It was time for a design update, and it brought about a major concern as I began thinking about the new look and feel.  While updating the experience is important, we needed to focus on the security of our users' information.

When I began to think about the login experience of our clients (our clients meaning those of SynerMed, the company I worked for at the time), I must say that initially I was only drawn to the interface and interactions.  Working in the medical industry places an added need for proper security practices when designing something as simple as a login page.

After doing some research on user security and best security practices, I provided my team with some documentation to illustrate how I thought the flows should work.  Below is the documentation I presented.

Updating Security Practices

This was an example of how to capture email addresses, update security questions, and passwords for all users.  It was suggested to present the user with this flow after logging into our online web application.  Tone and copy were going to be key in the success of this campaign, so users wouldn’t feel dragged down by having their login process disrupted.

The use of authentication codes via email was a new approach that initially got some pushback, but after some explaining our director ultimately left the decision in our hands.  Utilizing this technique allowed the user to complete the security campaign without ever leaving the browser tab they logged into.

Forgetful Passwords

Once we started talking about making it a requirement for every active user to have an email address associated with their account, we needed to explore all of the potential scenarios that one could encounter when logging in.

Being in the health care industry, you can run into malicious users wanting access to sensitive patient information.  This was a concern when going through this flow.  Having email-level authentication aids in further securing the account and helps when you may forget your password.  We didn't want to show any success messages pertaining to a user's email address.

What's my username again?

One of the most straightforward processes, no need to explain here.  No confirmations, just an email sent.
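The forgot-password and forgot-username flows above share one rule: the page never confirms whether an email address is on file, and the emailed authentication code is the only thing that proves the request was legitimate. The following is an added illustration of that rule, not code from the SynerMed application; the user store, mail outbox, code length, time-to-live and attempt limit are all constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed stand-ins for the application's database and mail gateway.
USERS = {"alice": {"email": "alice@example.com"}}
PENDING = {}   # username -> {"code", "expires", "attempts"}
OUTBOX = []    # (recipient, code) pairs the mail gateway would send
CODE_TTL = 600        # assumed: codes live ten minutes
MAX_ATTEMPTS = 5      # assumed: a six-digit code must not be guessable
GENERIC_REPLY = "If an account matches, instructions were sent to the email on file."


def _lookup(identifier: str):
    """Match a username or email address; return the username or None."""
    ident = identifier.strip().lower()
    for name, rec in USERS.items():
        if ident in (name.lower(), rec["email"].lower()):
            return name
    return None


def request_reset(identifier: str, now: float = None) -> str:
    """Issue a one-time code if the account exists; reply identically either way."""
    now = time.time() if now is None else now
    user = _lookup(identifier)
    if user is not None:
        code = f"{secrets.randbelow(10**6):06d}"
        PENDING[user] = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
        OUTBOX.append((USERS[user]["email"], code))
    # The same message for known and unknown identifiers, so the response
    # cannot be used to learn which email addresses are registered.
    return GENERIC_REPLY


def verify_code(username: str, submitted: str, now: float = None) -> bool:
    """Accept a code once, within its TTL, and within the attempt budget."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    entry["attempts"] += 1
    if now > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[username]           # expired or brute-forced: discard
        return False
    if hmac.compare_digest(entry["code"], submitted):
        del PENDING[username]           # single use: consume on success
        return True
    return False
```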

My Password is Expired?

Once again the use of the authentication code process keeps users in the same browser tab and allows for a more modern and secure feel.  Another key thing to note is providing users with a confirmation email after they've made any changes to their accounts.

Break Points

Rather than get into crazy diagrams with all the possible pitfalls and negative scenarios, I chose to show all negative flows by their respective break points.  The security update process shares a lot of common pages so seeing them all in one place was good for discussion.