Instructions on how to set up 2-factor authentication with google authenticator or authy.
Mobile friendly instructions on how to set up 2-factor authentication with Google Authenticator or Authy.
Mobile friendly instructions on how to set up 2-factor authentication with Google Authenticator or Authy.
Mobile friendly instructions on how to set up 2-factor authentication with Google Authenticator or Authy.
A pop up letting people know that for legal reasons they need to set up 2-factor authentication.
A pop up letting people know that for legal reasons they need to set up 2-factor authentication.
A card prompting people to set up 2-factor authentication with an email code.
A card prompting people to set up 2-factor authentication with an email code.
A card prompting people to set up 2-factor authentication with an SMS code.
A card prompting people to set up 2-factor authentication with an SMS code.
A card prompting people to set up 2-factor authentication with an authenticator app.
A card prompting people to set up 2-factor authentication with an authenticator app.
A card prompting people to set up 2-factor authentication with an authenticator app.

Trust, Time, and Money—
the Cost of Deprioritising Usability

Top-down project ↓

Top-down project ↓

Top-down project ↓

2-factor authentication

2-factor authentication

2-factor authentication

InfoSec team

InfoSec team

InfoSec team

B2C + B2B

B2C + B2B

B2C + B2B

Timeline: 5 months (3 months full-time, then 2 months part-time post-launch)

Timeline:
5 months (3 months full-time, then 2 months part-time post-launch)

User: West African individuals and businesses making payments to other countries

User:
West African individuals and businesses making payments to other countries

Photo of christian harries, senior product designer, the guy who this site is about.

1x Product Design

Photo of product manager Charles, he's available to work.

1x PM

Photo of the Infosec manager I worked with.

1x InfoSec

Photo of Deepika Adusumilli, chief product officer.
Photo of Callum Dryden, chief technical officer.

2x Leadership

Problem

Scope creep

Tough decisions

Too secure?

V.1 Complexity

Cultural differences

V.2 Small tasks

Done VS Perfect

Working VS Done

Deprioriting usability

Reflection

The Problem

African businesses have lost tens of thousands of dollars using foreign exchanges that promise cheap rates and quick transfers. To show people they can trust us with their money, we comply with the Financial Conduct Authority’s regulations. In January 2020, we learned about the FCA’s push for mandatory two-factor authentication when logging in and making transactions. As this project wouldn't make money it was delayed until January 2021. We thought three months would be plenty of time to deliver a secure and user-friendly solution. This, it would turn out, would come back to bite us later.

African businesses have lost tens of thousands of dollars using foreign exchanges that promise cheap rates and quick transfers. To show people they can trust us with their money, we comply with the Financial Conduct Authority’s regulations. In January 2020, we learned about the FCA’s push for mandatory two-factor authentication when logging in and making transactions. As this project wouldn't make money it was delayed until January 2021. We thought three months would be plenty of time to deliver a secure and user-friendly solution. This, it would turn out, would come back to bite us later.

African businesses have lost tens of thousands of dollars using foreign exchanges that promise cheap rates and quick transfers. To show people they can trust us with their money, we comply with the Financial Conduct Authority’s regulations. In January 2020, we learned about the FCA’s push for mandatory two-factor authentication when logging in and making transactions. As this project wouldn't make money it was delayed until January 2021. We thought three months would be plenty of time to deliver a secure and user-friendly solution. This, it would turn out, would come back to bite us later.

Three Unexpected Requirements Increased the Scope

Login page for a legacy product that needed to be updated.

Even if few people use it, legally, it must have two-factor authentication.

Login page for a legacy product that needed to be updated.

Even if few people use it, legally, it must have two-factor authentication.

Login page for a legacy product that needed to be updated.

Even if few people use it, legally, it must have two-factor authentication.

All three of our products (including a legacy one) must have mandatory two-factor authentication — triple the engineering work!

All three of our products (including a legacy one) must have mandatory two-factor authentication — triple the engineering work!

All three of our products (including a legacy one) must have mandatory two-factor authentication — triple the engineering work!

Transactions must be verified with a unique 2FA code — this required upgrading our architecture.

Transactions must be verified with a unique 2FA code — this required upgrading our architecture.

Transactions must be verified with a unique 2FA code — this required upgrading our architecture.

If people hadn’t set up 2FA by April 2021, they couldn’t make new transactions or view their financial info — an extra use case to design and build.

If people hadn’t set up 2FA by April 2021, they couldn’t make new transactions or view their financial info — an extra use case to design and build.

If people hadn’t set up 2FA by April 2021, they couldn’t make new transactions or view their financial info — an extra use case to design and build.

Tight Deadline, Tough Decisions

Sketches of how backup codes and not needing to enter a 2-factor authentication code could look.

Two ways to improve logging in, deprioritised because of time.

Sketches of how backup codes and not needing to enter a 2-factor authentication code could look.

Two ways to improve logging in, deprioritised because of time.

Sketches of how backup codes and not needing to enter a 2-factor authentication code could look.

Two ways to improve logging in, deprioritised because of time.

As front-end devs weren't free for half the project, to ensure we hit the April deadline, we made three decisions:

Prioritise back-end work

We could still make valuable progress by completing the API endpoints and architecture for sending unique transaction 2FA codes.

Prioritise back-end work

We could still make valuable progress by completing the API endpoints and architecture for sending unique transaction 2FA codes.

Prioritise back-end work

We could still make valuable progress by completing the API endpoints and architecture for sending unique transaction 2FA codes.

MVP now, iterate later

Two ways we planned to make logging in easier were to let people log in with backup codes and not need to enter a 2FA code for 90 days. To ensure we delivered on time, we prioritised the essentials using the MoSCoW method.

MVP now, iterate later

Two ways we planned to make logging in easier were to let people log in with backup codes and not need to enter a 2FA code for 90 days. To ensure we delivered on time, we prioritised the essentials using the MoSCoW method.

MVP now, iterate later

Two ways we planned to make logging in easier were to let people log in with backup codes and not need to enter a 2FA code for 90 days. To ensure we delivered on time, we prioritised the essentials using the MoSCoW method.

Deadline flexibility

The InfoSec manager assured us that as long as we’re making progress, the FCA should be happy. We still wanted to launch by April, though.

Deadline flexibility

The InfoSec manager assured us that as long as we’re making progress, the FCA should be happy. We still wanted to launch by April, though.

Deadline flexibility

The InfoSec manager assured us that as long as we’re making progress, the FCA should be happy. We still wanted to launch by April, though.

Too Secure to Be User-Friendly

Sketches of how people could set up 2-factor authentication on an authentication app.

Mobile constraint: Phones can’t scan QR codes on their own screens.

Sketches of how people could set up 2-factor authentication on an authentication app.

Mobile constraint: Phones can’t scan QR codes on their own screens.

Sketches of how people could set up 2-factor authentication on an authentication app.

Mobile constraint: Phones can’t scan QR codes on their own screens.

The most secure way of logging in is with a two-factor authentication code from an authentication app. When Engineering and InfoSec pitched this as the sole way to log in, the customer service team pushed back.

Most of our West African users:

Don’t know how to use an authentication app (user testing later proved this was true). They’re used to getting codes via SMS or email.

Don’t know how to use an authentication app (user testing later proved this was true). They’re used to getting codes via SMS or email.

Don’t know how to use an authentication app (user testing later proved this was true). They’re used to getting codes via SMS or email.

Can’t install apps on their company smartphones without their bosses’ permission and help from the IT team.

Can’t install apps on their company smartphones without their bosses’ permission and help from the IT team.

Can’t install apps on their company smartphones without their bosses’ permission and help from the IT team.

Make time-sensitive transactions. If the person who set up 2FA on their phone was busy, away, or left the company, it would cause issues.

Make time-sensitive transactions. If the person who set up 2FA on their phone was busy, away, or left the company, it would cause issues.

Make time-sensitive transactions. If the person who set up 2FA on their phone was busy, away, or left the company, it would cause issues.

To make logging in both a secure and user-friendly experience, people could choose whether they wanted to log in with an email or app 2FA code. With so many stories about SMS not being secure, we decided not to offer it.

Explaining Things Raised More Questions Than It Answered

Design showing what each 2-factor authentication method does or doesn't allow people to do.

Lesson learned: Don’t burden people with the system’s complexity.

Design showing what each 2-factor authentication method does or doesn't allow people to do.

Lesson learned: Don’t burden people with the system’s complexity.

Design showing what each 2-factor authentication method does or doesn't allow people to do.

Lesson learned: Don’t burden people with the system’s complexity.

In a paragraph of text, we explained why people had to set up 2FA, because of the FCA’s “Strong Customer Authentication” (SCA) requirement. People either hadn’t read this, were confused, or wanted to know more.

“What is the SCA? I don’t understand why you need me to do this.”

“What is the SCA? I don’t understand why you need me to do this.”

“What is the SCA? I don’t understand why you need me to do this.”

To keep secure, people couldn’t log in with an SMS 2FA code. To keep legally compliant, they couldn’t verify transactions with an app 2FA code.

The first design used ticks and crosses to show which methods people could use and when. In practice, this just confused them. They thought the ticks and crosses meant they had or hadn’t completed certain steps.

Different Cultures, Different Expectations

Designs before and after getting user feedback.

For busy West African businessmen, a little guidance goes a long way!

Designs before and after getting user feedback.

For busy West African businessmen, a little guidance goes a long way!

Designs before and after getting user feedback.

For busy West African businessmen, a little guidance goes a long way!

To reduce cognitive load when setting up 2FA, we showed each option as small, clickable cards.

When they got to this step, they took a few seconds to decide which one they wanted to set up, then they did nothing.

“What do I do? How do I get to the next step?”

“What do I do? How do I get to the next step?”

“What do I do? How do I get to the next step?”

Turns out they were expecting two things: instructions and visual cues.

Without calls to action, they didn’t realise they could tap a card to go to the next step; they thought the cards were just purely visual.

Many Small Tasks Are Easier Than Fewer Big Ones

Designs showing the two step process to set up 2-factor authentication with an authenticator app.

More steps = less cognitive load = better UX!

Designs showing the two step process to set up 2-factor authentication with an authenticator app.

More steps = less cognitive load = better UX!

Designs showing the two step process to set up 2-factor authentication with an authenticator app.

More steps = less cognitive load = better UX!

Having rewritten the text to be shorter and clearer, redesigned the setup page to hide the system’s complexity and added calls to action so people knew what to do at each step, when we tested again, most people were happy with the end-to-end flow. The one outlier: setting up app 2FA.

To set up app 2FA on desktop, people had to scan the QR code, then enter the app’s 2FA code back on the product. We thought having both steps on one page would save time; in practice, too much info on the page overwhelmed people.

To reduce cognitive load, we created another version with the steps split over two pages: 1) Scan the QR code, and 2) enter the app’s 2FA code.

People said they preferred the option with fewer steps as it was quicker. Interestingly, though, the 2-step version was quicker to complete and had higher completion rates.

People said they preferred the option with fewer steps as it was quicker. Interestingly, though, the 2-step version was quicker to complete and had higher completion rates.

People said they preferred the option with fewer steps as it was quicker. Interestingly, though, the 2-step version was quicker to complete and had higher completion rates.

Done Is Better Than Perfect

The meme image of a a motorway sign with the straight arrow saying "user friendly solution" and the right arrow saying "next feature". The car is cropped out of the image.
The meme image of a a motorway sign with the straight arrow saying "user friendly solution" and the right arrow saying "next feature". The car is cropped out of the image.

One month before the deadline, we had a solution that everyone was happy with.

It met the FCA’s legal requirements, kept people’s data secure, and was user-friendly. As the project’s scope grew larger than expected, to ensure we shipped on time, we made the tough decision to de-prioritise usability.

Often, when designers push for a good user experience, they do it to reduce risk. If people couldn’t log in or create transactions because 2FA was too complex, the cost would be more than just revenue; it would be our reputation.

Ultimately, the decision came down to two points:

The need to make money

Even with a flexible deadline, by shipping quicker, we could move to the next revenue-generating project.

The need to make money

Even with a flexible deadline, by shipping quicker, we could move to the next revenue-generating project.

The need to make money

Even with a flexible deadline, by shipping quicker, we could move to the next revenue-generating project.

Decision makers didn’t have issues using 2FA, so why would users?

Customer Service could help resolve any minor issues, and we could always make improvements over time.

Decision makers didn’t have issues using 2FA, so why would users?

Customer Service could help resolve any minor issues, and we could always make improvements over time.

Decision makers didn’t have issues using 2FA, so why would users?

Customer Service could help resolve any minor issues, and we could always make improvements over time.

Additionally, to make sure people knew what changes were coming, when, and why, the Customer Service team told people in advance. They even helped some people set up 2FA so they wouldn’t run into any issues when it became mandatory.

Having de-prioritised usability, we launched mandatory 2FA on time and considered the project over. It wasn’t until a few days later that we saw the cost of deprioritising usability.

Working is better than done

On April 1st, people logged in to find they couldn’t make transactions until 2FA was set up. When they tried to set it up, they found they couldn’t for three reasons:

App 2FA confused them —It was new and complex to learn.

App 2FA confused them —It was new and complex to learn.

App 2FA confused them —It was new and complex to learn.

Some people didn’t get SMS codes —AWS sent them, but some networks didn’t support receiving them.

Some people didn’t get SMS codes —AWS sent them, but some networks didn’t support receiving them.

Some people didn’t get SMS codes —AWS sent them, but some networks didn’t support receiving them.

People either didn’t get email codes, or they’d expired by the time they got them.

People either didn’t get email codes, or they’d expired by the time they got them.

People either didn’t get email codes, or they’d expired by the time they got them.

People were frustrated; they had wanted security but not if it made their life more difficult. As their transactions were time-sensitive, and to avoid them using another company, for the next few weeks, Account Managers worked late to make their transactions manually.

Trust, Time, and Money — the Cost of Deprioritising Usability

Screenshot of companies that have lost money due to deproritising usability. One examples includes Hewlett-Packard Co losing 160 million dollars because of problems with their enterprise resource planning system.

“Software Hall of Shame” list, compiled by Robert N. Charette, author of “Why Software Fails”

Screenshot of companies that have lost money due to deproritising usability. One examples includes Hewlett-Packard Co losing 160 million dollars because of problems with their enterprise resource planning system.

“Software Hall of Shame” list, compiled by Robert N. Charette, author of “Why Software Fails”

Screenshot of companies that have lost money due to deproritising usability. One examples includes Hewlett-Packard Co losing 160 million dollars because of problems with their enterprise resource planning system.

“Software Hall of Shame” list, compiled by Robert N. Charette, author of “Why Software Fails”

When a startup is pushing to become profitable, it’s tempting to move fast and improve later. With salaries, maintenance, and various other costs eating up revenue, good usability can be seen as a nice-to-have.

The 2005 report “Why Software Fails” notes that 50% of developers time is spent on rework. The cost of fixing production errors is roughly 100 times more than fixing them beforehand. We learned this firsthand.

The 2005 report “Why Software Fails” notes that 50% of developers time is spent on rework. The cost of fixing production errors is roughly 100 times more than fixing them beforehand. We learned this firsthand.

The 2005 report “Why Software Fails” notes that 50% of developers time is spent on rework. The cost of fixing production errors is roughly 100 times more than fixing them beforehand. We learned this firsthand.

To rebuild trust, we fixed the most important bugs, created a troubleshooting PDF guide, and built the design people were happy with. While the initial launch was rough, when we fast-forward to 2024, people now have very few problems logging in and making transactions with 2FA.

4 Years Wiser — If I Did This Project Today

Hey it's me again, I hope you enjoyed this story. If you have any suggestions to make this site more accessible I'd love to know. +447803373248, once more 447803373248.
Hey it's me again, I hope you enjoyed this story. If you have any suggestions to make this site more accessible I'd love to know. +447803373248, once more 447803373248.
Hey it's me again, I hope you enjoyed this story. If you have any suggestions to make this site more accessible I'd love to know. +447803373248, once more 447803373248.

Looking back on my current experience as a senior product designer, if I were to do this project again, there would be a few things I’d do differently:

Show the financial cost of bad usability — People not being able to log in or make transactions is a bad user experience; them leaving out of frustration costs the business a large amount of recurring revenue.

Show the financial cost of bad usability — People not being able to log in or make transactions is a bad user experience; them leaving out of frustration costs the business a large amount of recurring revenue.

Show the financial cost of bad usability — People not being able to log in or make transactions is a bad user experience; them leaving out of frustration costs the business a large amount of recurring revenue.

Don’t just build fast, fail fast—With more time to test, we would’ve found critical bugs earlier and shown the financial cost of not fixing them.

Don’t just build fast, fail fast—With more time to test, we would’ve found critical bugs earlier and shown the financial cost of not fixing them.

Don’t just build fast, fail fast—With more time to test, we would’ve found critical bugs earlier and shown the financial cost of not fixing them.

When things go wrong, a good team will learn from their mistakes. While the goal was still to become profitable, we would do so by building a good product that people could trust.

Got another 5 min?

Screenshot of the redesigned onboarding page.

Reducing anti-money laundering checks from 2 weeks to 2 days

Bottom-up project ↑

B2C + B2B

Compliance + Sales teams

“Wow we’re asking them for a lot, do we really need to ask them for this much?”

Photo of the compliance officer I worked with.

Ijeoma Uzowuru, Group Head FCC / Risk/ Compliance Operations

Screenshot of the redesigned onboarding page.

Reducing anti-money laundering checks from 2 weeks to 2 days

Bottom-up project ↑

B2C + B2B

Compliance + Sales teams

“Wow we’re asking them for a lot, do we really need to ask them for this much?”

Photo of the compliance officer I worked with.

Ijeoma Uzowuru, Group Head FCC / Risk/ Compliance Operations

Screenshot of the redesigned onboarding page.

Reducing anti-money laundering checks from 2 weeks to 2 days

Bottom-up project ↑

B2C + B2B

Compliance + Sales teams

“Wow we’re asking them for a lot, do we really need to ask them for this much?”

Photo of the compliance officer I worked with.

Ijeoma Uzowuru, Group Head FCC / Risk/ Compliance Operations

Screenshots of the design components made for the first version of the design system.

From pixel pushers to problem solvers, how a design system broke siloed teams

Bottom-up project ↑

DesignOps

Front-end + Product teams

75%

of front-end code didn’t match tickets acceptance criteria.

200%

a product that took 6 months to build, now would take 3 months

Screenshots of the design components made for the first version of the design system.

From pixel pushers to problem solvers, how a design system broke siloed teams

Bottom-up project ↑

DesignOps

Front-end + Product teams

75%

of front-end code didn’t match tickets acceptance criteria.

200%

a product that took 6 months to build, now would take 3 months

Screenshots of the design components made for the first version of the design system.

From pixel pushers to problem solvers, how a design system broke siloed teams

Bottom-up project ↑

DesignOps

Front-end + Product teams

75%

of front-end code didn’t match tickets acceptance criteria.

200%

a product that took 6 months to build, now would take 3 months

Let's connect

Download C.V.

Christian Harries © 2025 (and beyond)

Let's connect

Copy email

11 years broken down

2-8 min design articles

Casual design musings

Outside of design

Download C.V.

Christian Harries © 2025 (and beyond)

Let's connect

Copy email

11 years broken down

2-8 min design articles

Casual design musings

Outside of design

Download C.V.

Christian Harries © 2025 (and beyond)

Create a free website with Framer, the website builder loved by startups, designers and agencies.