
Textura Two Factor Authentication

Project Overview

Textura CPM accounted for 60% of Textura’s revenue; it is a payment management and processing software that stores sensitive banking information for thousands of companies and subsidiaries. With that in mind, when it was discovered that a hacker came close to breaking in and stealing account information, the decision was made to hide banking information and add two-factor authentication as a security measure.

In order for this process to work we needed to capture every admin user’s cell phone number, or in the 5% of cases where there was no cell phone we captured a landline number that can be called with a security code.

Note: CPM was an existing application before I worked on it; all of the screen designs were already in place. My designs consisted of the modals/page overlays as well as the user flows.

Process

My first step was to research how different banks handle their two-factor authentication processes. In fact, I used my own bank and set it up on a few extra devices in order to capture their process. Once I had an idea what my basics were I worked with my manager, the lead database architect for CPM, to create a series of user scenarios for how to capture a user’s information and when to set up roadblocks.

Project Elements

Process Screens –  Shows all the screens and designs that went into creating the project.

Element Descriptions –  This is a list of the various stages and steps in the process I put together for the developers so they would know which element goes with which scenario.

Outcome

The Roadblock

The first goal was to capture the user’s phone number. A week before the two-factor authentication went live we worked with marketing and customer service to send out an email warning users what was coming. 


When a user first logs into CPM they are presented with the modal below; we intentionally set it up as a roadblock. There was no corner “X” to close the modal. The only way out was to enter a phone number or click “Remind Me Later.”

The Roadblock: Phone Number Error

We wanted to make sure the user enters the correct number, which is why we ask them to enter it twice. If they enter the wrong number they are presented with an error message and they can correct the numbers.

Verify Identity

Once the user enters a matching number they are presented with an option to receive a verification code via text message or by a voice call for those who do not have cell phones. Also, there is an additional opportunity for the user to update their phone number if they entered the wrong number.

Message Received

In an effort to make the process realistic I included a phone screenshot.

Enter Security Code

Once the user receives their security code they can enter it to add their phone to the verification process.

Security Expired

The user has 15 minutes to enter their code; if they fail to enter it within the time limit they must request a new code. When they click “Get New Code” they are taken back to the “Verify Identity” screen and run through the process again.

Two-Step Verification Successfully Added

Once the user’s phone number has been verified they will see this success screen.

Edit Banking Info

In order to protect sensitive information all banking details are hidden until the user verifies their identity. If the user does not have their verification phone number set up they must first run through the “Roadblock” screens and set up a new number. Once the number has been verified they will then be able to view/edit the banking information.

Verify Identity

If a user tries to edit their banking information they are required to verify their identity. The screen they see is the same as the above “Verify Identity” screen with one distinct difference: the phone numbers are hidden as a security measure.

Enter Security Code

Identity Successfully Verified

Enter Security Code Error

If a user enters the wrong code, they see this screen and have four more chances to enter the correct code. They always have the option to “Get New Code.”

Failed Verification

If the user fails to enter the correct verification code after five attempts they must request a new code altogether. Once they request a new code they can repeat the process.
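
The code rules described above (15-minute expiry, five attempts, then a new code) can be sketched as server-side state, shown here as an added example that is not CPM's or Textura's code. The class and method names, the six-digit code length and the single-use behaviour are assumptions, since the page does not state them.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # page: the user has 15 minutes to enter the code
MAX_ATTEMPTS = 5            # page: after five failed attempts a new code is required
CODE_DIGITS = 6             # assumption: the page does not state the code length


class Challenge:
    """One issued security code plus the state needed to judge each attempt."""

    def __init__(self, now=None):
        self.issued_at = time.time() if now is None else now
        # secrets draws from the OS CSPRNG so codes are not predictable
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.failed = 0
        self.used = False

    def attempts_left(self):
        return MAX_ATTEMPTS - self.failed

    def verify(self, submitted, now=None):
        """Return 'ok', 'wrong', 'expired' or 'locked'.

        'wrong'   -> "Enter Security Code Error" screen
        'expired' -> "Security Expired" screen
        'locked'  -> "Failed Verification" screen
        'expired' and 'locked' both require "Get New Code", i.e. a new Challenge.
        """
        now = time.time() if now is None else now
        # Assumption: a code is single-use, so a verified challenge is closed too.
        if self.used or self.failed >= MAX_ATTEMPTS:
            return "locked"
        if now - self.issued_at > CODE_TTL_SECONDS:
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.used = True
            return "ok"
        self.failed += 1
        return "locked" if self.failed >= MAX_ATTEMPTS else "wrong"
```

The attempt counter and expiry live with the challenge on the server, so reloading the page or reopening the modal does not reset them; only requesting a new code does.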

Lost Phone

If a user loses their phone or wants to edit their phone number they must contact client/customer service in order to add a new number. This was a security concern that came up; this allows customer service to verify the user before updating their account information.

Lost Phone Client Services View

When the user calls in this is the view the customer service employee sees when resetting a phone number.

Lost Phone Part 2

After the client services admin resets the user’s phone number the user is then told to refresh the page. When the page is refreshed they see the Lost Phone Two Factor setup. Once they enter a number and start the process they follow the same steps shown at the top of the page.

