OneSignal Two-Step Authentication

An enhanced security feature for dashboard customer accounts

Two setup modals for OneSignal two-factor authentication

Role & Responsibilities

Product Design

Project Background

OneSignal is an incredibly popular tool that's used by developers around the globe to send mobile and web push notifications, and their leadership team committed to delivering additional layers of account-level security to their customers in 2020.

Two-factor authentication is an increasingly common security feature across mobile and web apps. Once it's enabled for an account, the account owner has to log in with a time-based passcode that's generated by an authentication app or password manager. Because the passcode is randomized and short-lived, an account whose password has been leaked is more difficult for an outside party to compromise.

I researched two-factor enablement and management flows across a multitude of apps to discover common patterns and terminology.

As a result of this research, I pushed to name the feature with the simpler term of Two-Step Authentication, and for the team to resist adopting the acronym "2FA" publicly. Acronyms could cause confusion when they're used in documentation or conversations between customers and support or sales staff.

Working alongside a Product Manager and Senior Full-Stack Developer to learn technical constraints, I created extensive wireframes and high-fidelity prototypes in Figma for each screen of the setup process, as well as the emails that the user would receive as they enabled and disabled the feature for their account.

Screenshot from the Figma desktop application with multiple artboards with desktop screen designs visible

After the launch of Two-Step Authentication, I continued to work on design for additional account-level security enhancements with the goal of making the process for having a secure account feel like a seamless part of the OneSignal experience.

Results

The feature was adopted widely across both single developer accounts and large organizations within days of being launched publicly, bringing peace of mind to users who are sensitive to account security issues.