2-Step Verification

Kiva experienced a rising threat from hackers using credential stuffing to breach user accounts. The surge in data breaches, translated into millions of attempted logins on Kiva accounts with some accounts being compromised.
To safeguard Kiva accounts from hackers, we needed an automated method to strengthen the security of these accounts.
*Disclaimer: For security purposes, this case study does not go in-depth of the full 2-step verification process.


Sole product designer


1 Product Manager
3 Engineers
1 Copywriter
Support team


4 weeks for desktop and mobile


Internal data showed an increase in malicious users trying to take over Kiva accounts and stealing money through credential stuffing. 


By adding an extra layer of security with 2-step verification, we will reduce the amount of malicious activity, thereby reducing the risk to Kiva users and Kiva itself. 
Final designs
A new security layer that protects Kiva accounts from hackers with one or multiple verification methods.

How we got there

Success metric

What % of Kiva account holders set up 2-step verification?

Project goals

  1. Create secure user flows for mobile web and desktop
  2. Motivate users to set up 2-step verification
  3. Educate users on how to use 2-step verification


I gathered insights from external research studies on 2-step verification and highlighted the key takeaways:

I also conducted competitive research on 9 companies with industries in social media, banking, and email to analyze how they were using 2-step verification.
Mapping out the user flows helped me visualize the various pathways per action. I annotated common UX patterns, requirements per security method, email triggers, and how they were educating users. 
Before designing, understand the UX first
To help me grasp the complexities of 2-step verification, I created a list of questions to tackle before I started designing:
  1. How does Auth0 (an authentication and authorization service used by Kiva) work?
  2. What does the flow look like when setting up 2-step verification? 
  3. What does it look like when turning off or editing security methods?
  4. How can things go wrong?
I created multiple iterations of the 2-step verification user flows and sought feedback from product, engineering, and customer service teams. Valuable points were made on technical feasibility with Auth0 and edge cases.
High level overview of the final user flows

Design explorations

2-step verification
One of the main goals when designing was to answer this question: “how can I make the user feel secure and confident in their actions when going through the flow?”

My attempt at this was to use minimal designs in order to direct the user's attention to the instructions and to work with our copywriter in creating succinct, yet informative copy that educates the user throughout the 2-step verification journey.
Spec & Handoff
Finally, I used Figma to spec and handoff the V1 Guest Checkout flow to our engineering team.


  1. Diving deep into the trenches of 2-step verification pushed me to think more about edge cases. You should always be thinking of how things could go wrong so that you could best prepare and take the necessary precautions, both from a technical and project perspective.
  2. Documenting complex workflows on various attempts and why they didn’t work was extremely helpful to refer back to as a reminder for design decisions. Future designers or other team members will also be able to reference these conversations to understand context and reasons as to why we did or didn’t go with a certain solution. 
  3. Work with the customer service team more often! Their close relationship to users, provided a fresh perspective as they were able to shed light on various edge cases, giving me the opportunity to adjust and strengthen my designs.