UX Design Case Study – HealthCo Two-Factor Authentication

My Role: Senior UX Designer and Product Owner

Industry: Healthcare

The Goal:

HealthCo, a major Michigan healthcare payer, needed to add two-factor authentication and device assessment technology to their existing secure website portal, account registration and user-authentication processes. With account registration and management already a significant pain point for user-account management, a refined and user-friendly user experience design was required.

The Process:

HealthCo needed to add two-factor authentication to their member portal, MyHealthCo, but their already difficult account registration and management processes wouldn’t allow for a bolt-on approach with this new functionality. The current process recycled screens, had incorrect, if any, instructions and no clear indication of where the user was in the process. The entire user experience design for account registration, management and authentication would need to be redesigned.

If this had been a series of simple transactions based around account creation and management, it would have been easy to simply design the flows and work from that; in fact, we tried that. However, what we didn’t know initially was that there was another piece, beyond two-factor authentication, that needed to be built in: device assessments.

It was kind of like a ‘Choose your own adventure’ story in that it needed multiple paths designed and flowed out

Device assessments occur, almost invisibly, prior to kicking off the user experience, but the outcome of the device assessments, in real time, determines the user experience path that each user is sent down. It was kind of like a ‘Choose your own adventure’ story in that it needed multiple paths designed.

This wasn’t a problem, but we didn’t anticipate it when we started looking at the overall user experience design.

From a user research perspective, there wasn’t anything out of the ordinary. HealthCo’s standard user personas still applied; we had use-cases for new account creation, updating passwords, email addresses, phone numbers, etc. However, what we didn’t know was how the user would navigate the various paths depending on how their device was assessed, which was really the x-factor for the entire user experience design.

Device assessment errors could inadvertently block a user’s device completely, so we had to design a series of ‘emergency exits’ to prevent this

The design and development teams worked to sketch out a variety of user flows, trying to find all the possible variables based on what information we might receive from the device assessments, as well as creating new user experience flows for all aspects of account creation and management. Along with this, the device assessment vendor had undergone some organizational changes and couldn’t always give us technical direction for their errors, which could effectively ban a user from the site, so we had to design a series of ‘emergency exits’ to assist the user should they run into false positive issues with the device assessment.

Once we had all of the flows mocked up, we created paper prototypes and began rigorous user experience testing and research with the flows. It took us several iterations per flow to begin to nail down how we would create a high-fidelity design that the development team could code to. In the course of this, while building consensus, we also did quite a bit of usability testing to ensure that the interfaces, as well as the overall experience, were straightforward.

After a lot of testing, we handed off our mockups to the development team and they went to work coding and creating the high-fidelity user experience design. Once that was complete, we started another cycle of user experience and usability testing and readied the new user experience flows, two-factor authentication and device assessment for release.

The team put a lot of work and thought into how to make the user experience for 2-factor authentication, device assessment and account creation and management as seamless and user-friendly as possible. The proof was in the pudding when on the first day of a quiet launch there wasn’t a single issue with account creation or account management reported to the contact center or the helpdesk, an issue that could happen as many as ten times on the slowest day.

The team was able to create the best kind of user experience, the one nobody notices

The Win:

This was an operational, and not very glamorous, information security change that could have had very negative ramifications for the overall user experience, to say nothing of actively preventing people from accessing MyHealthCo to get access to their accounts and healthcare information.

However, the thing that makes this case study stick out for me is that with a series of simple and straightforward research and prototyping techniques the team was able to create the best kind of user experience, the one nobody notices.

I have omitted and obfuscated confidential and proprietary information in this case study.