Security Measures: 2 Step Verification in Gain

Cynthia Guzman
5 min read · Oct 12, 2020

Today, content for more than 6,500 brands in 51 countries is managed in Gain.

Our clients deal with a lot of sensitive client data, and it’s our responsibility to keep that data safe and secure. Clients may trust in Gain with their intellectual property, brand reputation, financials, and more, and a security breach could be devastating.

The vision of our company is to simplify content workflows for everyone. So we think a big part of providing you with that ideal experience is not having to worry that your content is at risk. That is why, as part of a group of security measures, we decided to implement 2-step verification (2FA).

How are we going to approach the implementation of this feature? We identified two ways of doing it:

  1. Individual users opt into 2FA on their own — each user decides when to opt in or out of 2FA. This is the simplest one to build, but you can expect adoption to remain very low unless there are constant reminders or some kind of incentive.
  2. Account owners can force all users of their account to use 2FA — this is harder to build, but it gives owners a sense of control, making us a credible enterprise platform.

This option raises another matter to discuss: whether owners of an account can exempt approver-only users from 2FA. Adding 2FA to approvers means they are no longer logging in “without a password” (the second factor effectively becomes a type of password), so we would be giving up the effortless experience approvers have today.

Problem:

  • We don’t want to add an extra login step for approvers.
  • Building the enforcement with exceptions would notably increase the size of the project.
  • We want to offer agencies some control to implement their own security policies.

How did we solve this?

After brainstorming sessions, we landed on a lightweight solution that meets all the jobs we wanted to cover: we will build option 1, but we will show admins/owners which people on their team have set up 2FA. That way we stay within the time and cost of the project, yet we give agencies the control to enforce 2FA in their own way if they need to.

The actual steps to set up 2FA are pretty straightforward for both of the available methods, but before deciding which one to use, Product had some questions to answer:

  • How do we encourage the user to set it up?
  • How do we make this complicated process as easy to understand as possible?
  • Should we stick with only one method (SMS / authenticator app)?
  • Which method is best? Convenience and security don’t go together: the more secure a method is, the more effort it takes the user to set it up.
  • Should we stick with only one authenticator app, so that we can walk users through it better?

Decisions:

We will present the setup steps in a full-page wizard, built on an existing library, because doing it in a modal would require an iframe, and that solution is not optimal for us.

The most intuitive place for a user to access this feature is the Profile section, which we also renamed “Personal Settings”.

Some protection is better than none: we will guide the user through the text message (SMS) method, which is the faster path for users, and offer the authenticator app as a secondary option.

Gain will pair with Authy as the app we suggest, so that we have better control over the instructional support documents (following the Basecamp and Stripe approach).
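As an added illustration (not Gain’s own code) of what the authenticator-app method relies on: Authy and similar apps compute time-based one-time codes per RFC 6238 from a shared secret, and the server checks the submitted code with a small clock-drift window, a constant-time compare, and replay protection. The issuer name and account are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def new_secret() -> bytes:
    """Random 20-byte seed, generated once per user at enrollment."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Gain") -> str:
    """otpauth:// URI that authenticator apps (Authy and others) import via QR code.
    The issuer label is a placeholder for the product's real name."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second window containing Unix timestamp `at`."""
    counter = struct.pack(">Q", at // step)          # HOTP moving factor
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30):
    """Return (ok, counter). Accepts one step of clock drift either way,
    compares in constant time, and refuses any window at or before the
    last accepted one, so a code that was already used cannot be replayed."""
    code = code.strip()
    if not code.isdigit():
        return False, last_counter
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t < 0:
            continue
        counter = t // step
        if counter <= last_counter:               # already consumed
            continue
        if hmac.compare_digest(totp(secret, t, step), code):
            return True, counter                  # caller stores the new counter
    return False, last_counter
```

The caller persists the returned counter per user; the SMS method replaces the shared-secret step with a code delivered out of band, but the verify-once rule applies just the same.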

Setting up 2FA from Profile

Elements of Design:

  • The current profile page is outdated: it doesn’t use our Design System, and it is presented in a modal that does not offer the stability we need to add this new feature, because it was built with a technology that is no longer supported.
  • For consistency, the wizard steps for setting up 2FA will be designed and implemented with the Wizard layout used elsewhere in the product.
  • Design an indicator, shown on the People page to Admins and Owners, to distinguish people who have 2FA turned on.

Profile Modal

Sketch of Page View Types

For this project, it was essential to present every step with informational support. When we present the feature on the Personal Settings page, we reserve space for a brief explanation of the benefits of having 2FA set up. From that point on, we describe beforehand what is going to happen and how it is going to work, which also eases the frustration of people at their next login, since they have added an extra step to it.

Invest in informational support step by step

Another decision worth highlighting: most web products that mention a mobile app present the Apple / Google app store button, but in our case, since setup is not going to be available on mobile, that button becomes useless. Instead, we present an illustration showing where to find the app on their phones.

Illustration showing where to find the app on users’ phones

We used the indicator element from our Design System to show both the user and admins when 2 Step Verification is active. We also managed to show the method used, so you get a quick status report at a glance.

Indicator in Personal Settings page of a user and in Admins/Owners People’s page
