In an effort to increase the online security at Yale, the IT team introduced two-factor authentication with an online opt-in process for all its 20,000+ community members. The UX team was in charge of creating, designing, and testing the portal that allows users to opt-in for DUO Everywhere.
This was on the same team as the Yale Single Sign-On project. In fact, this effort was a part of that project. However, this mini-project was spawned and produced in a 2 week period where all hands were on deck and the UX work encapsulated the entirety of my work hours.
Yale was spearheading an effort to improve the online security of the Yale community by introducing two-factor authentication. The issue presented was that most users have used the DUO platform before in a very limited capacity, but we are now forcing them to use it potentially on an everyday basis. The backend technology of this was already set in place, but the security team at Yale reached out to the UX team in regards to the rollout process.
The team was aware of the situation that most of our users are now going to be subject to a slight annoyance whenever they have to log into a Yale-supported application. The team wanted to minimize any possible pain points that the user could run into during this transition period. Another difficult aspect of this effort was the timeframe, we were given a small window of a month to create, test, and ideate a solution to help this issue.
Initially, the team was considering a rollout plan that included putting the Yale community into groups and slowly adding a group at a time into this new security plan. This would essentially force the user into this new experience, then they would get an email explaining what is going to change for them. Instead, the UX team recommended an opt-in system where users would be flagged for opt-in eligibility where they can go to a website, read about what two-factor authentication is, and opt-in themselves.
This opt-in system allowed the user to go at their own pace, give them the opportunity to learn about two-factor authentication and why it is important to the university, and feel empowered opting in themselves rather than being forced into a new system.
Admittedly, two-factor authentication isn't a light topic. We understood the task at hand and attempted to create an experience that a user could scan the page and gain a high level of understanding of what their future holds. We utilized the 5 W’s method which involved what to expect, when will I get prompted, why does this need to happen, and what do I do if I need help?
The opt-in process had a few outcomes depending on the user’s account, which was determined by the back-end system. The UX team made it very clear in our designs that we wanted to make sure the user knew where they were in the process of opting in. As stated in Nielsen Norman 10 Usability Heuristics, the visibility of the system status was important to show to the user. This allowed the user to understand where they are in the process and determine what their next steps are. As shown in the image, we designed our progress meter at the top of the screen to outline the three-step process of opting into DUO.
We learned very quickly that there would be a few different paths for our users based on their past experience, current devices added, and status of opt-in eligibility. To make sure we catch all of our use cases, we created a user flow.
Due to the fact that users in the Yale community have used the DUO system in the past on a much smaller scale, they would possibly already have devices added. In the event that users might want to change or add new devices to make their experience easier, we decided to have the DUO account management page embedded into the review stage (step 2) of the opt-in process.
One issue we ran into was the possibility of a user only having their landline as their DUO device. From a UX perspective, we viewed this as a red flag. With the new experience of having the user needing to use DUO in a bigger capacity, the UX team felt that users should not rely on one landline to authenticate every time they log in to applications. To address this, we recommended a back-end check to see if users fell into this group. We specifically addressed the need to add another device and included recommended user setups that had options that did not include landlines as their primary device.
On the final screen of the opt-in application, we added a user feedback survey where our users rated their experience 1-5 stars and had a text field to provide any additional comments.
Rating: 4.6 Average
Word cloud of feedback:
"Since the launch of DUO Opt-in in 2020, our instances of people using compromised NetIDs have dropped to zero." - Jeremy Rosenberg - Interim Chief Information Security Officer - Yale ITS