Design a Multi factor authentication app for the visually challenged.

Asked at Microsoft
1.6k views
Answers (4)

Gold PM

Here's the best structure I can think of for this Microsoft product design PM interview question.

Clarify and scope the problem:

Visually challenged - is that low vision or a complete lack of vision? Do we need to consider any other special needs like hearing, or physical impairments like movement of hands or fingers, ability to sit, etc.?

MFA app - to be clear, are you talking about MFA apps that are used to generate an OTP, or a fingerprint-based secondary/tertiary auth method? How many levels of auth - 2FA, 3FA or more? Most consumer apps that use MFA are designed for 2FA.

Is it for Android or iOS - any preference?

Summary of problem statement - design a 2FA mobile app for visually impaired users (no vision); the user has the ability to hear and no other significant disabilities.

Define goals and constraints:

Goals of the app:

- user experience: make it easier for smartphone users with visual impairment to securely access their applications without the risk of identity leakage

- revenue: the MFA app will be licensed/sold to application providers who are creating applications (e.g. online banking, shopping) designed for people with visual disabilities.

For this exercise, let's focus on the user experience for a visually impaired person. If the MFA app can differentiate itself on how simple it makes the auth workflow for the user while maintaining high security standards, then there is a higher possibility of the app succeeding and making more money.

Constraints - assuming we are not working with any constraints at this time around resources or time. The MFA app is a smartphone app, so the design has to take into account the capabilities of existing smartphones.

User segmentation: As previously discussed, there are a few user groups that I can think of in the visually impaired category:

- people with low vision and no other disabilities

- people with no vision and no other disabilities

- people with no vision and other disabilities like lack of hearing, and other physical impairments 

For this exercise, I'll focus on people with no vision and no other disabilities. This user group cannot see, but they can hear and respond to audio through speech or hand gestures.

The reason I am picking this user group is that there are quite a few solutions already available for people with low vision (like special templates with colour contrasts, special fonts, etc.) to allow them to comprehend through sight.

The last category would probably require specialized devices, and current smartphones may not work at all for these users. Since the app needs to be designed in the context of existing smartphones, I chose not to pick this user group.

User Journey and Pain Points

The user needs to set up their MFA app, select their preferred authentication methods, and store their credentials if needed (e.g. fingerprint, or secret questions).

The user's journey for using the MFA app will depend on how the app that requires MFA is set up. I can think of 2 possible scenarios:

Scenario 1:

1. The user needs to log in to a mobile banking app which requires 2FA.

2. The user logs in to the mobile banking app using their username and password.

3. If the first login is successful, the user is redirected to the MFA app for secondary login.

4. The user accesses the MFA app and provides secondary login information within the MFA app - this could be things like a fingerprint, a one-time password generated by the MFA app, secret questions or a confirmation (e.g. "yes, it's me!").

5. If 2FA is successful, login is considered successful and the user is directed to the mobile banking app.

Scenario 2:

1. The user needs to log in to a mobile banking app which requires 2FA.

2. The user logs in to the mobile banking app using their username.

3. The mobile banking app redirects the user to the MFA app.

4. The user accesses the MFA app and provides primary login credentials within the MFA app - this could be things like a password, a fingerprint, or a one-time password generated by the MFA app. Once that's successful, the MFA app asks for secondary login information, which could again be a fingerprint, secret questions or a confirmation (e.g. "yes, it's me!").

5. If 2FA is successful, login is considered successful and the user is directed to the mobile banking app.

Scenario 1 is more likely, because highly secure app providers keep primary authentication with them, as it gives them the ability to change MFA providers without impacting end users significantly. Primary auth can also be used to reset secondary auth credentials like secret questions.

Pain points or challenges to solve for:

1. MFA setup: knowing how to download the app, set up their profile, pick the desired auth method from the list of methods acceptable to the mobile banking app, and set up the auth.

2. Step 3: knowing when the user has been redirected to the MFA app and from which app (the mobile banking app in this case).

3. Step 4: knowing the MFA app layout and the options available for secondary login, picking the right option, entering the information from the MFA app into the mobile banking app (e.g. OTP), and acknowledgement that the information was accepted.

4. Step 5: knowing that the secondary login information was correct and accepted by the mobile banking app; knowing that the user has been redirected back to the mobile banking app; knowing the layout of the mobile banking app after redirection.

5. The user needs to know when the MFA app is not working and why (e.g. due to app backend issues or expired credentials). The user needs to know what to do next if the issue is on the user side (e.g. update credentials).

Possible solutions and evaluation:

| # | Action | Impact to user | Effort to implement |
|---|--------|----------------|---------------------|
| 1 | MFA app setup | High | Low - voice-activated app search, installation and setup is available in all smartphones by default |
| 2 | Redirection between apps | High | Low - voice-activated workflow whenever the user switches from the banking app to the MFA app and back |
| 3 | Using the MFA app - fingerprint, confirmation ("yes, it's me!"), where no data is required to be taken from the MFA app and entered into the banking app (like an OTP) | High | Low - voice-activated implementation for the user to scan their fingerprint or tap twice anywhere on the screen to confirm authentication |
| 4 | Using the MFA app - OTP that requires the user to read the OTP from the MFA app and enter it into the banking app within a fixed time period | Low | High - this type of auth method is not suitable for this user group, as it requires switching between apps multiple times. Apps have different layouts and it can be quite complex to ensure that the user does not hit a corner case |
| 5 | Acknowledgement when login is successful | Low | Low - once the user has logged in and is redirected back to the mobile banking app, the banking app itself will voice-activate and tell the user whether they have logged in or not, based on the banking app's layout. An additional acknowledgement within the MFA app after login is successful and before the user is redirected to the banking app is a nice-to-have feature |
| 6 | Error conditions - when the MFA app has problems (backend service is down, credentials have expired) | High | Low - voice-activated notification to the user if the app service is down or if the credentials have expired. Step-by-step guided workflow to reset credentials and proceed with the login workflow |
| 7 | Error conditions - when login fails due to incorrect credentials | High | Low - voice-activated notification that explains why login failed (e.g. the finger needs to be pressed harder for the scan to happen properly) |

 

 

3 likes
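The "yes, it's me!" confirmation that the answer above prefers over a copied OTP (row 3 versus row 4 of its table) can be built as a signed challenge-response between the banking backend, the MFA service and the MFA app. The Python below is an added illustration written for this page; it is not code from the answer or from any Microsoft product, and the service names, the 60-second challenge lifetime, the HMAC-based device key, the app id "ExampleBank" and the user "alice" are all constructed for the example. It walks through Scenario 1 and shows why an approval cannot be replayed, used after it expires, or transferred to another app; the reason strings are what the MFA app would read aloud to cover pain points 4 and 5.

```python
import hashlib
import hmac
import json
import secrets

# Assumed for the example: how long a pending "is this you?" request stays valid.
CHALLENGE_TTL_SECONDS = 60


def sign_approval(device_key: bytes, challenge_id: str, user_id: str, app_id: str) -> str:
    """HMAC-SHA256 over the challenge, the user and the requesting app.

    Binding app_id into the signed message means an approval collected for one
    app cannot be presented as an approval for another.
    """
    msg = json.dumps({"c": challenge_id, "u": user_id, "a": app_id}, sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class MfaBackend:
    """Server side of the hypothetical MFA service."""

    def __init__(self):
        self._device_keys = {}  # user_id -> secret enrolled by the MFA app at setup
        self._pending = {}      # challenge_id -> (user_id, app_id, issued_at)

    def enroll_device(self, user_id: str) -> bytes:
        # Generated once during MFA setup; the MFA app keeps it in the device
        # keystore and the server keeps a copy to verify approvals.
        key = secrets.token_bytes(32)
        self._device_keys[user_id] = key
        return key

    def create_challenge(self, user_id: str, app_id: str, now: float) -> str:
        # Called by the banking backend after the password step succeeded
        # (Scenario 1, step 3); the id is what the MFA app is redirected with.
        challenge_id = secrets.token_hex(16)
        self._pending[challenge_id] = (user_id, app_id, now)
        return challenge_id

    def verify_approval(self, challenge_id: str, user_id: str, signature: str, now: float):
        """Return (ok, reason); the reason is what the MFA app reads aloud."""
        record = self._pending.get(challenge_id)
        if record is None:
            return False, "unknown_or_already_used_challenge"
        pending_user, app_id, issued_at = record
        if pending_user != user_id:
            return False, "user_mismatch"
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            del self._pending[challenge_id]
            return False, "expired"             # user must restart the sign-in
        key = self._device_keys.get(user_id)
        if key is None:
            return False, "no_enrolled_device"  # credentials missing: re-run setup
        expected = sign_approval(key, challenge_id, user_id, app_id)
        if not hmac.compare_digest(expected, signature):
            return False, "bad_signature"
        del self._pending[challenge_id]         # single use, so a replay fails above
        return True, "approved"


class MfaApp:
    """Device side: speaks the prompt and only signs once the user has confirmed."""

    def __init__(self, user_id: str, device_key: bytes):
        self.user_id = user_id
        self._device_key = device_key

    @staticmethod
    def spoken_prompt(app_id: str) -> str:
        return f"{app_id} is asking you to approve a sign-in. Double-tap anywhere to confirm, or swipe to reject."

    def approve(self, challenge_id: str, app_id: str, user_confirmed: bool):
        if not user_confirmed:
            return None  # nothing leaves the device on a rejected prompt
        return sign_approval(self._device_key, challenge_id, self.user_id, app_id)


def run_scenario() -> dict:
    """Walk through Scenario 1 and its failure cases with constructed data."""
    backend = MfaBackend()
    app = MfaApp("alice", backend.enroll_device("alice"))
    t0 = 1_700_000_000.0  # constructed clock value

    cid = backend.create_challenge("alice", "ExampleBank", now=t0)
    sig = app.approve(cid, "ExampleBank", user_confirmed=True)
    fresh = backend.verify_approval(cid, "alice", sig, now=t0 + 5)
    replay = backend.verify_approval(cid, "alice", sig, now=t0 + 6)

    cid2 = backend.create_challenge("alice", "ExampleBank", now=t0)
    sig2 = app.approve(cid2, "ExampleBank", user_confirmed=True)
    late = backend.verify_approval(cid2, "alice", sig2, now=t0 + CHALLENGE_TTL_SECONDS + 1)

    cid3 = backend.create_challenge("alice", "ExampleBank", now=t0)
    sig3 = app.approve(cid3, "OtherShop", user_confirmed=True)
    wrong_app = backend.verify_approval(cid3, "alice", sig3, now=t0 + 1)

    cid4 = backend.create_challenge("alice", "ExampleBank", now=t0)
    rejected = app.approve(cid4, "ExampleBank", user_confirmed=False)

    return {"fresh": fresh, "replay": replay, "late": late,
            "wrong_app": wrong_app, "rejected": rejected}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The design choice worth noting is that the user never copies anything between apps: the only user action is the double-tap, and every check (expiry, single use, app binding, key possession) happens server-side, so the spoken failure reason can be specific enough for a non-sighted user to know whether to retry, restart the sign-in, or redo setup.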
Gold PM

Multi-factor authentication refers to multiple forms of identification of a user to provide access to a service.

Clarifications/assumptions:

1. What is the multi-factor authentication used for? Is it used by an existing app/product to authenticate a registered user? - Yes

2. Which device - mobile or web-based? Let's assume this is for an app on a mobile device. Further, I'll talk in terms of iOS devices (it has ~60% market share in the US, which is the market I assume we are targeting initially). Android should have similar setups.

3. Visually challenged can mean having partial vision or being completely blind. For the sake of clarity, I will assume the latter.

User groups:

1. Blind kids (age 5-12 years)

2. Adults (age 13-50)

3. Senior citizens (> 50 years)

I would like to focus on user group #2 for the reasons below:

--considering uniform population distribution, this age group would cover the largest chunk

--kids and senior citizens are dependent on adults even for daily chores, so a blind person in these groups would find a mobile device all the less appealing

User journey:

A blind individual will rely on senses apart from vision, i.e. voice, sound and touch, to access the mobile app.

1. Enable a voice assistant (typically a click of a side bar or "Hey Siri" on iOS)

2. Say "open xyz", where xyz = the app that uses authentication

3. The user gets authenticated by the app (multi-factor)

4. The user gets access to the app

Possible methods to authenticate the user for #3 in the user journey:

| Sr. No | Method | Ease of use | Security level offered | Implementation effort |
|--------|--------|-------------|------------------------|-----------------------|
| 1 | Face ID | H | H (this is a strength of iOS devices and has been optimized at the highest level) | L (in-built solution) |
| 2 | Security questions | H | M-L (since voice will be used to set up and answer security questions, anybody overhearing can gain access) | M |
| 3 | Fingerprint authentication | H | VH | VH |
| 4 | Last login date and time - the user will be prompted to mention the last login date and approximate time of day when the app was accessed | H | H | |

Based on the evaluation criteria (ease of use, security level, effort), I'll build the MVP for multi-factor authentication using methods #1, 2 & 4. Method #3 (fingerprinting) can be put in the product backlog and take a strategic route when there are no constraints on timeline/resources.

Trade-offs:

--Face ID at times fails to detect the user in dark spaces

--since security questions depend on pre-recorded voice answers, they can be overheard. This can be handled by the app by asking the user to periodically change the security questions and answers (like a password reset)

Metrics:

North-star metric: # of unauthorized accesses = 0 (zero tolerance to identity theft)

Secondary metric: % of failed login attempts < say, 5%

Impact metrics: 

Retention - churn rate < say, 5% (users should not find the authentication process cumbersome)

0 likes
Gold PM

Multi-factor authentication refers to multiple forms of identification of a user to provide access to a service.

Clarifications/assumptions:

1. What is the multi-factor authentication used for? Is it used by an existing app/product to authenticate a registered user? - Yes

2. Which device - mobile or web-based? Let's assume this is for an app on a mobile device. Further, I'll talk in terms of iOS devices (it has ~60% market share in the US, which is the market I assume we are targeting initially). Android should have similar setups.

3. Visually challenged can mean having partial vision or being completely blind. For the sake of clarity, I will assume the latter.

User groups:

1. Blind kids (age 5-12 years)

2. Adults (age 13-50)

3. Senior citizens (> 50 years)

I would like to focus on user group #2 for the reasons below:

--considering uniform population distribution, this age group would cover the largest chunk

--kids and senior citizens are dependent on adults even for daily chores, so a blind person in these groups would find a mobile device all the less appealing

User journey:

A blind individual will rely on senses apart from vision, i.e. voice, sound and touch, to access the mobile app.

1. Enable a voice assistant (typically a click of a side bar or "Hey Siri" on iOS)

2. Say "open xyz", where xyz = the app that uses authentication

3. The user gets authenticated by the app (multi-factor)

4. The user gets access to the app

Possible methods to authenticate the user for #3 in the user journey:

| Sr. No | Method | Ease of use | Security level offered | Implementation effort |
|--------|--------|-------------|------------------------|-----------------------|
| 1 | Face ID | H | H (this is a strength of iOS devices and has been optimized at the highest level) | L (in-built solution) |
| 2 | Security questions | H | M-L (since voice will be used to set up and answer security questions, anybody overhearing can gain access) | M |
| 3 | Fingerprint authentication | H | VH | VH |
| 4 | Last login date and time - the user will be prompted to mention the last login date and approximate time of day when the app was accessed | H | H | |

Based on the evaluation criteria (ease of use, security level, effort), I'll build the MVP for multi-factor authentication using methods #1, 2 & 4. Method #3 (fingerprinting) can be put in the product backlog and take a strategic route when there are no constraints on timeline/resources.

Trade-offs:

--Setup for multi-factor authentication methods will require user training

--Face ID at times fails to detect the user in dark spaces

--since security questions depend on pre-recorded voice answers, they can be overheard. This can be handled by the app by asking the user to periodically change the security questions and answers (like a password reset)

Metrics:

North-star metric: # of unauthorized accesses = 0 (zero tolerance to identity theft)

Secondary metric: % of failed login attempts < say, 5%

Impact metrics: 

Retention - churn rate < say, 5% (users should not find the authentication process cumbersome)

0 likes