As a Lead UX Designer at Google, a company renowned for its cutting-edge technology and services, I was tasked with the challenge of designing an intuitive workflow for unphishable accounts. The focus of this project was on mobile devices, aiming to offer a seamless user experience for securely accessing services and protecting sensitive domains like online banking from phishing attempts. Traditional security protocols utilizing USB devices were not suitable for mobile phones, and existing Near Field Communication (NFC) solutions on Android lacked usability. The objective was to introduce Bluetooth Low Energy (BLE) functionality as an alternative for external authentication, enforcing security keys as a two-step verification method.
The journey began with an in-depth requirements analysis conducted in collaboration with Google's security engineers. By examining both successful and unsuccessful user paths in setting up and authenticating their accounts, I gained invaluable insights into potential pitfalls and areas for improvement.
Our primary user persona represents individuals at high risk for targeted phishing attacks. These could range from public figures and executives to employees responsible for sensitive information. Google employees also utilize this enhanced security measure for accessing secure company resources.
Understanding the different forms of security keys and their corresponding technologies was a crucial step:
- Bluetooth Low Energy (BLE): Offers wireless convenience but requires periodic charging.
- Near Field Communication (NFC): Ensures secure pairing through close proximity but is slightly less convenient.
- USB: Provides straightforward, battery-free operation but may require adapters for certain devices.
I worked closely with security engineers to schematize the system behavior for each type of security key, aiming to agree on all possible scenarios a user might encounter. While the "happy path" is straightforward, the real challenges lie in the numerous edge cases that can arise during a user's initial registration. These edge cases were documented using a UML (Unified Modeling Language) diagram and later utilized to craft design solutions for each specific situation. This approach allowed us to develop intuitive recovery paths for the user in each case.
Informed by the requirements analysis and technology overview, I developed a sign-in flow that accommodates various key types. Every design choice was meticulously documented to offer a comprehensive view of both the administration and end-user experience, taking into account not just the "happy path" but all known edge cases.
The sign-in flow was designed to be both secure and user-friendly, incorporating the following steps:
1. Administration: Account set to "unphishable" status, mandating the use of a security key.
2. Registration: User-guided security key registration process.
3. Pairing: System prompts to initiate the pairing mode on the security key.
4. Sign-In: Implementation of two-step verification for a more secure sign-in process.
To validate the design, we enlisted a designated researcher from Google's research team for guerrilla testing. Setting up a mobile study station at the entry hall of Google headquarters, we engaged employees in real-time testing as they walked in. This immediate feedback allowed for necessary adjustments to be made to the prototype, enhancing its usability.
The project culminated in a successful implementation of the design that addressed various user personas and scenarios. The unphishable account workflow substantially benefits the user by enhancing security measures, particularly against phishing threats. It provides an extra layer of security that not only considers system requirements but also human behavior and potential error, making it a comprehensive solution. The design process, from meticulous requirement gathering to iterative testing, led to a robust system that serves as a benchmark in user-centric security solutions.