and launching the opt-in system for DUO authentication, the UX team at Yale learned several valuable lessons:
Empowerment Through Choice
One of the key takeaways was the importance of providing users with choice and control over their experience. By creating an opt-in system, users were able to feel empowered and educated about the new security measures being implemented.
Edge Case Consideration
The team learned the importance of considering edge cases in the design process. Through user testing, they discovered that users could take different paths based on their devices and eligibility. This led to the creation of a user flow to cover all use cases and the implementation of a back-end check to suggest alternative device setups for users who only had a landline as their DUO device.
The Value of User-Centered Design
Overall, the Yale DUO Opt-In project demonstrated the value of a user-centered design approach and the importance of considering the needs and experiences of all users, even in complex and technical projects.