It’s fine to protect customers from illicit activity, as long as you don’t end up protecting them from themselves, and creating lots of unwanted friction in their workflows.
I’ve been dealing with the customer support of PayPal Germany today, as I was experiencing problems logging in to my account, and I had urgency to do that for tax declaration purposes. I currently find myself abroad in Japan, using a different machine than the one I normally use, with a brand-new version of Mac OS installed on it. The new setup apparently triggered a security system mechanism, and I was required to submit a code that was sent to me via SMS, via the so-called two-factors authentication. My phone was initially switched off, and it took a few minutes to receive the SMSs; meanwhile, I submit multiple times the request to send me a new SMS. As a result, my account was blocked after a few minutes and I could not login anymore, even if the password was correct, with the code received five minutes later via SMS. This should not happen in the first place. Security measures are fine, as far as they are not going to create unnecessary friction. It is not the first time that I find myself trapped in such a situation while being abroad. I once could not login to my Gmail account because the SIM card I just bought required a PIN code and I did not have it handy. Sometimes ATM machines fail to work because of security reasons, and that’a a good reason why you should never travel abroad with just one credit card. Nevertheless, the fact that I am abroad shouldn’t be considered such an anomaly these days, and using a different device also doesn’t justify my PayPal account becoming unaccessible, with no information on how to resolve the issue, other than call the customer support. That was the only solution, since the call to action labelled “I am having difficulties to login” had the only effect of throwing me through a useless captcha loop, with no useful feedback given at any time. After almost 30 min doing my best to explain the situation to the customer support (German speaking only), the person I was talking to told me that he could not help me unblock my account, and he kept repeating that without a German IP address, I would not be able to login again; I should maybe try again later, but he was not able to tell me how many hours I should way, before making another attempt. I finally managed to solve the problem by calling again and talking to another person; I went through a verification process and I could finally login again. The second customer support representative did not do anything else then guiding me through links that were available on the PayPal website, but were not easily accessible at the time when they would be mostly needed. Should that be the case, it would have saved an hour of my time.
As a UX designer, this leads me to think that things like this happen when digital interfaces are implemented without a detailed map of workflows and user journeys being taken into consideration. I don’t know if that’s the case at PayPal, but as a matter of fact, all the major prototyping tools that are mostly used today offer no valid tools for creating user flows, with the exception of Axure RP. Axure has sadly fallen out of fashion at the time of writing, for a number of reasons that have to do with their incapability or decision not to adapt to market changes. That is one reason but another one is certainly the fact that many designers who call themselves UX actually come from a graphic design background, and are not aware of the reasons why flow diagrams are so essential.
This is the complaint that I’ve passed on to the PayPal customer support team:
“1) The security measures are too strict and also stupid, the only effect in this case was me wasting almost an hour of my time. Try to imagine if every accounting service did the same to let me login. I had a similar issue with Stripe and all I had to do was reply to a confirmation email. With PayPal, I had to make two phone calls. A more efficient system should be in place. You should also not assume that something is wrong just because I am using a new device. Passwords exist for a reason. I keep my password safe. Some people use weak passwords, but that’s their problem, they should know what happens when you don’t choose safe passwords.
2) Employees at customer support centres should not be incompetent people. Customer support for cases like mine should also work 24/7 (luckily the +8 hours time zone difference was not a big deal in this case, I only had to wait half an hour, but it could have been worst).
3) Both the security questions and the password strength indicator are not safe at all. Your user experience designers seem to ignore that asking pre-set questions is a poor method, as those questions don’t always fit a person’s story and memories; user-defined questions could be used, instead. You also don’t seem to acknowledge that in order to make passwords safe, you should not ask to add numbers or special characters, that doesn’t necessarily make passwords safe. A long password made of letters-only can be much safer than a short one made of alpha-numeric characters. Do we still have to share with you the horse-battery-staple article? I thought that should be a given nowadays, at least among developers”.
A few more considerations.
PayPal does offer the tools to get out of a situation like this. The fact is, nobody has sat down to define what would be the best user interface to guide the users through a resolution, in a situation like this. If they did, this would not happen. I understand a service like PayPal must be overwhelmingly complex to maintain, but I also presume that they have a fully-fledged team of UX experts available. This leads me to one of the most frustrating realisations as an independent UX consultant working with many different teams: nobody seems to care about scenarios. User stories are created that are somewhat similar to scenarios, but in today’s agile processes and so-called “continuous improvement”, teams are not focused on the overall picture: delivering a flawless product, making a list of high-priority and medium-priority scenarios, and having UX people double check to make sure that after delivery, those scenarios are all met in detail. Instead, I see a proliferation of project management and scrum-focused roles that do nothing but making sure that the scrum methodology is applied properly, who cares if the end product is mediocre because nobody has been considering usage scenarios and double checked that they are taken into consideration. And of course personas are always available somewhere (as forgotten documents that nobody wants to read), except there’s no scenarios associated to them.
A final note on the obsession for privacy in Europe, where they’ve just come up with the silliest form of regulation that they could possibly conceive, it’s called GDPR. They are all concerned about your privacy and security, companies are threatened to keep their users safe and respect their privacy, even when privacy and security should not be such a big deal. So we end up clicking endlessly to dismiss useless cookies consent banners on every new website that we visit, then dismissing newsletter pop-ups, notifications pop-ups, pop-up chat windows, and whatever. Every time that you login from a different place you get a warning email, and there’s online services that enforce two-factor authentication on their users, without asking them. I mean, what the hell!