Our goals were clear: Reduce account takeovers, fraud investigations, and maintain customer trust. We introduced a login challenge that required users to enter a verification code sent to their email before authenticating into the platform.

My team and I dove straight into concepts and design. When working through the user experience, we wanted to avoid adding unnecessary friction to the login experience.

After collaborating internally, we landed on a solution: After the user enters their login credentials, they're presented with a screen prompting them to check their email for a verification code. Entering the correct code successfully authenticates the user. This solution is seen in many authentication flows, and was proven to work.

In order to reduce unnecessary friction, users were only prompted with the "challenge" if we detected a login from an unknown location, browser, and or IP address.

However, we discovered a larger issue with how customers sign up for their accounts. Many businesses share a login email, which poses a problem for individual users attempting to log in who do not have access to that inbox. In talking with customers, we discovered it would be beneficial to add an option for a verification code to their mobile phones.

More details to come!