American Society of Composers, Authors and Publishers (ASCAP)
At ASCAP, I worked on one of the first information security measures for our members: our Designated Users section.
THE PROBLEM
In an effort to increase security and protect member data, we wanted to discourage our members from sharing credentials and encourage them to add authorized users, or as we call them--Designated Users. But before doing so, it was critical that we take a look at the current state of our Designated Users section. It was important for us to do our due diligence regarding current user permissions, including their ability to create inquiries and change payment information, and their overall user experience.
THE GOAL
The goal is to create a layered defense and make it more difficult for an unauthorized person to access an account.
THE PROCESS
DISCOVERY
Our discovery revealed some scary stuff--
- Only about 42% of our Designated Users are active--that means 24% of them have never logged in and 34% haven't logged into their account for 18 months. Inactive accounts may become targets for attackers to compromise. If these accounts have weak or reused passwords, attackers can exploit them to gain unauthorized access to the website or associated services.
Although we already had another modal making sure their information was up to date, our developers had trouble making quick changes to that modal (such as adding a cell phone number field). I suggested that instead of making the fields editable right within the modal, we simply provide a link that takes them to the area where they can make the necessary changes.
BEFORE
AFTER
USERFLOWS
The 2FA options offered to a user are the email address and/or phone number listed in their user account. If a user cannot authenticate using one of those two options, the only secure way to access their account is by contacting the organization.
DESIGN
Based on the userflows, we concluded that the setup interface should allow users to:
- Select one of the existing authentication methods.
- Update their email or phone number.
- Skip enrollment until 2FA is mandatory.
And for the security screen:
- User can enter the security code and then click Verify.
- User can click "Remember this device" (saves the device for 90 days).
- User can click "Resend Code" if they did not receive a code or need a new one.
- User can click "Click here" to get instructions on next steps if they do not have access to the selected authentication method.
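The security screen described above, as an added illustration rather than ASCAP's own code: a small Python model of the server-side state behind it (a single-use code, a limited number of guesses, "Resend Code" issuing a fresh code, and a "Remember this device" token that expires after 90 days). The 10-minute code lifetime and five-attempt limit are assumptions; the page does not state them.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(minutes=10)   # assumption: the page gives no code lifetime
MAX_ATTEMPTS = 5                   # assumption: the page gives no guess limit
REMEMBER_TTL = timedelta(days=90)  # "Remember this device" lifetime from the page


class TwoFactorChallenge:
    """State behind one security screen: one live code, a guess budget,
    'Resend Code' and a single-use verify."""

    def __init__(self, now=None):
        self.attempts = 0
        self.resend(now)

    def resend(self, now=None):
        # A new code replaces the old one and restarts the expiry clock.
        now = now or datetime.now(timezone.utc)
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.expires = now + CODE_TTL
        return self.code  # delivered by SMS/email in practice, never shown to the caller

    def verify(self, submitted, now=None):
        now = now or datetime.now(timezone.utc)
        # Expired code or exhausted guess budget: refuse without comparing.
        if now >= self.expires or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # Constant-time comparison so response timing does not leak code digits.
        ok = hmac.compare_digest(submitted.encode(), self.code.encode())
        if ok:
            self.expires = now  # a code is single-use: burn it on success
        return ok


def issue_remember_token(now=None):
    """Issued after a successful verify when the user ticks 'Remember this device'.
    The server stores token -> expiry; the browser keeps the token in a secure cookie."""
    now = now or datetime.now(timezone.utc)
    return secrets.token_urlsafe(32), now + REMEMBER_TTL


def remembered_device_valid(stored_expiry, now=None):
    # A remembered device skips the code prompt only until its 90-day expiry.
    now = now or datetime.now(timezone.utc)
    return now < stored_expiry
```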
Were we able to accomplish the prerequisite for 2FA?
For collecting cell phone numbers prior to launching 2FA, we set a goal of 20%. By the end of September, we collected 27%. For getting emails to be verified, we set a goal of 30% and we achieved 39% by December.
2FA Enrollment and Adoption
For 2FA setup and adoption, ~56% of users enrolled in 2FA (41,251 out of 73,752). We had a 97%-99% 2FA authentication success rate.
What was the impact on our support team?
Post-launch, we only had 22 calls/inquiries related to 2FA--that's 0.08% (Oct 25 - Nov 28). 14 of the calls were from members who really needed their hands held throughout the entire process; it wasn't just one specific reason. We had only 4 members who were designated users/members sharing login credentials and were locked out for this reason.
Learnings and Next Steps
Some things we have learned from this project:
- Cell phone is the preferred method of authentication for users with both a cell phone and an email.
- Low engagement with the FAQ suggests that users understand the feature.
- Low engagement with "update contact information" may reflect the effectiveness of the earlier deployed modal collecting cell phone numbers and emails.
Next steps include looking into making 2FA mandatory and also a way to bypass 2FA entirely--but is this safe? Stay tuned!