Work sample from this case study

Case Study:
Protecting Every Login to macOS & Windows

✔ In Production (2023)

Overview

Problem

Password prompt on macOS 12

Passwords are no longer enough to protect employees logging into their work Mac or PC. These sensitive computers now require Multi-Factor Authentication (MFA) to comply with cybersecurity insurance requirements or follow the Executive Order on Improving the Nation’s Cybersecurity. Computer logins now require a password and a separate factor, such as a one-time code, a push notification, or a security key.

Audience & Needs

Protecting every desktop login with MFA affects administrators and end users.

Administrator needs
  • deploy software that changes the login experience for every computer in their organization
  • configure which end users are affected
  • minimize end users being locked out of their work computers
End user needs
  • understand their computer login will change
  • get enrolled in any new security measures for MFA
  • use MFA on every computer login
  • still be able to log in when their computer is offline

Skills

Team

My team at Okta:

Design Process

Competitive Research

We weren’t the first to market with Desktop MFA. But each competitor used a custom interface, rather than following Windows or macOS conventions.

Duo Desktop MFA on Windows

TecMFA on macOS

I advocated for this opportunity to speak to one of Okta’s strengths—vendor neutrality. DECISION: follow the Windows and macOS interface conventions, because end users probably trust them more than any security product.

This also moved us closer to the product positioning of “Okta Inside” (à la “Intel Inside”) and the eventual goal of shipping Okta with every laptop.

Constraints

Following the Windows and macOS interface conventions came with heavy constraints. On Windows login, we were limited to strictly 10 basic UI elements and couldn't even include images or customize the login font in any way.

On macOS login, we could use the UI elements of any macOS app, but had to either cover up the username & password fields or emulate the entire login window, down to the colorful background image that varies with each release.

Prototyping for feasibility

I prototyped early in low fidelity to clarify what was possible and needed from our solution.

My prototypes mixed UI with authentication logic; both were fully clickable. Interactive logic was crucial since my prototype shared and informed the code engineers would eventually build. I presented these prototypes to the team on a weekly basis to confirm feasibility, eliminate unnecessary states, and ensure I delivered UI for every critical path.

Extensive prototyping allowed us to simulate and test a complete user experience before we committed to code.

screenshot of logic frame

screenshot of logic frame next to UI frame with prototype connections visible

screenshot of zoomed out prototype with all connections visible

Usability testing improved enrollment

Usability testing my Windows prototype with representative users found a key challenge. End users had 50 logins in which to enroll in additional security, and enrollment took place after they were logged in. Not only did users defer enrollment until the count was low, they expected to enroll when the count reached 0. DECISION: meet end user expectations to minimize error states and troubleshooting costs.

macOS engineers revisited the feasibility of starting with enrollment during login. I found inspiration in the macOS Setup interface, which also appears before users are logged in.

screenshot of macOS setup screen before login

This became how we introduced ourselves and enrolled users:

screenshot of custom macOS enrollment screen before login

Usability testing my macOS prototype eliminated all the enrollment friction we found with the original Windows approach. This approach also simplified the code and implementation logic, making it easier to QA and document.

Outcomes & Market Feedback

Following the Windows and macOS interface conventions led to interfaces that felt fully integrated into the existing, familiar, trusted login experience. In beta testing, administrators shared comments like "it looks like you partnered with Microsoft [or Apple]," even when we weren’t soliciting UI feedback.

screenshot of custom macOS Desktop MFA factors

screenshot of custom macOS device access code input

We generated $1mm ARR in the first 7 weeks after the product announcement in Washington, D.C.

Desktop MFA shown off on stage at Okta City Tour DC
