Balancing security with usability
01. Overview
Within the Enterprise Identity Access Management System, I led an eight-week UX uplift focused on improving how MFA communicates, guides, and recovers. The system itself was technically sound, but the experience introduced unnecessary cognitive load, forcing users to interpret inconsistent language, navigate unclear flows, and recover from errors with little to no support.
Client: Department of Health, Disability & Ageing (DHDA)
Duration: 2 months
Year: 2025
Role: UI/UX Designer
Welcome to MFA Setup
Pick a method that works best for you.
Use an app
Get a one-time passcode from any authenticator app
Secure
Set up
Face, fingerprint or PIN
Use your device to sign in faster with a passkey
Secure
Set up

Physical security key
Use a physical key you plug in to verify your identity
Very Secure
Set up
The more secure face and fingerprint login
Passkeys are encrypted digital keys you create using face, fingerprint or PIN. They can't be guessed or reused.
Choose where you’d like to create your passkey
Use this Windows device
Create a passkey secured with Windows Hello
Set up
Use another device
Create a passkey stored in your preferred device
Set up
Link app
Verify
Backup
You’re almost done. Let’s add a backup to avoid being locked out.
Emergency recovery codes for Authentication app
1. TbvIWgF8v3
2. nKEhCNPcNR
3. v1DAG6sCX6
4. 11P4hBLXA1
5. 1xEel6JybF
6. tXvXlGVDFP
7. yJ5d4qB3ec
8. dFfomehAt
9. pH9IceKF4f
10. 8tby3RRKsh
Copy
Download
I have stored these codes in a password manager
Add a secondary MFA method
Done
Sign-in has been paused to keep your account safe
EIAMS support can help you get back in by verifying your identity to restore access.
Contact EIAMS
02. Role
Operating across constraints, not within them
My work sat inside the Enterprise Identity Access Management System, a core system responsible for securing access across government services. It handles authentication at scale, which means every interaction is tied to compliance, risk, and Salesforce platform constraints that can’t be casually redesigned. This was my first lead UI/UX role within an enterprise.

03. THE PROJECT
MFA user experience uplift
Brief
The technical team is seeking a UX uplift of the MFA system, focusing on improvements in language, communication, interface design, and boosting user confidence in recovery. This discovery phase was designed to understand why users struggle with MFA setup, recovery, and ongoing management of authentication methods.
Approach
The research aims to uncover trust issues, cognitive load challenges, and points of hesitation, while identifying opportunities to reduce admin intervention and improve overall user confidence. Insights will guide enhancements that make the MFA experience clearer, more intuitive, and resilient in real-world conditions.
5 pillars of Human Centred Design Section, DSAI
Shape strategic direction: Start by understanding people and the problem space, using real insights to define what we’re solving and where the product should go.
Build the Case: Turn those insights into a clear direction, aligning user needs with business goals and defining what success looks like.
Design & Test: Design solutions and test them with users early, making sure they actually work and feel right before moving forward.
Test & Deliver Solutions: Refine and ship solutions through continuous testing, ensuring they are usable, accessible, and hold up in real scenarios.
Measure Impact & Improve: Track how the solution performs after release, using data and feedback to iterate and improve over time.
04. PROCESS
Discovery
Research Objectives
Do users understand what MFA protects, and trust this MFA's legitimacy? Measured through observed comprehension patterns, user quotes and trust signals.
Where do users hesitate, re-read or become unsure? Measured through time-on-task, confusion and re-read frequency.
How do users recover from errors or lockouts? Measured through recovery success and emotional responses.
What makes users skip or under-prepare MFA setup? Measured through behavioural insight and qualitative reasoning.
Solution
Usability Testing - Sprint 1
To tackle this properly, I set up a quick discovery-to-concept sprint that compressed research and design into a tight, focused cycle. Sprint one was centred on understanding, not solutioning. I ran think-aloud usability testing alongside a heuristic evaluation to break down how the MFA actually performs under real use.
Process Overview
01 Kickoff · 02 Discovery · 03 Synthesis · 04 Solution · 05 Showcase
Activities, in order: Brief; Current state walkthrough by tech team and BAs; Create UX test; Gather participants; Heuristics eval; Conduct tests; Build findings report; Lean ideation; Feasibility; Synthesise; Create solution; Build final report; Recommendations; Showcase.
05. Design Discovery
The art of testing
Discovery
Sprint 1
In this sprint, I took a deep dive into the current MFA experience, reframing four system flows into three core user tasks based on how users actually move through authentication.
User flows for testing
Registration flow
Primary user goal: Set up MFA device for secure access
System trigger: No recognised registered account, first-time login
Flow branches: Authentication application, Windows Hello or security key, passkey
Login flow
Primary user goal: Authenticate and access portal
System trigger: Successful registration, user
Flow branches: Authentication application, Windows Hello or security key, passkey, reset device, new device. Soft lock.
Reset device flow
Primary user goal: Remove a lost device OR reset MFA account
System trigger: User-initiated after soft lock, or via device management
Flow branches: Removal of registered methods including OATH, Windows Hello, passkey. Hard lock.
New device flow
Primary user goal: Add backup secondary MFA
System trigger: User-initiated
Flow branches: Step-up authentication, then adding authentication application, Windows Hello or security key, passkey
Usability Testing
Date: Nov 24 - Dec 10
Method: Remote, think-aloud scenarios
Participants: 10
User tasks
Registration options
There are two options for Multi-Factor Authentication
One-Time Password (OTP) authentication uses a device such as a smartphone app to provide a unique numerical passcode that is only usable for a limited time.
Windows Hello is an authentication technology in your laptop that uses facial recognition, fingerprint, or a PIN to confirm your identity.
Next
Registration MFA task
Testing the registration interface, content and recovery codes.
The Windows Hello option is programmed to fail, to test the error message and user recovery
Testing authentication application and passkey registration flows
Type to search
My Passkey Device
OATH Device
Reset Device
New Device
Adding secondary device task
Testing ‘Step-up’ interpretation
Testing registration for passkey, windows hello and authentication application
Testing users' mental model of adding backup methods
Login Failure
Your Account has been locked.
You are unable to proceed with MFA Verification until your account is unlocked.
Please email eiamsoperations@health.gov.au for support. Transaction ID: [b849f-49fd-bd54-gm24-request-1]
Log in task (sad path)
Testing login and error messages with all MFA methods available
Testing soft lock
Testing hard lock
06. FINDINGS
Six gems of truth
Synthesis
Sprint 2
In this sprint, I used affinity mapping of all quotes from the 10 interviews to find about 12 themes, which I condensed into 6 key findings that my recommendations are based on.
Insight 1
The wording is all over the place, so users are guessing what each button actually does and misinterpreting flows and information.
Violated usability heuristics:
Consistency and Standards
Match between system and real-world expectations
Insight 2
Insight 3
Insight 4
Insight 5
Insight 6
Design Concepts
Glimpse of a dream
I brought the vision to life with 20 hi-fi design concepts, each offering a unique way to progress MFA
Language and Clarity
Tightening UX copy and reducing ambiguity across the system was another key goal. By simplifying language, aligning terminology, and making intent explicit, this direction aimed to remove cognitive load and make each step understandable.
Feedback and system response
The concepts addressed the lack of feedback across key moments in the journey. By introducing clear system states, confirmations, and progress indicators, this direction aimed to reinforce confidence and make the system feel responsive.
The Recommendation
After evaluating the system, it became clear that while MFA was technically sound, the experience itself was creating hesitation and low confidence for users. We saw a strong opportunity in reshaping how the system communicates and guides users, turning it into something far more intuitive and trustworthy without needing to change the underlying architecture.
07. RECOMMENDATIONS
Security
within UX
Solution
Sprint 3
In this sprint, we set out to generate innovative ideas that deliver exceptional customer experiences and uncover new business opportunities, all without letting technical limitations hold us back.
UX Outcomes
• UX Psychology Toolkit
• Design Principles
• Content Framework
• Extended Design Exploration: Your Monthly Wrap-Up
MFA set up
The MFA set-up was redesigned to reduce hesitation from the first interaction, shifting from technical labels to clear, recognisable choices that users can understand instantly. Each method is supported with familiar icons and plain language, allowing users to compare options quickly and select what feels right without second-guessing.
Design Rationale
Use clear icons alongside each method for faster recognition and recall
Apply warm, plain language tone to lower anxiety during initial setup
Use secondary buttons to signal methods are not yet set up
Present all setup options consistently to support comparison and informed choice with secure labels
UX Psychology Applied
Cognitive Ease
Lowering cognitive load through simplified language and consistent patterns reduces hesitation and decision fatigue. This makes users less likely to skip or avoid secure methods, leading to stronger adoption of recommended authentication practices.
Enable back up
The recovery code step was redesigned to guide users through backup setup with clarity and confidence, positioning it as a supportive safeguard rather than an optional extra. By framing this moment as “almost ready,” the flow builds momentum at the final step and reduces the likelihood of drop-off, helping users feel close to completion rather than introducing friction.
Design Rationale
Use reassuring and friendly language to frame backup setup as supportive rather than mandatory
Introduce a checklist pattern to clearly communicate progress and reduce uncertainty
Show the final step as “almost ready” to increase perceived momentum and reduce drop-off
Gate the primary completion action until required steps are acknowledged, reinforcing safe behaviour
UX Psychology Applied
Perceived Progress + Completion Bias:
Framing the step as “almost ready” and using a checklist creates a sense of momentum, encouraging users to complete setup rather than abandon at the final stage.
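The backup step above shows recovery codes once, asks the user to confirm they have stored them, and gates "Done" on that acknowledgement. The following is an added example (not EIAMS or DHDA code) of how a server can back that screen: codes are generated with a CSPRNG, persisted only as salted digests, compared in constant time, and burned on first use. The alphabet, length and count are assumptions chosen to match the mixed-case alphanumeric codes in the mockup.

```python
"""Recovery-code backup step, modelled server-side (added example, not EIAMS code)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Assumptions: the mockup shows ten mixed-case alphanumeric codes of ten characters.
CODE_ALPHABET = string.ascii_letters + string.digits
CODE_LENGTH = 10
CODE_COUNT = 10


def _hash_code(code: str, salt: bytes) -> bytes:
    """Store only a salted digest, so a leaked table does not yield usable codes."""
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


@dataclass
class RecoveryCodeSet:
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    digests: list = field(default_factory=list)  # digests of unused codes only
    acknowledged: bool = False  # the "I have stored these codes" checkbox

    def issue(self) -> list:
        """Generate a fresh set; the plaintext is returned once and never persisted."""
        codes = [
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(CODE_COUNT)
        ]
        self.digests = [_hash_code(c, self.salt) for c in codes]
        self.acknowledged = False  # a reissue invalidates the old acknowledgement
        return codes

    def acknowledge(self) -> None:
        """User ticked the checkbox confirming the codes are stored."""
        self.acknowledged = True

    def can_complete(self) -> bool:
        """The primary 'Done' action stays gated until codes exist and are acknowledged."""
        return bool(self.digests) and self.acknowledged

    def redeem(self, candidate: str) -> bool:
        """Accept a code once; constant-time compare avoids leaking match position."""
        digest = _hash_code(candidate.strip(), self.salt)
        for i, stored in enumerate(self.digests):
            if hmac.compare_digest(digest, stored):
                del self.digests[i]  # single use
                return True
        return False

    def remaining(self) -> int:
        return len(self.digests)


if __name__ == "__main__":
    rs = RecoveryCodeSet()
    shown_once = rs.issue()
    print("Codes to show the user:", shown_once)
    rs.acknowledge()
    print("Can complete setup:", rs.can_complete())
    print("First redeem:", rs.redeem(shown_once[0]), "second redeem:", rs.redeem(shown_once[0]))
```

The gate in `can_complete` is the server-side counterpart of the checklist pattern: the UI framing encourages completion, but the account is not marked "backup enabled" until the acknowledgement is recorded.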
Final attempt and soft lock
This moment was redesigned to handle failure with clarity and composure, turning a typically frustrating lockout into a controlled, understandable pause. Before users hit a soft lock, a clear “final attempt” message is surfaced inline, setting expectations early and giving users a chance to act more carefully rather than being caught off guard.
Design Rationale
Surface a clear “final attempt” message inline to set expectations before a temporary soft lock
Demote high-risk actions such as resetting methods, with secondary actions and supporting information
Frame the soft lock as a short security pause using warm, human language to reduce frustration and blame
Offer clear escape hatches and recovery options, including trying another method or setting a reminder
UX Psychology Applied
Expectation Setting + Loss Aversion:
Making the final attempt visible prepares users for potential lockout, reducing shock and encouraging more careful behaviour.
Control & Emotional Regulation:
Framing the lock as a temporary pause with clear next steps reduces anxiety, helping users stay composed and make better recovery decisions.
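The "final attempt" warning, the soft lock as a short security pause, and the hard lock that hands off to EIAMS support are three states of one failed-attempt counter. The following is an added example (not EIAMS or DHDA code) of that state machine with the screen copy from this page attached to each state; the attempt limit, pause length and hard-lock escalation threshold are assumed values, not the system's real policy.

```python
"""Failed-attempt state machine behind the final-attempt, soft-lock and hard-lock screens.
Added example; thresholds are assumptions, not EIAMS policy."""
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5             # assumption: soft lock after five consecutive failures
SOFT_LOCK_SECONDS = 15 * 60  # assumption: a short, temporary pause
MAX_SOFT_LOCKS = 3           # assumption: escalate to a hard lock after repeated soft locks


@dataclass
class MfaAttemptState:
    failures: int = 0
    soft_locks: int = 0
    locked_until: Optional[float] = None
    hard_locked: bool = False


def record_attempt(state: MfaAttemptState, ok: bool, now: float) -> str:
    """Apply one verification result and return the UI state to render."""
    if state.hard_locked:
        return "hard_locked"
    if state.locked_until is not None:
        if now < state.locked_until:
            return "soft_locked"  # still inside the pause; do not count the attempt
        state.locked_until = None  # pause expired: user gets a fresh run of attempts
        state.failures = 0
    if ok:
        state.failures = 0
        return "ok"
    state.failures += 1
    remaining = MAX_ATTEMPTS - state.failures
    if remaining <= 0:
        state.soft_locks += 1
        state.failures = 0
        if state.soft_locks >= MAX_SOFT_LOCKS:
            state.hard_locked = True
            return "hard_locked"
        state.locked_until = now + SOFT_LOCK_SECONDS
        return "soft_locked"
    if remaining == 1:
        return "final_attempt"  # surfaced inline before the lock, so it is not a surprise
    return "retry"


def message_for(status: str, state: MfaAttemptState, now: float) -> str:
    """Warm, specific copy per state, mirroring the redesigned screens on this page."""
    if status == "ok":
        return "You're signed in."
    if status == "retry":
        return "That code didn't match. Check your authenticator app and try again."
    if status == "final_attempt":
        return "This is your final attempt before sign-in is paused. Take a moment and try again."
    if status == "soft_locked":
        minutes = max(1, int((state.locked_until - now + 59) // 60))
        return (f"Sign-in has been paused to keep your account safe. "
                f"Try again in about {minutes} minutes, or use another method.")
    return ("Sign-in has been paused to keep your account safe. "
            "EIAMS support can help you get back in by verifying your identity to restore access.")


if __name__ == "__main__":
    s = MfaAttemptState()
    for t in range(6):  # constructed sequence: six wrong codes at t = 0..5 seconds
        status = record_attempt(s, ok=False, now=float(t))
        print(f"t={t}: {status}: {message_for(status, s, float(t))}")
```

Keeping the failure count on the server, rather than in the browser, is what lets the "final attempt" message be truthful: the warning and the lock are driven by the same counter.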
Error and Success Feedback
Error and success states were redesigned to feel clear, consistent, and supportive, removing ambiguity at moments where users are most vulnerable to confusion. Errors are now surfaced inline, directly beneath the input, making it immediately obvious what went wrong without forcing users to search for feedback.
Design Rationale
Place error messages inline, directly beneath the input for immediate visibility
Use calm, human language in error messages and headings to avoid blame and provide clear instruction
Use supportive iconography to visually signal blockers while maintaining trust
Provide a clear recovery path with a back action or alternative method
UX Psychology Applied
Error Recovery & Cognitive Clarity:
Inline feedback reduces search and confusion, helping users quickly understand and correct mistakes without breaking flow.
New Project Potential Unlocked
This work opened up a series of opportunities beyond the initial MFA uplift, demonstrating how targeted UX improvements can scale across systems and teams.
Design System Integration
The outcomes created a strong foundation for integrating the Aged Care Design System, aligning patterns, language, and components across the experience to drive consistency and long-term maintainability. This task could take up to 3 months ensuring platform and product compliance.
Further Testing & Iteration
A second round of user testing was unlocked to validate improvements, refine UX copy, and iterate on flows with greater confidence, ensuring the system continues to improve based on real user behaviour.
Bolstering HCD Capability
The work showcased what a designer operating within HCD can deliver, shifting perception from interface design to system-level thinking. It highlighted the value of research-led design in shaping compliance-driven products and influencing how the wider department approaches digital experiences.
06. Closing
The lessons
Ultimately, this work reinforced that improving complex systems isn’t about reinventing them, but about making them understandable. While the MFA system was already functional and secure, the real opportunity sat in how it communicated, guided, and supported users through critical moments. Small shifts in language, structure, and feedback had an outsized impact on confidence and completion.
Winning Moments
Running a focused discovery sprint combining usability testing and heuristic evaluation allowed me to quickly uncover real behavioural patterns and translate them into actionable design decisions.
Working within a tightly constrained environment sharpened my ability to design solutions that respect technical and policy limitations while still improving the experience meaningfully.
This project highlighted that in security contexts, clarity is trust. Every decision, from copy to feedback states, directly influenced whether users felt confident or uncertain.
Lessons Learned
Inconsistencies in language and patterns compound across flows, so solving them requires system-level thinking rather than isolated fixes.
The most important moments in MFA are when things go wrong. Investing in error, recovery, and lock states has the biggest impact on user trust.
Everyone dislikes extra steps