Catch

Enhancing customer security with Auth0 and multifactor authentication

UX & Research
Visual Design
Strategy
Stakeholder Management
Catch auth login screen on a phone

Situation

Account hacking is one of the most common security threats, with over 80% of data breaches involving the use of lost or stolen credentials. With the increase in credential stuffing and security threats, Catch decided it was important to improve the way we handled authentication, with a specific goal of uplifting our Auth0 capability and enabling multifactor authentication (MFA).

Task

The primary goal of this work was to bring our authentication capability with Auth0 up to standard, and to give ourselves the tools to turn on MFA. We needed to do this in a way that provided extra security to customers while causing as little friction as possible so it didn't impact the bottom line.

This project required working with the engineering team, an Auth0 expert consultant from Codez, and security stakeholders in the business.

Design for Catch e2e auth sign up flow
End to end sign up flow for SMS, email and Catch authenticator

Action

Before kicking off the designs, I conducted a thorough competitor benchmark exercise to establish common security patterns and common interactions customers would be familiar with. The goal was to ensure a customer felt as comfortable as possible in this space, so any trends and patterns were a welcome inclusion.

Working closely with the engineering team, I designed the experience and UI for the various end-to-end journeys a user would go through depending on account type and objective. We shifted our login flows to use the Auth0 capabilities, giving customers a more secure and consistent login experience.

We uplifted our account security preferences, shifting all password and email updates to use the new service, and provided customers with options to add authentication methods for SMS, email, a new authenticator app capability in Catch's native apps and 3rd party authenticators like Google.

Finally, the customer support tools were given an update, with a new UI, so that support staff could help our customers with password updates, blocking and unblocking accounts, and resetting connected authenticators.

Design for Catch's account security screen
Designs for the account security page uplift
Design for Catch e2e auth sign up flow
Android authentication design flow

Result

We successfully launched to all users in July of 2024. Within a month, 10% of users had added MFA to their account, with a spike after we sent out communications to customers.

We tested enforcing MFA for users and saw an 18% impact to conversion within 40 minutes before returning it to optional. This confirmed to us that optional MFA was the way forward.

By December, 100% of customers had a verified email, an important step in making sure we had at least 1 verified authentication method. This ensures a better, more secure experience for customers, a reduction in backend calls and less risk for the business.