Change Password
How I influenced Online and Mobile banking to look deeper than the original ask to force 9 million clients to change their online passwords
RBC • Online and Mobile Banking
As the Lead Interaction Designer, I worked with other Interaction, Visual, and Content designers in Online and Mobile Banking in a quick discovery phase that revealed how this project would impact clients.
From inception to implementation, I worked with Product and Technology in quick iterations to ship fast.
Once implemented, I collaborated with Researchers and Product to demonstrate the real "under the surface" problem and the potential risks for the business, such as a spike in calls after clients change their passwords, along with possible ways to mitigate it.
Ultimately, that led to the project's expansion, with more pieces added to the roadmap.
_______________
9 million clients had old passwords that didn’t comply with the most recent security guidelines.
They were either too weak, too old, or lacked the most recent encryption level. That exposed clients to fraud and RBC to security and reputational risks.
Business Case
Enforce the new security standards by proactively prompting clients to update their non-compliant passwords, while minimizing the impact to advisors in the assisted channels (call centre, branch, chat, etc.).
Project Objective
Main Challenges
01 Outdated technology
The current Change Password flow was hosted on an old platform that didn't offer the most recent encryption levels and accepted passwords that didn't meet the minimum requirements.
02 No proactive password maintenance
There wasn't a proactive mechanism to prompt users to change their passwords, nor a design pattern to use for this type of communication with clients.
03 Not available in the Mobile App
The Change Password flow was not available in the Mobile App, only in Online Banking; however, about 30% of users were mobile-only and 27% were hybrid.
04 Tight deadline to meet compliance
Matching target dates and the release schedule left less than 2 months to ship the solution; design had less than 3 weeks. Because it's a Compliance issue, this was a Severity 1 project.
Clients with non-compliant passwords will be targeted and forced to change their passwords upon sign-in.
Original business input
Design's proposal
After running a quick Design Discovery sprint, the team had a better understanding of the problem from the user perspective and how the original solution could result in a spike in calls. Once presented to stakeholders, they were convinced that we needed a more progressive approach to communicate with clients.
Why? Because...
"Forcing clients to change their passwords will disrupt their online banking experience, resulting in confusion, frustration, and increased calls to assisted channels."
The final solution was broken into four main efforts:
1 - Re-platform and refresh by incorporating the recent guidelines and following the current Online Banking UI patterns;
2 - Develop it as a webview, to be consumed by the Mobile App, to speed up shipping and extend the functionality to almost 3 million clients.
*30% of users are mobile-only and 27% are hybrid (mobile and desktop).
3 - Marketing communication intercept modal upon sign-in starting 60 days before the deadline; the message gets more assertive 30 days before the deadline:
4 - 60 days after the targeted campaign is initiated, force a password change by prompting clients with non-compliant passwords to change their passwords upon sign-in.
Solution
Initial designs
Final Implementation
After several iterations and compromises...
1 and 2 - Re-platform, refresh and make it available in the Mobile App. Most relevant changes made after stakeholder alignment and Research:
"Current password" field: mandatory as per Compliance; we needed to add it back.
Research also revealed that many people may not remember their current password because they use passkeys or biometrics, or have their passwords saved on their devices.
Tips: moved down after realizing they were too prominent and pushed all the fields (higher priority) below the fold; also, that part couldn't be validated by our back-end.
3 - Marketing communication intercept modal upon sign-in starting 30 days before the deadline; the message no longer changes over time:
4 - 30 days after the targeted campaign is initiated, send users to the existing Reset Password flow instead of asking them to change their passwords on the same sign-in screen.
Staggered approach
Run multiple campaigns with smaller groups of clients as a way to mitigate the impact on Advice Centre.
Pilot
Test live with 40K users to measure the impact on Advice Centre channels before opening to millions of clients.
Root cause and consequences
Root causes: human memory limitation; underestimation of password strength; lack of awareness/education on password security; low motivation to create strong passwords.
Lead to...: harder passwords are hard to remember; avoiding changing them; reusing passwords across multiple sites/apps.
Which results in...: clients who are vulnerable to fraud; security and reputational risks for RBC.
Client mindsets
How clients may feel when signing in to RBC to do their banking and are asked to change or reset their password:
Annoyed 🙄
I don’t like to change passwords because it’s hard to remember
I don’t remember my old password
RBC is telling me to change my password
Confused 😒
I don’t know how to create a strong password
I don’t know how to keep my password safe
I don't understand why I have to change it
Unsure 🤔
I don’t think I’ll remember my new password next time I need to sign in
Confident and at ease 😎
RBC has my best interests in mind
RBC worries about my safety
I will change my password because I want to keep my account safe
The root causes above explain why people avoid changing passwords or create weak passwords.
Usability test insights
With a grain of salt...
Familiarity
Participants were familiar with other websites and apps that requested them to change their passwords upon sign-in
Clarity
The message to change their password was considered clear and direct. All participants understood what they had to do and what would happen if they didn’t act by the target date
Annoyance vs. importance
Changing passwords is not a top-of-mind task because people have trouble remembering them. However, several participants recognized the importance of keeping their accounts secure and appreciated the bank's proactive approach to protecting them.
Minimal disruption
Forcing clients to change their passwords wouldn't cause a significant disruption to assisted channels. None of the participants said they felt they would need to call after seeing the message.
However...
"The real risk of burdening the assisted channels actually comes after clients change their passwords."
Due to...
Confusing Reset Password flow:
The current Reset Password process has multiple steps where clients get stuck:
Last name and postal code - when they enter information that doesn't match their profiles
2-step verification - when they don't have a mobile device
Confusing sign-in that leads to reset failure:
The current sign-in is split into 2 steps that happen on separate screens
Error messages are unclear and don't help users self-recover
Mistakes made on sign-in are carried over to the Reset flow
Final proposal
It was clear that, to avoid a spike in calls related to Change Password, what we actually needed was to:
Streamline the Sign-In and Reset Password flows
Force users to change passwords right on the sign-in screen, rather than taking them to the Reset Password flow
Re-think the ways we allow clients to sign in and reset/change their passwords altogether
New proposed sign-in on one page
Added to the product roadmap!