To help push out existing IdentityForce content to new and existing subscribers, we designed a challenge and rewards feature. We conducted research and, as we synthesized our findings, we identified a secondary business need that our feature could solve for. We infused all of that into several rounds of wireframes, before conducting usability tests.
IdentityForce has a lot of best practices content that they currently push out to their existing users via email and newsletters. My team was asked to find a way to push more content out to those users and encourage them to take small steps to protect their identity.
I was the team's Project Manager and Research Lead; my teammates took the lead on information architecture, interaction design, and visual design. As Project Manager, I created our team project plan, team functional plan, and the project timeline. As the Research Lead, I wrote the discussion guide for user interviews, performed domain research, and designed our usability testing. I also created wireframes, gave design feedback, and built out new pages for the prototype.
We decided to gamify the learning experience by creating monthly challenges that IdentityForce subscribers could complete. In exchange for completing challenges, subscribers would earn points that they could redeem for rewards. We embedded best practices knowledge throughout the experience, and created a new Best Practices knowledge hub in IdentityForce’s existing Resources feature.
I had no experience using identity protection, so I started by conducting domain research. I shopped around to get a sense of what was and wasn’t covered by typical identity protection companies. I also interviewed one of my teammates who had worked with an IdentityForce competitor. My biggest takeaways were that:
Identity protection companies make most of their money from businesses. They usually don’t make much from individual or family subscriptions.
Most individual and family subscribers enroll in identity protection after their employer or a company they interact with experiences a data breach.
Employers and companies that have experienced a breach often offer individuals and their families a free one-year identity protection subscription.
Most individuals and families who choose to enroll through a discount provided by a company often leave when their free subscription ends.
is how long it takes identity theft victims to find out what’s happened. Some don’t find out for three years.
Americans were victims of identity theft in 2017 alone. That includes one million children.
in out-of-pocket cost for the families of the 1 million children who had their identity stolen in 2017.
With that context in mind, I developed a discussion guide that the team could use to conduct user interviews. My main goals were to better understand: how people currently learn about identity protection best practices; what inspires them to change their behaviors; and what current beliefs they have about identity protection.
People tended to blame themselves for not being better informed about identity protection.
People seem to prefer handling sensitive information on a desktop rather than a phone.
None of the interviewees had a single, go-to resource for identity protection or cybersecurity knowledge.
"I know it's not the best way to manage my passwords, but I keep doing it."
To better understand the connection between behavior and design, I read up on research from the Nielsen Norman Group. In particular, I focused on research about consistency, social proof, and authority. I learned that:
People like to be consistent, even if they know that what they’re doing isn’t efficient or smart.
Thanks to internal and external pressures, if you make people commit to something once, they are likely to follow through with it again and again.
Authority does more than help companies meet goals; it also lightens their users’ cognitive load. When you trust a website, you can relax.
With that data gathered, we were ready to start synthesizing. That started with creating an affinity map based on our user interviews. In our first round, I think we were being influenced by the structure of the discussion guide because our final map nearly matched the guide’s structure. I asked my team to redo the exercise, focusing more on themes. Our second round (below) turned out to be much more useful.
Our interviewees tended to have neutral or negative beliefs about identity protection services. Some believed it was an outright scam, while others were frustrated that services weren't more clearly explained. None felt confident they knew what identity protection services included.
When it comes to staying on top of identity protection best practices, interviewees tended to rely on personal experience and the anecdotal experiences of their friends and family. None could list a go-to resource that they would turn to for clear, well-researched identity protection content.
Several interviewees expressed doubts about commonly circulated advice like using a password manager. They feared, for example, that having all passwords in one place would make them more vulnerable, not less. This specific distrust tended to bleed into distrust of identity protection in general, likely because it's not seen as a holistic body of research.
Even interviewees who said they didn't know anything about identity protection services associated them with passwords. In fact, most saw the two as synonymous, rather than seeing good password management as one part of identity protection. This suggested that people dismissed identity protection services because they simply didn't know everything they entailed.
To better understand a typical identity protection subscriber's experience, we created a journey map starting with their first contact through their employer or business. We knew early on that their experience would be largely negative, both because their information may be compromised and because they're skeptical of identity protection companies.
That skepticism would likely persist through the onboarding experience as they're asked for more personal information. Afterwards they were likely to feel more positive knowing the service was active in the background, only to realize at the end of their free period that they weren't feeling positively enough about the service to start paying for it out-of-pocket.
Based on the affinity map and the results of my domain research, we were able to put together a persona of our typical user, who we named Brian Boucher. And from that persona flowed both our user and business problem statements.
Brian is a high school teacher and a new father. He worries about the safety of his and his family’s identity, and knows identity theft could cost them severely. Brian recently enrolled with IdentityForce but doesn’t really know what the service provides and is skeptical of its legitimacy. Brian wants to know if he’s taking the right steps to keep his and his family’s identities safe while also following best practices.
Skeptical of identity theft protection providers and thinks it may be a scam
Doesn’t know what identity protection includes or how it works
Has a hard time choosing which company to rely on
Has a difficult time keeping track of his passwords
Needs to feel secure that his family's information is covered
Notifications and alerts that keep him informed without any work from him
Needs to be able to monitor his wife and child’s identities
Needs a trustworthy source of information
Wants to feel empowered by being well informed
Be a trustworthy and authoritative source of best practices
Reassurance knowing that his identity is being kept safe
Demonstrate the wide range of customers that we already serve
Empower and encourage him with engaging content
Have a clear explanation of the service we provide
Brian is worried about his and his family's personal information becoming compromised in a data breach. He's unsure of what services he can trust or how they work. But he knows he needs an automated and engaging way to stay on top of his family's identity protection.
The journey mapping exercise made clear that we were really dealing with two problems. The first was covered in the brief: IdentityForce had content it wanted to push out. The second problem was that individual and family subscribers were choosing not to renew their subscriptions after their free year expired.
Through gamification, IdentityForce can entice Brian to improve his knowledge of identity protection best practices, and reward him for taking steps to secure his and his family’s identities. As Brian completes challenges and claims rewards, he deepens his knowledge, becomes more comfortable with identity protection, and becomes more likely to renew his subscription.
We took our findings and settled on a monthly challenge and rewards feature that would ask users to complete challenges to win rewards, while also learning about best practices. We generated several rounds of wireframes to clarify our idea and dived deeper into the challenge, verification, and rewards flows.
Based on the Nielsen Norman Group research, I knew that getting users to commit to taking an action was key to keeping them engaged in the long run. So I suggested linking the rewards to progressively more difficult monthly challenges that would allow users to earn redeemable points; Brian would be doubly motivated to complete the challenges—from both the desire to be consistent and the lure of a reward.
I also knew from user interviews that people prefer to handle sensitive information on desktops rather than mobile devices. We also knew that IdentityForce’s mobile app was very different from their desktop experience. Rather than trying to bring the mobile experience up to par with the desktop version and then build out our feature, we decided to focus our time on IdentityForce’s desktop experience.
The team started with a design studio exercise to generate ideas early on. Once we settled on a direction, our Information Architect and Visual Design Lead translated our ideas into a sitemap and user flow. Our Lead Interaction Designer then created our wireframe templates, which we could take and use to spin off our own wireframes for dedicated pages. Finally, our visual design lead triaged wireframes and applied her visual style guide to them to give them a consistent look and feel that matched IdentityForce’s current web experience.
To generate ideas quickly, we gave ourselves five minutes to sketch ideas, shared them, and then gave and received feedback. After a few rounds of this, the team decided to pursue my idea of a rewards program, giving us a starting point for our new feature. Our initial design studio focused on mobile, but as we learned more about IdentityForce, we decided to focus on the desktop experience.
Below, the results of our design studio exercise, which helped us rapidly generate ideas. As we learned more from our interviews, we shifted our focus to desktop experiences.
We envisioned the challenge experience starting with an email; IdentityForce would send subscribers an email once a month letting them know a new challenge was ready. The content and style of each challenge would vary depending on the topic. A phishing challenge could consist of completing a quick quiz or reviewing sample emails to identify common telltale signs of phishing, while a credit card challenge could involve checking your card balances and verifying how much IdentityForce sent to that card, a verification schema that we borrowed from Venmo and other financial apps.
Below, a user opens an email, reviews that month's challenge, reads the instructions, completes a quiz and learns some useful facts in the process via modals, before finally earning 25 rewards points.
One challenge that became apparent was the difficulty of having a universal, one-size-fits-all verification schema to ensure users were actually fulfilling their challenge requirements. Like the challenges themselves, we decided that the verification scheme would have to be tailored to the particular topic. That might sometimes be as simple as a final score on your quiz.
Below, our verification schema for a credit card challenge. Users will need to enter their credit card information, after which IdentityForce would send a small amount of money, up to a nickel, and ask users to validate how much had been sent to each card.
Early on, we worked under an assumption that IdentityForce would be able to dispense monetary rewards like gift cards. Our hypothesis to be validated was that the revenue boost from individual subscribers choosing to renew would offset those costs, and help fund rewards for the next cohort. When our stakeholders expressed hesitancy with this hypothesis, we knew we needed to explore other ideas.
We went back to the drawing board and turned to other industries for inspiration. Our solution was a partnership model similar to what many airlines offer. Instead of gift cards, IdentityForce could offer airline miles, discounts, and cash back from select commercial partners.
Below, a user who has accumulated 45 points selects from a menu of rewards, some of which require more points than the user has.
While my teammates assembled our final visual design and prototype, I developed the scenarios and tasks for our usability tests. Because we had changed the rewards point system to make it more challenging to earn rewards, we wanted to test two different scenarios. Based on the results, we made a few design changes to our final prototype.
Our first scenario asked our testers to imagine their employers had enrolled them in a free year of identity protection. They (our testers) have logged in once, and one day get an email offering rewards for completing challenges. Testers were asked to find three things they could do to better manage their passwords, and then to complete the current month’s challenge.
Our second scenario took place after a few months of completing challenges, when the user had earned enough points to request a reward. They had also recently purchased a home that needed a lot of work. They needed to find a suitable reward and order it.
Only two of our testers thought to go to the Best Practices tab to learn about passwords; most went to IdentityForce’s existing Resources page in the side menu. So we relocated the content.
Our testers were confused by the challenge instructions. Not only did they forget or not even notice the instructions on the challenge page, they also thought they were being asked to pay.
They also didn’t notice how the rewards were broken down by point value, and weren’t aware that their rewards point balance had increased after completing a challenge.
Based on our results, we made a few changes to our design:
In the challenge user flow, we embedded instructions on each screen in the same location to clue users in to what they needed to do to progress. We also revised our copy to be more explicit and conversational.
We made design changes to the rewards page to make it clearer that each row represented a different tier of rewards. We also overlaid a translucent black tile on top of rewards that users weren’t eligible to claim yet.
We removed the Best Practices tab from our challenge feature and added it to IdentityForce’s Resources page as a fifth tab. We believed that it would be worthwhile to keep the page as we had designed it because the other pages weren’t bucketed in any thematic way.
We did want users to be able to see details about the rewards if they were curious. So if someone did click on a reward they weren’t eligible to claim, they would see details but in place of the claim button, they would get a message explaining that they didn’t have enough points yet.