BT ID Checker
Context
BT has identified an opportunity to create more awareness around its portfolio of security products by helping people feel safer online. Through the ID checker, people will be able to find the details of data leaks connected to their email addresses and get advice on what to do and what steps to take.
Discovery
Research and Competitors Analysis
I started working on a competitors analysis while some user interviews were being carried out to gather insights around the needs and what level of competency people have around the subject of cybersecurity. The primary needs identified were:
As a customer, I need to feel protected online so that I can use my services without worry.
As a customer, I need to understand what steps I can take in a clear and simple way so that I can improve my online protection.
As a customer, I need to be educated on what threats exist and what the implications are so I can take adequate steps.
These user interviews were important to give me and the content designer a solid ground around the level of understanding people have around cybersecurity, the most appropriate language to use, and to picture a high-level architecture of the user journey from the identification of the threat to its resolution.
The interviews also helped frame a very helpful picture of different types of customers and their behaviour towards cybersecurity:
Carefree and cautious customers don’t necessarily grasp the link between an email address and ID theft
Cybersecurity is not purely about protection, the desire for privacy is an emerging need manifesting in different ways for different types of customers
People are now more concerned about protecting themselves than their equipment.
Ideation
Should we / How might we
Having validated our primary user needs we regrouped to map out all the insights gathered through research and start brainstorming opportunities to tackle in the design phase. We did this through an HMW session where we started jotting down questions and opportunities which we prioritised through dot voting:
HMW encourage repeat use of identity checker so that customers remain secure?
HMW raise awareness for the public/our customers on cyber security so that they feel educated enough to want to take some action?
How might we create awareness around the value of BT cybersecurity through the ID checker?
Our HMW workshop was followed by an ideation session where, as a squad, we came up with some sketches and ideas. Based on these, we started discussing the hypotheses we wanted to test with our first prototype.
Hypotheses
With the ID checker we will make it simple for people to know what personal information linked to their email has been exposed and we will educate them around the steps they need to take to get protected. We will know this to be true when we see more engagement and activations of BT security products. (engaging) *part of second iteration not MVP
People will feel safe about entering their email address because BT is a trusted brand. We’ll know this to be true if we see a good level of CTR from the login page to the ID checker landing page. (trustworthy)
By using a progressive disclosure approach, people will feel more engaged and find the task not overwhelming. We’ll know this to be true when we see a high success rate of task completion. (simple)
By explaining the context around the breach, we will help customers understand the level of severity of such breaches. We’ll know this to be true if during testing we see engagement and interest around it. (educative)
Definition
Flows and Scenarios
Following our sketching session, I took some of the most voted ideas out of the workshop and, based on the hypotheses we formulated, I started mapping high-level flows around all the different scenarios we had to cover. During this phase I worked in close contact with our Solution Architect and 3rd party API provider to understand the limitations and constraints we had, in order to find the most appropriate solutions and deliver a good and comprehensible experience to our users.
There were a lot of questions that we needed clarification on before starting to design (some of them):
Is there an upper limit on the number of email addresses someone can check? Can we restrict it when logged out?
How is our API configured? Can it show passwords appearing in lists of credentials shared on the dark web?
Is there an upper limit to the number of breaches we will let users view?
How dynamic are the results coming from the 3rd party API provider? (Are these increasing each time a new breach takes place?)
The high-level flow would see a BT customer being able to access the new feature through their dashboard and security page (after logging in). Some of the big names in ID check (e.g. HIBP) show the detailed results publicly and others (e.g. F-Secure) use 2FA. For the MVP we had not yet integrated 2FA with the ID checker, but knowing that customers preferred to keep their breached records private, the quickest thing we could do was to present the results only after the login wall. Not the best in terms of privacy but still acceptable as an MVP.
Design and Development
Designs from the 2nd Iteration
After our first round of testing we took our learnings and insights and, with the PO, started mapping out user stories for dev. We worked in Scrum with 2-week sprints. During the development I worked in close contact with developers, actively participating in all ceremonies (sprint planning, demos, refinements, retros).
The feedback from the MVP was quite satisfying, with some interesting data showing that customers felt that their security awareness increased by 70% and with 84% of users confirming that the MVP was simple, easy and efficient to use.
Eventually the ID checker was deprioritised. There were a lot of interesting points which came out of our brainstorming sessions and we learned a lot from our first MVP release that we wanted to bring new features in a new iteration, but a huge replatforming for BT followed.
Draft mapping on Mural of high-level user stories.