UI design
User interview
Customer interview
Stakeholder management
Working with technical limitations
Risk management
Scope management
Duo Security is a leading provider of multi-factor authentication (MFA) solutions that help organizations protect against unauthorized access by requiring users to verify their identity through multiple methods before accessing applications. Duo offers various authentication factors, including WebAuthn methods like biometrics (platform authenticators) and security keys (roaming authenticators), which are highly secure, phishing-resistant, and user-friendly.
Despite the advantages of WebAuthn methods, their adoption among Duo users remains low. The platform WebAuthn method, which allows users to authenticate using built-in biometric features on their devices, is one of the least used Duo authentication factors. Even though 14 million (62%) users have devices equipped with platform authenticators, less than 2% actively use them.
Currently, the only mechanism to encourage users to register these more secure WebAuthn methods is the "Tired of Passwords" experience, which is available exclusively to passwordless users. This approach is too narrow in scope, and the post-enrollment promotion process for these secure methods is labor-intensive and manual.
Our ultimate goal is to drive a 100% WebAuthn future, where WebAuthn methods are universally adopted for their enhanced security and user experience. To move toward this goal, we are developing a policy configuration that encourages users to register a WebAuthn platform authenticator during their authentication flow.
While this initiative is still in development and planned for FY25, its intended impact is to significantly increase the adoption of WebAuthn methods, thereby strengthening overall security and improving the user experience.
I led the project end-to-end, handling user research, stakeholder alignment, feasibility checks, and scope management.
I collaborated with passwordless team designer Cynthia on UI explorations, and she supported the process with insights on passwordless perspectives.
Web design
Passwordless designer
2 engineers
2 product managers
Data science expert
Accessibility expert
Content designers
July - Dec 2023
WebAuthn methods are best-in-class, yet they are the least adopted. 14 million users have a platform authenticator available, but less than 2% of them have used one.
Duo Security is a leading provider of multi-factor authentication (MFA) solutions that help organizations protect against unauthorized access by requiring users to verify their identity through multiple methods. Among these methods are WebAuthn credentials, which include platform authenticators (like biometrics) and roaming security keys. These WebAuthn methods are known for their high security, phishing resistance, and ease of use.
Despite these advantages, the usage of WebAuthn methods remains notably low among Duo users. The platform WebAuthn method, which allows authentication through built-in biometric features on devices, is one of the least used Duo authentication factors. Although overall Duo authentications have increased by 38% over the past year, the adoption of platform WebAuthn methods has not kept pace.
This issue is not due to a shortage of available platform authenticators; in fact, 14 million (62%) users have devices with these authenticators. However, less than 2% of these users have utilized a platform authenticator in the past month.
Given Duo's goal to achieve a 100% WebAuthn future, there is a significant opportunity to address this low adoption rate and further enhance the security and user experience across the platform.
How might we increase the use of platform WebAuthn authentication methods without unnecessarily disrupting the user or customer experience, and expand the experience to work across both PWL and MFA authentications?
Through customer interviews, we discovered that the current process for encouraging users to adopt more secure methods post-enrollment is cumbersome and manual. Customers often resort to sending emails or setting up weekly reminders, which many users tend to ignore. They frequently have to manually identify and remind hundreds of users or escalate the issue to management to ensure secure method registration.
Currently, Duo's authentication flow is divided into two main flows hosted on different domains in the backend: Passwordless (PWL) and MFA. The existing in-product solution, "Tired of Passwords" (ToP), is only available for the PWL flow and lacks configurability. This limitation is problematic because, despite WebAuthn support in MFA, customers have no easy way to prompt users to adopt secure methods. The current ToP configuration often results in missed opportunities to prompt platform authenticator setup and may cause excessive nudging if a roaming authenticator is enabled but not available.
Our challenge is to enhance the adoption of platform WebAuthn methods without disrupting the user or customer experience and to expand the solution to cover both PWL and MFA authentications.
Because of an NDA and because the project is still in development, I am unable to share a detailed, comprehensive process in my portfolio. A brief version of the process is shown below. Please reach out to learn more.
Phase II of the project involves customer configuration
A policy configurable experience allowing customers to prompt their users to register platform authenticators during authentication.
When the policy is enabled and Duo detects that a platform authenticator is available, the user will be prompted to register one (e.g. Touch ID) after they approve their first factor.
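As an added illustration (not Duo's code), the following sketches how a browser-side prompt gate for this policy could be built: the real WebAuthn feature-detection call decides whether a platform authenticator is present, and only that signal, together with the policy switch and the approved first factor, drives the prompt, so an enrolled roaming key that is not plugged in never causes extra nudges. The policy and session field names are assumptions.

```javascript
// Feature-detect a user-verifying platform authenticator (Touch ID, Windows Hello, ...).
// `pkc` defaults to the browser's PublicKeyCredential but is injectable for testing.
async function platformAuthenticatorAvailable(pkc = globalThis.PublicKeyCredential) {
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false; // browser has no WebAuthn support: never prompt
  }
  try {
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch {
    return false; // a detection error is "not available", not a reason to nudge
  }
}

// Decide whether to show the "register a platform authenticator" prompt.
// Field names are assumptions for this example.
function shouldPromptPlatformRegistration({
  policyEnabled,          // customer turned the policy on
  firstFactorApproved,    // prompt only after the first factor succeeds
  platformAvailable,      // result of platformAuthenticatorAvailable()
  hasPlatformCredential,  // user already registered one on this device
}) {
  if (!policyEnabled || !firstFactorApproved) return false;
  if (!platformAvailable) return false;       // nothing to register here
  if (hasPlatformCredential) return false;    // already done, do not nag
  return true;
}

// Glue: evaluate the policy for the current session. Note that roaming-key
// enrolment state is deliberately not an input, so it cannot trigger the prompt.
async function evaluatePrompt(policy, session, pkc) {
  const platformAvailable = await platformAuthenticatorAvailable(pkc);
  return shouldPromptPlatformRegistration({
    policyEnabled: policy.promptPlatformRegistration,
    firstFactorApproved: session.firstFactorApproved,
    platformAvailable,
    hasPlatformCredential: session.hasPlatformCredential,
  });
}
```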