Case Study:
Protecting Every Login to macOS & Windows
Overview
Problem
Passwords are no longer enough to protect employees logging into their work Mac or PC. These sensitive computers now require Multi-Factor Authentication (MFA) to comply with cybersecurity insurance requirements or follow the Executive Order on Improving the Nation’s Cybersecurity. Computer logins now require a password and a separate factor, such as one-time code, a push notification, or a security key.
Audience & Needs
Protecting every desktop login with MFA affects administrators and end users.
Administrator needs
- deploy software that changes the login experience for every computer in their organization
- configure which end users are affected
- minimize end users being locked out of their work computers
End user needs
- understand their computer login will change
- get enrolled in any new security measures for MFA
- use MFA on every computer login
- still be able to login when their computer is offline
Skills
- prototyping
- visual design
- usability testing
Team
My team at Okta:
- Design: Lead Product Designer (me), a Product Designer, a User Researcher
- Engineering: a manager, 2 macOS, 3 Windows, 2 QA
- 2 Product Managers
- a Documentation Writer
Design Process
Competitive Research
We weren’t the first to market with Desktop MFA. But each competitor used a custom interface, rather than following Windows or macOS conventions.
I advocated for this opportunity to speak to one of Okta’s strengths—vendor neutrality. DECISION: follow the Windows and macOS interface conventions, because end users probably trust them more than any security product.
This also moved us closer to the product positioning of “Okta Inside” (à la “Intel Inside”) and the eventual goal of shipping Okta with every laptop.
Constraints
Following the Windows and macOS interface conventions came with heavy constraints. On Windows login, we were limited to strictly 10 basic UI elements and couldn't even include images or customize the login font in any way.
On macOS login, we could use the UI elements of any macOS app, but had to either cover up the username & password fields or emulate the entire login window, down to the colorful background image that varies with each release.
Prototyping for feasibility
I prototyped early in low fidelity to clarify what was possible and needed from our solution.
My prototypes mixed UI with authentication logic; both were fully clickable. Interactive logic was crucial since my prototype shared and informed the code engineers would eventually build. I presented these prototypes to the team on a weekly basis to confirm feasibility, eliminate unnecessary states, and ensure I delivered UI for every critical path.
Extensive prototyping allowed us to simulate and test a complete user experience before we committed to code.
Usability testing improved enrollment
Usability testing my Windows prototype with representative users found a key challenge. End users had 50 logins to enroll in additional security after being logged in. Not only did users defer enrollment until the count was low, they expected to enroll when the count reached 0. Decision: meet end user expectations to minimize error states and troubleshooting costs.
macOS engineers revisited the feasibility of starting with enrollment during login. I found inspiration in the macOS Setup interface, which also appears before users are logged in.
This became how we introduced ourselves and enrolled users:
Usability testing my macOS prototype eliminated all the enrollment friction we found with the original Windows approach. This approach also simplified the code and implementation logic, making it easier to QA and document.
Outcomes & Market Feedback
Following the Windows and macOS interface conventions led to interfaces that felt fully integrated into the existing, familiar, trusted login experience. In beta testing, administrators shared comments like "it looks like you partenered with Microsoft [or Apple]," even when we weren’t soliciting UI feedback.
We generated $1mm ARR in the first 7 weeks after the product announcement in Washington, D.C.
