Case Study

16.7 millions Americans had their identity stolen in 2017 alone. As an identity protection company, IdentityForce has information and resources to help people keep their identity safe. Their challenge is getting that information into the hands of new and current subscribers and motivating them to use it.

Project Details
  • Concept project
  • 2-week design sprint
  • 3-member team
  • User interviews
  • Journey mapping
  • Wireframing
  • Usability testing
  • Project Manager
  • Research Lead
  • Desktop prototype
Heads up
This was a concept project undertaken as part of General Assembly's UX Design Immersive program in summer 2019. I was part of a three-person design team and led our design research work.

Project Overview

To help push out existing IdentityForce content to new and existing subscribers, we design a challenge and rewards feature. We conducted research and, as we synthesized our findings, we identified a secondary business need that our feature could solve for. We infused all of that into several rounds of wireframes, before conducting usability tests.

Psst—hit any of those links to skip down to the section you're most interested in.

The brief

IdentityForce has a lot of best practices content that they currently push out to their existing users via email and newsletters. My team was asked to find a way to push more content out to those users and encourage them to take small steps to protect their identity.

My role

I was the team's Project Manager and Research Lead; my teammates took the lead on information architecture, interaction design, and visual design. As Project Manager, I created our team project plan, team functional plan, and the project timeline. As the Research Lead, I wrote the discussion guide for user interviews, performed domain research, and designed our usability testing. I also created wireframes, gave design feedback, and built out new pages for the prototype.

Our solution

We decided to gamify the learning experience by creating monthly challenges that IdentityForce subscribers could complete. In exchange for completing challenges, subscribers would earn points that they could redeem for rewards. We embedded best practices knowledge throughout the experience, and created a new Best Practices knowledge hub in IdentityForces’ existing Resources feature.


Design Research

Research focused on understanding two things: how the identity protection industry worked and how technology can support behavior change. I started with domain research, then conducted user interviews, and pulled from behavior research from the Nielsen Norman Group.

Domain research

I had no experience using identity protection, so I started by conducting domain research. I shopped around to get a sense of what was and wasn’t covered by typical identity protection companies. I also interviewed one of my teammates who had worked with an IdentityForce competitor. My biggest takeaways were that:

Most revenue comes from companies, not people

Identity protection companies make most of their money from businesses. They usually didn’t make much from individual or family subscriptions.

Companies often only sign up after a data breach

Most individual and family subscribers enroll in identity protection after their employer or a company they interact with experiences a data breach.

Companies pay for enrollees to get one free year

Employers and companies that have experienced a breach often offer individuals and their families a free one-year identity protection subscription.

People rarely re-enroll after the free year ends

Most individuals and families who choose to enroll through a discount provided by a company, often leave when their free subscription ends.

3 months

is how long it takes identity theft victims to find out what’s happened. Some don’t find out for three years.

16.7 million

Americans were victims of identity theft in 2017 alone. That includes one million children.

$540 million

in out-of-pocket cost for the families of the 1 million children who had their identity stolen in 2017.

User interviews

With that context in mind, I developed a discussion guide that the team could use to conduct user interviews. My main goals were to better understand: how people currently learn about identity protection best practices; what inspires them to change their behaviors; and what current beliefs they have about identity protection.


People tended to blame themselves for not being better informed about identity protection.

Preference for desktop

People seem to prefer handling sensitive information on a desktop rather than a phone​.

No go-to resource

None of the interviewees had a single, go-to resource for identity protection or cybersecurity knowledge.

"I know it's not the best way to manage my passwords, but I keep doing it."
- Marissa, User Interviewee
Behavior research

To better understand the connection between behavior and design, I read up on research from the Nielsen Norman Group. In particular, I focused on research about consistency, social proof, and authority. I learned that:

People like consistency

People like to be consistent, even if they know that what they’re doing isn’t efficient or smart.

It's all about that first step

Thanks to internal and external pressures, if you make people commit to something once, they are likely to follow through with it again and again.

Authority has its benefits

Authority does more than help companies meet goals; it also lightens their users’ cognitive load. When you trust a website, you can relax.



With our research gathered, we sat down to see what insights we could extract, starting with an affinity mapping exercise. We consolidated our findings into a journey map and then a persona. That in turn helped us clarify our problem and solution statements.

Affinity mapping

With that data gathered, we were ready to start synthesizing. That started with creating an affinity map based on our user interviews. In our first round, I think we were being influenced by the structure of the discussion guide because our final map nearly matched the guide’s structure. I asked my team to redo the exercise, focusing more on themes. Our second round (below) turned out to be much more useful.

Skepticism about identity protection

Our interviewees tended to have neutral or negative beliefs about identity protection services. Some believed it was an outright scam, while others were frustrated that services weren't more clearly explained. None felt confident they knew what identity protection services included.

Few authoritative resources

When it comes to staying on top of identity protection best practices, interviewees tended to rely on personal experience and the anecdotal experiences of their friends and family. None could list a go-to resource that they would turn to to get clear, well-researched identity protection content.

Distrust of specific industry best practices

Several interviewees expressed doubts about commonly-circulated advice like using a password manager. They feared, for example, that having all passwords in one place would make them more vulnerable, not less. This specific distrust tended to bleed into distrust of identity protection in general, likely because it's not seen as a holistic body of research.


Even interviewees who said they didn't know anything about identity protection services associated it with passwords. In fact, most saw the two as synonymous, rather than seeing good password management as one part of identity protection. This suggested that people dismissed identity protection services because they simply didn't know everything it entailed

Journey mapping

To better understand a typical identity protection subscriber's experience, we created a journey map starting with their first contact through their employer or business. We knew early on, their experience would be largely negative both because their information may be compromised and because they're skeptical of identity protection companies.

That skepticism would likely persist through the onboarding experience as they're asked for more personal information. Afterwards they were likely to feel more positive knowing the service was active in the background, only to realize at the end of their free period that they weren't feeling positively enough about the service to start paying for it out-of-pocket.

User persona

Based on the affinity map and the results of my domain research, we were able to put together a persona of our typical user, who we named Brian Boucher. And from that persona flowed both our user and business problem statements.

Brian is a high school teacher and a new father. He worries about the safety of his and his family’s identity, and knows identity theft could cost them severely. Brian recently enrolled with IdentityForce but doesn’t really know what the service provides and is skeptical of its legitimacy. Brian wants to know if he’s taking the right steps to keep his and his family’s identities safe while also following best practices.

Pain points

Skeptical of identity theft protection providers and thinks it may be a scam

Doesn’t know what identity protection includes or how it works

Has a hard time choosing which company to rely on

Has a difficult time keeping track of his passwords


Needs to feel secure that his family's information is covered

Notifications and alerts that keep him informed without any work from him

Needs to be able to monitor his wife and child’s identities

Needs a trustworthy source of information

Wants to feel empowered by being well informed

How we can serve

Be a trustworthy and authoritative source of best practices

Reassurance knowing that his identity is being kept safe

Demonstrate the wide range of customers that we already serve

Empower and encourage him with engaging content

Have a clear explanation of the service we provide

Problem statement

Brian is worried about his and his family's personal information becoming compromised in a data breach. He's unsure of what services he can trust or how they work. But he knows he needs an automated and engaging way to stay on top of his family's identity protection.

Identifying a secondary business opportunity

The journey mapping exercise made clear that we were really dealing with two problems. The first was covered in the brief: IdentityForce had content it wanted to push out. The second problem was that individual and family subscribers were choosing not to renew their subscriptions after their free year expired.

Solution statement

Through gamification, IdentityForce can entice Brian to improve his knowledge of identity protection best practices, and reward him for taking steps to secure his and his family’s identities. As Brian completes challenges and claims rewards, he deepens his knowledge, becomes more comfortable with identity protection, and becomes more likely to renew his subscription.



We took our findings and settled on a monthly challenge and rewards feature that would ask users to complete challenges to win rewards, while also learning about best practices. We generated several rounds of wireframes to clarify our idea and dived deeper into the challenge, verification, and rewards flows.

Infusing research into design decisions

Based on the Nielsen Norman Group research, I knew that getting users to commit to taking an action was key to keeping them engaged in the long run. So I suggested linking the rewards to progressively more difficult monthly challenges that would allow users to earn redeemable points; Brian would be doubly motivated to complete the challenges—from both the desire to be consistent and the lure of a reward.

I also knew from user interviews that people prefer to handle sensitive information on desktops rather than mobile devices. We also knew that IdentityForce’s mobile app was very different from their desktop experience. Rather than trying to bring the mobile experience up to par with the desktop version and then build out our feature, we decided to focus our time on IdentityForce’s desktop experience.


The team started with a design studio exercise to generate ideas early on. Once we settled on a direction, our Information Architect and Visual Design Lead translated our ideas into a sitemap and user flow. Our Lead Interaction Designer then created our wireframe templates, which we could take and use to spin off our own wireframes for dedicated pages. Finally, our visual design lead triaged wireframes and applied her visual style guide to them to give them a consistent look and feel that matched IdentityForce’s current web experience.

To generate ideas quickly, we gave ourselves for five minutes to sketch ideas, shared them, and then give and received feedback. After a few rounds of this, the team decided to pursue my idea of a rewards program, giving us a starting point for our new feature. Our initial design studio focused on mobile, but as we learned more about IdentityForce, we decided to focus on the desktop experience.

Below, the results of our design studio exercise, which helped us rapidly generate ideas. As we learned more from our interviews, we shifted our focus to desktop experiences.

Above, my early sketches included ideas for the Challenge page, the Rewards pages, and some preliminary sketches for the Knowledge Hub. The icons on the left were the main navigation in IdentityForce’s desktop experience, and we wanted to make sure we accounted for it. I also wanted to explore ways to incorporate best practices.
Above, determining how users would enter their credit card information turned out to be a bigger challenge than expected. I hadn’t understood that identity protection services didn’t monitor your credit card activity. My early sketches assumed they did, and a user would be able to just select which cards they wanted to include in the challenge.
Above, we all agreed we wanted to include previews of potential rewards to entice users to follow through on the challenge. Here I explored some ideas for displaying those rewards, and ways to break down the challenge instructions. We ultimately decided to develop the top, left sketch, which broke down instructions into numbered steps.
Above, as we continued to refine the card entry and selection page, we settled on the idea of a modal window that would pop up and allow users to add cards. Before any cards were entered, the screen would show instructional and encouraging microcopy.
Challenge flow

We envisioned the challenge experience starting with an email; IdentityForce would send subscribers an email once a month letting them know a new challenge was ready. The content and style of each challenge would vary depending on the topic. A phishing challenge could consist of completing a quick or review sample emails to identify common telltale signs of phishing; while a credit card challenge could involve checking your card balances and verifying how much IdentityForce sent to that card—a verification schema that we borrowed from Venmo and other financial apps.

Below, a user opens an email, reviews that month's challenge, reads the instructions, completes a quiz and learns some useful facts in the process via modals, before finally earning 25 rewards points.

Verification flow

One challenge that became apparent was the difficulty of having a universal, one-size-fits-all verification schema to ensure users were actually fulfilling their challenge requirements. Like the challenges themselves, we decided that the verification scheme would have to be tailored to the particular topic. That might sometimes be as simple as a final score on your quiz.

Below, our verification schema for a credit card challenge. Users will need to enter their credit card information, after which IdentityForce would send a small amount of money, up to a nickel, and ask users to validate how much had been sent to each card.

Claiming reward flow

Early on, we worked under an assumption that IdentityForce would be able to dispense monetary rewards like gift cards. Our hypothesis to be validated was that the revenue boost from individual subscribers choosing to renew would offset those costs, and help fund rewards for the next cohort. When our stakeholders expressed hesitancy with this hypothesis, we knew we needed to explore other ideas.

‍We went back to the drawing table and turned to other industries for inspiration. Our solution was a partnership-model similar to what many airlines offer. Instead of gift cards, IdentityForce could offer airline miles, discounts, and cash back from select commercial partners.

Below, a user who has accumulated 45 points, selects from a menu of rewards, some of which require more points than the user has.


Usability testing

While my teammates assembled our final visual design and prototype, I developed the scenarios and tasks for our usability tests. Because we had changed the rewards point system to make it more challenging to earn rewards, we wanted to test two different scenarios. Based on the results, we made a few design changes to our final prototype.

Scenarios and tasks

Our first scenario asked our testers to imagine their employers had enrolled them in a free year of identity protection. They (our testers) have logged in once, and one day get an email offering rewards for completing challenges. Testers were asked to find three things they could do to better manage their passwords, and then to complete the current month’s challenge.

Our second scenario took place after a few months of completing challenges, when the user had earned enough points to request a reward. They've also recently purchased a home that needs a lot of work. They needed to find a suitable reward for them and order it.

Relocating best practices

Only two of our testers thought to go to Best Practices tab to learn about passwords; most went to IdentityForce’s existing Resources page in the side menu. So we relocated the content.

Users forgot instructions

Our testers were confused by the challenge instructions. Not only did they forget or not even the instructions on the challenge page, they also thought they were being asked to pay.

Unclear point breakdowns

They also didn’t notice how the rewards were broken down by point value, and weren’t aware that their rewards point balance had increased after completing a challenge.

Design changes

Based on our results, we made a few changes to our design:

Embedded instructions

In the challenge user flow, we embedded instructions on each screen in the same location to clue users in to what they needed to do to progress. We also revised our copy to be more explicit and conversational.

Improved visual cues on Rewards page​

We made design changes to the rewards page to make it clearer that each row represented a different tier of rewards. We also overlayed a translucent black tile on top of rewards that users weren’t eligible to claim yet.

Relocating Best Practices

We removed the Best Practices tab from our challenge feature and added it to IdentityForce’s Resources page as a fifth tab. We believed that it would be worthwhile to keep the page as we had designed it because the other pages weren’t bucketed in any thematic way.

Explanatory text on rewards

We did want users to be able to see details about the rewards if they were curious. So if someone did click on a reward they weren’t eligible to claim, they would see details but in place of the claim button, they would get a message explaining that they didn’t have enough points yet.

More case studies

Designer & Prototyper



Sitework Hub

Visual Design Lead