Secure login for Paytm: trust is the key
A hackathon that revealed the biggest loophole in a financial wallet
It is 2016 and mobile payments have already disrupted the Indian market; the recent demonetization gave a boost to mobile and internet usage in the lower economic strata (and brought challenges too). The Indian government is encouraging the common man to go digital. But the adoption of mobile payments has a major roadblock: security.
During my year at Paytm (an Indian digital wallet tied to the user's phone number, and through it to the Aadhaar number, India's national UID, for digital transactions and payments) there was a design team hackathon to improve the UI of the login screen. Another UX teammate, Ajay, and I went on to dig deeper into the problem and gathered quick insights from our users.
Our users could be classified as banked, under-banked, and unbanked. In a recent user research study, we spoke to under-banked merchants who had used their Paytm wallet at least once a month.
</gre_replace>
<gr_replace lines="7-10" cat="clarify" orig="1.) The Denial:">
1.) The Denial:
Active Assistance: most of the under-banked said they had a Paytm wallet for marketing and sales reasons and had been assisted by the Paytm sales team. Once an account was set up, they tried to use the app only a few times and were unsuccessful, because they did not know how to proceed and needed active assistance.
2.) The Reveal:
Value: our merchants do not find a wallet valuable because they do not know where to spend their digital money. Lack of knowledge, improper onboarding, customers not paying via wallets, and unawareness that digital money can pay bills and buy commodities through the wallet are a few of the reasons users see no value in keeping one.
3.) The Truth:
Trust: the major barrier to making a financial transaction on mobile is lack of trust in digital wallets, since these users are transacting digitally for the first time. Users who failed to log in to the wallet did not reset their passwords or try to reconnect with their wallets.
Research Insights:
1.) The Denial:
Active Assistance- Most of the underbanked said that they had a Paytm wallet because of marketing and sales reasons and were assisted by Paytm Sales team. Once an account was set up, they only tried to used the app a few times but were unsuccessful because they do not know how to proceed forward and need active assistance.2.) The Reveal:
Value- Our merchants do not find using a wallet valuable as they do not know where to spend their digital money. Lack of knowledge, improper onboarding, customers not paying via wallets, unawareness of using digital money for bills and commodity payments via wallet are few of the reasons that users do not find value in keeping a digital wallet.3.) The Truth:
Trust- The major barrier for making a financial transaction on mobile is the lack of trust in digital wallets as they are using it for the first time. Users who were unsuccessful login-in to the wallet did not reset their passwords or try to reconnect with their wallets.
The digital wallet is not seen as a savings account, so the money in it is not valued by an under-banked user, not even enough to bother logging in. An approachable and simple digital payment flow can help address the perceived lack of trust.
Consumers have not wholeheartedly accepted the payment technology. Widespread adoption of mobile payments can only be achieved when there is trust in the system. We decided to solve for Trust with our proposal.
Creating a system that offers, in the virtual world, a level of security comparable to the real world is a challenge. We proposed a strong authentication mechanism that binds the identity of the user to the authorization of their wallet. Even if a user loses their mobile phone, the authorization to transact does not travel with the device: possession of the phone alone is not enough.
Introducing 3-level authentication
Phone numbers are truly becoming a user's identity. Bank accounts and the Aadhaar number are linked to a person's phone number. Thus it becomes vital for users to be able to secure the account they created with their phone number.
A user opens a Paytm account with their phone number and creates a password. We introduced another P into the authentication, a Pattern, something users already know from Android screen-lock patterns (and, on iOS, from the fingerprint lock).
Our proposal takes into account that users do forget their passwords, and that they should be able to get back into their financial account easily and securely when that happens.
Creating a secure login for first-time users
Users are asked to verify their active phone number via OTP. Thereafter the user creates a password, chooses a pattern, and completes the profile. This is a one-time step the user goes through to ensure maximum security.
As humans, we are forgetful.
Accepting that we are forgetful, one goal of the solution is to simplify account recovery without compromising safety or the identity of the user.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Usecase 1: The user is unable to log in to the app.
User forgets their password, remembers the pattern.
The phone number is the first identifier for the user: an OTP is sent to the phone number, auto-filled, and verified by the system. The second authentication happens when the user is asked to draw their unique pattern. Once both steps are verified the user is logged in and can proceed with the app task. The user is also asked to set a new password. Note that an OTP auto-read on the registered device proves only possession of that device and its SIM; the pattern is the factor a thief who has the phone does not have.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Usecase 2: User is able to log in but unable to make transactions:
User forgets their pattern, remembers the password.
To ensure that the mobile number is not being misused, an OTP is sent to the registered mobile number and the user enters their password again. Once both steps are verified the user is logged in and asked to create a new unique pattern.
Cases 1 and 2 also let users recover their account on a new device with their phone number and either the pattern or the password.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Case 3: User forgets their password and pattern
In this case, the only authentication the user has left is their phone number. To avoid falling back to a single factor, while still giving users the autonomy and simplicity to retrieve their account and their authority to transact, we add a second channel:
Introducing Trusted Contact:
A trusted contact is set up by the user by adding ONE important contact from their contact list. During recovery, an OTP is sent to the user's own phone as before, and a second OTP is sent to the trusted contact; the user has to obtain that OTP from the trusted contact and enter both to retrieve their account. An OTP to the registered phone alone never suffices.
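To make the three recovery paths concrete, here is a small model of the policy they describe, written as an added example for this article; it is not Paytm's code and Paytm's real implementation is not described on this page. It assumes a server-side `OtpService` that issues single-use, short-lived OTPs bound to a phone number and a purpose, stores the password and pattern as salted PBKDF2 hashes, and rate-limits the low-entropy pattern with a failure counter. The OTP lifetime, the lockout threshold, the function and class names, and the phone numbers are all assumptions made for the example. Every path requires two distinct factors, and Case 3 requires both OTPs.

```python
import hashlib
import hmac
import os
import secrets

OTP_TTL_SECONDS = 300      # assumed validity window for an OTP
MAX_PATTERN_FAILURES = 5   # assumed lockout threshold for the low-entropy pattern


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not reveal passwords or patterns."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """Wallet account: the phone number identifies it; password and pattern are stored hashed."""

    def __init__(self, phone: str, password: str, pattern: str, trusted_contact: str):
        self.phone = phone
        self.trusted_contact = trusted_contact   # the ONE contact chosen by the user
        self.pattern_failures = 0
        self.set_password(password)
        self.set_pattern(pattern)

    def set_password(self, password: str) -> None:
        self.password_salt = os.urandom(16)
        self.password_hash = hash_secret(password, self.password_salt)

    def set_pattern(self, pattern: str) -> None:
        self.pattern_salt = os.urandom(16)
        self.pattern_hash = hash_secret(pattern, self.pattern_salt)
        self.pattern_failures = 0


class OtpService:
    """Issues single-use, short-lived OTPs bound to (phone number, purpose)."""

    def __init__(self):
        self._pending = {}   # (phone, purpose) -> (code, expiry time)
        self.outbox = []     # stand-in for the SMS gateway: (phone, code), constructed for the example

    def send(self, phone: str, purpose: str, now: float) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(phone, purpose)] = (code, now + OTP_TTL_SECONDS)
        self.outbox.append((phone, code))

    def verify(self, phone: str, purpose: str, code: str, now: float) -> bool:
        entry = self._pending.pop((phone, purpose), None)   # pop: one attempt, one use
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(expected, code)


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, hash_secret(password, acct.password_salt))


def check_pattern(acct: Account, pattern: str) -> bool:
    """A pattern has far less entropy than a password, so failures are counted and locked out."""
    if acct.pattern_failures >= MAX_PATTERN_FAILURES:
        return False
    ok = hmac.compare_digest(acct.pattern_hash, hash_secret(pattern, acct.pattern_salt))
    acct.pattern_failures = 0 if ok else acct.pattern_failures + 1
    return ok


def recover_forgot_password(acct, otps, now, otp, pattern, new_password) -> bool:
    """Case 1: OTP to the registered phone + pattern, then the password is reset."""
    if not otps.verify(acct.phone, "recover", otp, now) or not check_pattern(acct, pattern):
        return False
    acct.set_password(new_password)
    return True


def recover_forgot_pattern(acct, otps, now, otp, password, new_pattern) -> bool:
    """Case 2: OTP to the registered phone + password, then the pattern is reset."""
    if not otps.verify(acct.phone, "recover", otp, now) or not check_password(acct, password):
        return False
    acct.set_pattern(new_pattern)
    return True


def recover_forgot_both(acct, otps, now, own_otp, contact_otp, new_password, new_pattern) -> bool:
    """Case 3: OTP to the registered phone + OTP relayed by the trusted contact; both secrets reset."""
    own_ok = otps.verify(acct.phone, "recover", own_otp, now)
    contact_ok = otps.verify(acct.trusted_contact, "trusted-contact", contact_otp, now)
    if not (own_ok and contact_ok):
        return False
    acct.set_password(new_password)
    acct.set_pattern(new_pattern)
    return True
```

Two details carry the security weight. `OtpService.verify` pops the pending entry before comparing, so a code is consumed by its first use whether or not it matched, which blocks replay and online guessing of the six digits. And the trusted-contact OTP is bound to a different phone number and a different purpose string, so an OTP captured from the user's own phone cannot be replayed into the Case 3 path.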
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Implementation
The first MVP release implemented a lock screen that reused the device's built-in security settings. The idea was shipped in a week, building the pattern lock feature on top of the Android device lock. This protects the app on that one device only: the device lock credential is never known to Paytm's servers, so the account-level pattern used for recovery on a new device still had to be built separately.