Introducing MFA for Sensitive Features
Access to sensitive features, including password resets and stored gift cards, was previously secured through email-only verification. To reduce risk, SMS-based MFA was added to high-risk actions using a modular OTP flow. The design aligned with user expectations by placing verification at natural friction points, improving account recovery success while supporting platform-wide consistency.


Strengthening Protection for Sensitive Features
The previous method of verifying users for account recovery and access to sensitive features relied solely on email authentication. This posed a growing security risk, especially as account balances and customer data became more valuable with the introduction of online gift cards. To address this, we introduced SMS-based MFA for high-risk actions, including password resets and access to stored gift cards.



Designing for Security Without Friction
The goal was to strengthen account security while keeping the user experience as frictionless as possible. With a tight six-month timeframe to uplift our security posture, we opted for an SMS-based OTP flow over more complex solutions like biometrics. I worked closely with engineers to audit existing flows, identify gaps and determine where MFA could be integrated without disrupting the user journey. Placement of the OTP steps was informed both by technical constraints and user behaviour patterns, ensuring verification occurred at the right moment to feel expected and purposeful.



Creating a Familiar, Scalable Flow
The final OTP flow was designed to be modular and to align with industry standards: a six-digit code is sent to the user’s verified mobile number, and access is granted on successful entry. This consistent security pattern was intended to build user familiarity and trust for high-risk actions across the Cashrewards platforms.
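As an added illustration of the server side of such a flow (example code written for this page, not Cashrewards' implementation), the block below models the OTP challenge behind one high-risk action: a random six-digit code is issued for a verified phone number and a named action, and verification only succeeds for that action, within a time limit, within an attempt limit, and once. The five-minute expiry, the five-attempt lock, the in-memory store and the `sent_messages` list standing in for the SMS gateway are all assumptions made so the example runs offline.

```python
"""Model of a six-digit SMS OTP step guarding a high-risk action.

Added example, not Cashrewards code. The SMS gateway is replaced by an
in-memory `sent_messages` list so the flow can be exercised offline.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed: a challenge locks after five wrong entries


@dataclass
class Challenge:
    user_id: str
    code: str
    phone: str
    action: str          # e.g. "password_reset" or "view_gift_cards"
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing expiry
        self._challenges: dict[str, Challenge] = {}
        # (phone, message body) pairs; stands in for the SMS gateway
        self.sent_messages: list[tuple[str, str]] = []

    def start(self, user_id: str, verified_phone: str, action: str) -> str:
        """Issue a challenge bound to one user, one phone and one action."""
        # secrets.randbelow is unpredictable; zero-pad so the code keeps six digits
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(
            user_id, code, verified_phone, action, self._clock() + OTP_TTL_SECONDS
        )
        self.sent_messages.append((verified_phone, f"Your verification code is {code}"))
        return challenge_id

    def verify(self, challenge_id: str, submitted: str, action: str) -> tuple[bool, str]:
        """Return (granted, reason). Every failure path is distinct for logging."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return False, "unknown_challenge"
        if ch.consumed:
            return False, "already_used"       # codes are single-use
        if self._clock() > ch.expires_at:
            return False, "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return False, "locked"             # stops online guessing of the code
        if action != ch.action:
            return False, "wrong_action"       # a reset code cannot unlock gift cards
        ch.attempts += 1
        # constant-time comparison avoids leaking how many digits matched
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            return False, "invalid_code"
        ch.consumed = True
        return True, "ok"
```

The reason strings are the point for operations: a spike in `invalid_code` or `locked` on one phone number or one IP is the detection signal for a guessing attempt, while `wrong_action` catches a code being replayed against a different feature than the one it was issued for. A production service would also rate-limit `start` per user and per phone number so the SMS channel itself cannot be abused.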



Impact
📈 60% conversion rate for account recovery following 2FA verification
📤 Reduced reliance on email-only authentication for sensitive actions
🔐 Strengthened protection for stored value and personal data
🧱 Built platform-wide consistency for security interactions