Due to increasing fraud and security risks, Vodafone wanted to move to password-less login for user accounts on the website and app. The solution preferred by the Fraud Team was a ‘magic link’.

A magic link consists of three user steps:
– The user enters their number or email address at login
– If the email address is known, an sms or email is sent with a link
– The user opens their sms or email client, and clicks the link to finish their login

Magic Links also effectively eliminate almost all authentication-related customer support questions (“I forgot my password”, “How can I reset my password?”, etc.).

The Challenges
– Replace a password login that users are comfortable with without causing excess friction, calls to care, or abandonment of use.
– Design a solution that balances user needs, tech limitations, and Fraud requirements

Best practices

Research into login security design and blogs determined best practices to aim for:
– Choice of SMS or Email—Offer a choice of receipt of the link, SMS, or email
– Offer link to choice of mailbox—Lead the user directly to their choice of mailbox app, based on the apps they have installed on their device
– Link expiry—Have some expiration logic for magic links.
– Allow for opening on a different device
– Don’t acknowledge invalid emails/numbers

Pattern research

I used the best practices to assess existing implementations for ideas for our solution.

From this, I worked with the Fraud and dev teams to determine our own secure login user flow, and mapped this for all service journeys to understand key differences, such as NBN and Broadband customers not knowing their mobile number to enter and how they could find it.

Ideation

Using the determined flow and pattern analysis for inspiration, I ran a design jam with the team.

This generated great ideas and insights for developing the UX and UI, such as copy considerations, how to handle user change aversion, unseen unhappy paths, ideas to reduce friction, terminology, etc.

Designing and testing

I designed two prototypes with a goal to test the level of direction and/or simplification the screen could have, including comparing participants for:
– Comprehension of magic link
– Completion of login
– Understanding of which SMS and email are used
– Service variations

Key insights:
– Comprehension of magic link: More detail/explanation was better than less for reducing change shock
– Completion of login: 90% completed with ease, users with English as a second language struggled somewhat, all appreciated the benefit of not needing to remember a password
– Understanding of which SMS and email are used: Most assumed the number the SMS/email was sent to the one ‘associated with the My Vodafone account”
– Service variations: “How do I find my number” was missed, we need to elevate help for nbn/broadband customers

I also assessed the new login experience across various scenarios, for new and existing customers, web and app, post updates, etc.

The copy was extremely important in reducing change aversion and abandonment due to lack of clarity, so I worked vary closely with the copywriter to ensure testing insight was used at every instance of copy along various entry points to the login journey.

After several iterations and playbacks to stakeholders, I developed the final UI.

In conjunction with the user-led design, and utilising a strong pre-launch strategy, the secure link launched with minimal confusion from users and reduced fraud risks.

With fraud concerns changing rapidly, a post-launch pivot required a design iteration ot provide an SMS option only.