Strengthening digital security with seamless authentication

LEAD PRODUCT DESIGNER / USER RESEARCH
2025

Project details

OVERVIEW

M&S is a major UK retailer with 7M+ digital users. With account takeover cases rising (+76% in 2024) and a cyberattack occurring mid-project, they needed to strengthen security without adding friction.



I designed new MFA flows across mobile and desktop — mapping verification points and shaping clear, low-friction experiences. This included balancing ease with security, working within legacy technical constraints, and ensuring language and error states supported user confidence.

Client

Marks & Spencer

My role

Lead designer
User testing

Developer handoff

Team

1 designer
1 project manager
4 developers

Duration

2025

Status

Work in progress

Key Challenges

Strengthening security during a period of heightened risk (including a live cyberattack) without adding noticeable friction to everyday sign-in

Designing MFA flows that worked across both legacy systems and new platform components, with limited flexibility in back-end logic

Communicating why verification was needed in a way that felt reassuring, not alarming — especially for less tech-confident users

Ensuring consistency across mobile, desktop, and email/SMS touchpoints to prevent confusion or phishing concerns

How might we strengthen account security in a way that feels reassuring, seamless, and aligned with M&S’s trusted brand experience?

Our approach

Defined success criteria

Established shared goals — secure enough to prevent attacks, simple enough to feel effortless, and aligned with M&S’s trusted brand tone

Assessed the current landscape

Audited existing sign-in and verification flows and reviewed competitor benchmarks to understand patterns users already trust

Validated design decisions through user testing

Ran UserZoom tests to learn which MFA methods felt most trustworthy and used tree testing to refine language and information hierarchy

Designed for the full ecosystem across multiple touch points

Mapped verification touch points across sign-in, sensitive actions, recovery, and account settings — ensuring consistency across mobile and desktop.

Synthesizing user testing results to uncover insights that informed clearer, more trusted, and frictionless MFA flows.

RESULTS

Unified and predictable multi-factor authentication experience

Delivered a streamlined sign-in and OTP flow that reduced friction for everyday use while strengthening verification for sensitive actions.

Clear and supportive error handling, created in close collaboration with developers to ensure messages reflected real system behaviour—helping users understand what happened and how to fix it without confusion.

RESULTS

Introduced the account security hub to simplify how users manage sign-in methods, reset credentials, and review their security status

Created a clear, user-friendly space for managing MFA settings, increasing transparency and giving users a stronger sense of control over their security.

RESULTS

Scalable MFA pages for future verification methods

Built reusable patterns that support current SMS verification and easily extend to future methods (authenticator apps, push notifications, biometrics).

Project Takeaways

Balancing security with usability

Strong security doesn’t have to mean a clunky experience. By simplifying flows and reinforcing trust through design, we reduced friction without weakening protection.

The importance of language

Clear, human wording made MFA feel less intimidating and helped users understand why steps were necessary. Small shifts in phrasing had a big impact on reassurance.

Designing within technical constraints

With SMS as the only available method initially, I learned to design flows that worked within today’s limitations while leaving room for future MFA methods.

Security is an emotional experience

Beyond compliance, MFA touches on fear and trust. Designing recovery paths and error states with empathy was just as critical as creating the happy path.

© NICOLE LOZANO 2025
