Scaling Security at Cashrewards

Following recent security incidents, Cashrewards launched the Security Program of Work with aims to strengthen account protection while maintaining usability. Key priorities included implementing Multi-Factor Authentication (MFA) and making mobile numbers mandatory for all accounts to reduce unauthorised access risks and enhance user trust.

By embedding security within the existing user experience, the initiative strived to balance compliance, fraud prevention, and ease of access, while ensuring security measures supported both users and business operations.

Focus: Security Experience Design
Duration: April - September 2024

Goals & Objectives

Business Objectives

✅ Strengthen account security by ensuring all users have a verified mobile number linked for the introduction of MFA.

💡 Enhance user trust and experience by integrating security features without unnecessary friction.

📈 Support business growth by aligning security improvements with operational efficiency, reducing fraud-related risks.

Design Goals

🔄 Introduce MFA within the existing user journeys for authentication and high-risk actions, while minimising friction wherever possible.

📱 Implement mandatory mobile collection for existing and new users in line with security enhancements.

📣 Proactively communicate security updates to the Cashrewards user base through phased education and clear messaging.

HMW

How might we reduce the risk of unauthorised access and fraud while maintaining a seamless user experience?

Research & Insights

Kicking off the research phase, I audited existing authentication practices in the Cashrewards platform and found that email-only authentication was the primary method of user verification. This approach was insufficient, exposing vulnerabilities that allowed bad actors to access cashback balances, customer data, and the newly introduced online gift cards.

Additional data revealed that over 30% of user accounts lacked a verified mobile number, further highlighting gaps in account security. This insight informed the design direction to introduce Multi-Factor Authentication (MFA) using SMS One-Time Passcodes (OTP), requiring users to verify their identity via a linked mobile number before accessing sensitive account features. This implementation needed to accommodate both existing users without linked mobiles and capture new users signing up to ensure wide adoption.

I conducted a competitive analysis to benchmark Cashrewards against industry standards in account security. Among the companies that had implemented MFA, those that successfully balanced security and usability stood out, strengthening account protection and enhancing user trust. In contrast, poorly integrated MFA often led to friction and increased user drop-off. A key learning was that a progressive approach, such as clear, contextual prompts and educational messaging, improved adoption and gave users greater confidence in the added security measures.

To better understand operational pain points, I worked closely with the Member Services team on internal interviews to gather insights from security-related support tickets. A key finding was that the lack of linked mobile numbers led to time-consuming manual verification processes, often requiring back-and-forth communication to confirm user identities and investigate unverified access.

With the planned introduction of new security measures, there was concern about a potential increase in support enquiries, which could negatively impact cost-to-serve metrics. As a result, a core objective of the program was to strike a balance between minimising ticket volume and maintaining user support. This led to the exploration of opportunities such as clearer in-product messaging, self-serve support options, phased roll-outs and proactive education to reduce dependency on Member Services.

Collectively, these insights shaped a multi-layered design response aimed at strengthening account security across the Cashrewards platform - all within a tight 6-month timeframe. Rather than a single solution, the program required coordinated, design-led interventions across multiple touchpoints to balance security, usability and operational efficiency.

Key Solutions

Rather than following a traditional step-by-step design process, this initiative required an iterative and collaborative approach, balancing security enhancements with usability, business needs and technical constraints. The following highlights key design implementations that contributed to the success of the Security Program of Work.

Driving Mobile Adoption for Security

To prepare for the introduction of MFA and strengthen account security, mobile number verification was introduced through a phased rollout. The experience evolved from light-touch notifications to a mandatory full-screen prompt at sign-in. Each phase was designed to balance urgency with flexibility, guiding users through the change while minimising disruption to their shopping journey.

Securing the Sign-up Flow for SSO Accounts

A critical compliance gap in the sign-up flow allowed users registering through Google, Apple, or Facebook to bypass mobile verification. To address this, the flow was redesigned to capture mobile numbers across all SSO entry points. The updated experience balanced platform constraints with a low-friction onboarding process, resulting in higher verification rates and a more secure sign-up journey.

Introducing MFA for Sensitive Features

Access to sensitive features, including password resets and stored gift cards, was previously secured through email-only verification. To reduce risk, SMS-based MFA was added to high-risk actions using a modular OTP flow. The design aligned with user expectations by placing verification at natural friction points, improving account recovery success while supporting platform-wide consistency.
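The SMS OTP step-up described here and in the research section (verifying a linked mobile before a sensitive action) can be illustrated in code. The block below is an added example written for this page; it is not Cashrewards' implementation and the page does not describe their code. The TTL, attempt cap, action names, mobile number and the `send_sms` callable are assumptions. It shows the properties a defender wants from such a flow: the code is stored only as an HMAC, it is bound to one user and one action so a code issued for a password reset cannot unlock stored gift cards, it expires, it is single-use, and repeated wrong guesses invalidate it.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical policy values; the page does not state the real settings.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300        # a code stays valid for five minutes
MAX_ATTEMPTS = 3             # wrong guesses before the code is discarded


@dataclass
class Challenge:
    """One outstanding OTP, bound to a (user, action) pair."""
    code_hash: bytes
    issued_at: float
    attempts: int = 0


@dataclass
class StepUpVerifier:
    """Issues and verifies SMS OTPs for high-risk actions.

    `send_sms` stands in for an SMS gateway (assumed, so the example runs
    offline); `clock` is injectable so expiry can be tested deterministically.
    """
    send_sms: Callable[[str, str], None]
    clock: Callable[[], float] = time.time
    _secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _challenges: dict = field(default_factory=dict)

    def _hash(self, user_id: str, action: str, code: str) -> bytes:
        # Only an HMAC of the code is kept. Mixing user and action into the
        # message binds the code to exactly one sensitive operation.
        msg = f"{user_id}|{action}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, mobile: str, action: str) -> None:
        """Generate a fresh code for (user, action) and send it to the linked mobile."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[(user_id, action)] = Challenge(
            code_hash=self._hash(user_id, action, code), issued_at=self.clock())
        self.send_sms(mobile, f"Your verification code is {code}")

    def verify(self, user_id: str, action: str, code: str) -> tuple:
        """Return (ok, reason). A successful, expired or locked challenge is removed."""
        key = (user_id, action)
        ch = self._challenges.get(key)
        if ch is None:
            return False, "no_challenge"
        if self.clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[key]
            return False, "expired"
        ch.attempts += 1
        # Constant-time comparison of the stored and submitted HMACs.
        if not hmac.compare_digest(ch.code_hash, self._hash(user_id, action, code)):
            if ch.attempts >= MAX_ATTEMPTS:
                del self._challenges[key]
                return False, "locked"
            return False, "wrong_code"
        del self._challenges[key]          # single use
        return True, "ok"


class FakeClock:
    """Manually advanced clock for offline demonstration."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Run the flow against constructed input and return every outcome."""
    outbox = []                                         # captured 'SMS' messages
    clock = FakeClock()
    v = StepUpVerifier(send_sms=lambda to, body: outbox.append((to, body)), clock=clock)
    user, mobile = "user-1", "+61400000000"             # constructed sample values
    results = {}

    v.issue(user, mobile, "password_reset")
    code = outbox[-1][1].split()[-1]
    results["cross_action"] = v.verify(user, "view_gift_cards", code)   # wrong action
    results["correct"] = v.verify(user, "password_reset", code)
    results["replay"] = v.verify(user, "password_reset", code)          # already used

    v.issue(user, mobile, "password_reset")
    code = outbox[-1][1].split()[-1]
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)   # guaranteed incorrect
    for _ in range(MAX_ATTEMPTS):
        last = v.verify(user, "password_reset", wrong)
    results["locked"] = last

    v.issue(user, mobile, "password_reset")
    code = outbox[-1][1].split()[-1]
    clock.advance(OTP_TTL_SECONDS + 1)
    results["expired"] = v.verify(user, "password_reset", code)
    return results
```

Binding the action into the HMAC message is what makes the flow "modular" in a safe way: the same OTP component can sit in front of password resets, gift-card access or any other high-risk step without a code issued for one being accepted by another.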

Establishing a Unified Error System

Inconsistent error messaging made it difficult for users to understand issues and slowed down support resolution. A streamlined error code system was introduced to improve clarity while protecting sensitive information. Codes were integrated into existing UI patterns to maintain a simple, secure experience across the platform.
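A small added example of the idea above (not code from the case study or from Cashrewards): a stable error catalogue whose codes are safe to show users, with internal detail kept server-side under a reference the support team can look up. The catalogue entries, code names and log format are constructed for illustration. Two points matter for security: a failed sign-in returns the same code whether the account is missing or the password is wrong, so the message does not confirm whether an email is registered; and an unexpected exception is never echoed to the client, since its text can carry queries, file paths or personal data.

```python
import logging
import secrets

# Constructed catalogue of stable codes and user-safe messages (illustrative,
# not the platform's real codes).
ERROR_CATALOGUE = {
    "AUTH-001": "We couldn't sign you in. Please check your details and try again.",
    "OTP-002": "That verification code didn't work. Please request a new code.",
    "OTP-003": "Too many attempts. Please wait a few minutes before trying again.",
    "SYS-999": "Something went wrong on our end. Please try again shortly.",
}
FALLBACK_CODE = "SYS-999"


class AppError(Exception):
    """Raised by application code with a catalogue code and an internal detail.

    `detail` is for engineers and Member Services; it must never reach the client.
    """
    def __init__(self, code: str, detail: str):
        super().__init__(detail)
        self.code = code
        self.detail = detail


def to_user_response(exc: Exception, log: logging.Logger) -> dict:
    """Translate any exception into a client-safe payload.

    The client sees the stable code, the catalogue text and a random reference.
    The internal detail (and, for unexpected exceptions, the exception type) is
    logged under that same reference so a support ticket can be matched to it.
    """
    reference = secrets.token_hex(4).upper()
    if isinstance(exc, AppError) and exc.code in ERROR_CATALOGUE:
        code, detail = exc.code, exc.detail
    else:
        # Unknown failure: do not forward str(exc) to the user.
        code, detail = FALLBACK_CODE, f"unhandled {type(exc).__name__}: {exc}"
    log.warning("ref=%s code=%s detail=%s", reference, code, detail)
    return {"code": code, "message": ERROR_CATALOGUE[code], "reference": reference}


def demo() -> list:
    """Run three constructed failures through the mapper and return the payloads."""
    log = logging.getLogger("error-code-example")
    failures = [
        # Same code for 'unknown email' and 'wrong password': the response does
        # not reveal which one happened.
        AppError("AUTH-001", "no account for alice@example.com"),
        AppError("AUTH-001", "password mismatch for uid=1042"),
        ValueError("unexpected column in query: mobile_number"),
    ]
    return [to_user_response(f, log) for f in failures]
```

The reference id is what lets a short, generic message coexist with fast support resolution: the user quotes the code and reference, and the agent finds the full detail in the server log without it ever having been displayed.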

Learnings

📚 Learning a new domain quickly is just as critical as solving for users.
None of us had prior experience designing for security, but we hit the ground running: adapting quickly to legal, technical, and risk frameworks, while still advocating for user experience. This required close collaboration with Product, Engineering, IT, Member Services, and Legal teams to make informed design decisions.

🔒 Strong security shouldn’t come at the cost of user experience.
A key challenge was striking the right balance between strengthening security and maintaining a seamless user experience. With new features introducing friction, even in small ways, my focus was on minimising disruption while guiding users with clarity. By rolling out designs in phases and layering in contextual education, we supported user adoption without overwhelm.

🧠 Auditing what already exists is just as important as designing what's new.
The Security Program consisted of multiple initiatives delivered in parallel. Mapping out the full end-to-end security experience gave a bird's-eye view that let us streamline logic and reduce friction, while ensuring each step added value without bloating the user journey.

⚖️ Design decisions in security must balance effort, risk, and usability.
Every decision came with trade-offs between business risk, technical effort, and user experience. I mapped multiple design paths and presented them to stakeholders across departments, helping the team prioritise lightweight solutions that still addressed key security needs. Early alignment with engineering surfaced constraints before they became blockers.

Opportunities for Future Improvement

  • Establish a dedicated security team to scale with the company’s growth.
    Security was treated as a short-term program of work, but as the product and user base grow, there’s a need for ongoing security ownership. A dedicated team would allow for proactive monitoring, iterative improvements, and a more strategic, long-term approach - shifting from reactive fixes to integrated protection that evolves with the platform.

  • Modernise underlying systems to unlock more scalable security design.
    Working within legacy architecture limited what we could implement. Modernising backend systems and infrastructure would enable us to adopt external tools, reduce complexity, and build more adaptable, future-proof security experiences, ultimately improving speed, stability, and design flexibility.

Final Thoughts

Delivered within six months, the Security Program of Work laid the foundation for a more resilient and user-friendly account protection system. Rather than applying quick fixes, we approached security as a connected system: considering how authentication, recovery, and risk mitigation could support each other at scale.

From introducing MFA for high-risk actions to streamlining mobile verification and auditing outdated flows, each implementation balanced security, usability, and support needs. This reduced the risk of unauthorised access, improved account recovery, and created a more consistent, scalable approach to secure user journeys.