It took ~20 minutes just to log in to my TaxAct account, the same amount of time it took me to file my entire return with a competitor.
Reviewed and documented the complete authentication experience for TaxAct. Proposed my insights and recommendations to management.
Unfortunately, management chose not to invest in the authentication space since they had already done so six months earlier.
Objectives
Findings
Documented the current experience of account creation, sign in and forgot password.

Documented TaxAct's login flow
Creating an account before verifying email (email is the unique identifier)

TaxAct violates AAL2 security standards by creating an account before verifying email ownership
Saying a code was sent to your phone when nothing was sent
- Violates AAL (Authentication Assurance Level) requirements, message integrity and anti-enumeration protections

On the last page it says a code was sent to your phone when nothing was sent
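The two findings above (an account row written before the email is proven, and a "code sent" message shown when no code went out) both come down to ordering and honesty in the sign-up flow. The sketch below is an added illustration of the verify-before-create pattern, not TaxAct's code or anything from the project: every name in it is hypothetical, the account and pending-verification stores are in-memory dictionaries, and `send_email` is a stub whose `deliverable` flag stands in for a real transport success or failure.

```python
"""Verify-before-create sign-up flow (constructed example, not TaxAct's code).

Shows three properties the findings above call for:
  * no account exists until the email address is proven by confirming a code;
  * the response to "start sign-up" is identical whether or not the address is
    already registered, so the endpoint cannot be used to enumerate accounts;
  * the UI only claims "a code was sent" when delivery actually succeeded.
All storage is in-memory and the mail sender is a stub (assumptions).
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5

# Constructed state: one pre-existing account so the enumeration case is exercised.
accounts: dict[str, dict] = {"existing@example.com": {"created": 0.0}}
pending: dict[str, dict] = {}          # email -> {"hash", "expires", "attempts"}
outbox: list[tuple[str, str]] = []     # (recipient, body) captured by the stub sender


def send_email(to: str, body: str, *, deliverable: bool = True) -> bool:
    """Stub transport. Returns True only when the message was actually handed off."""
    if not deliverable:
        return False
    outbox.append((to, body))
    return True


def _hash_code(email: str, code: str) -> str:
    # Bind the code to the address so a code issued for one email cannot be replayed for another.
    return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()


def start_signup(email: str, *, deliverable: bool = True) -> str:
    """Step 1: the caller supplies only an email. No account row is written here."""
    email = email.strip().lower()
    if email in accounts:
        # Already registered: notify the owner, but return the same message as the
        # fresh-signup path so the caller learns nothing about account existence.
        sent = send_email(email, "Someone tried to sign up with this address. "
                                 "If this was you, sign in or reset your password.",
                          deliverable=deliverable)
    else:
        code = f"{secrets.randbelow(10**6):06d}"
        pending[email] = {"hash": _hash_code(email, code),
                          "expires": time.time() + CODE_TTL_SECONDS,
                          "attempts": 0}
        sent = send_email(email, f"Your verification code is {code}",
                          deliverable=deliverable)
    if not sent:
        # Never claim a delivery that did not happen (the "nothing was sent" finding).
        return "We could not send an email to that address right now. Please try again."
    return "If that address can receive email, we sent it a message. Check your inbox."


def confirm_signup(email: str, code: str) -> str:
    """Step 2: the account is created only after the code proves ownership."""
    email = email.strip().lower()
    entry = pending.get(email)
    if entry is None or time.time() > entry["expires"]:
        pending.pop(email, None)
        return "That code is invalid or has expired. Start again to get a new one."
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del pending[email]
        return "Too many attempts. Start again to get a new one."
    if not hmac.compare_digest(entry["hash"], _hash_code(email, code)):
        return "That code is invalid or has expired. Start again to get a new one."
    del pending[email]
    accounts[email] = {"created": time.time()}
    return "Email verified. Your account has been created."
```

The point of the identical success message is that a caller probing `start_signup` with a list of addresses sees the same text for registered and unregistered ones; the only difference lands in the mailbox of the actual owner. Because the account is only written in `confirm_signup`, an unverified or mistyped address never becomes an orphaned account that later blocks the real owner from signing up.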
Customers call in about these issues...
On top of these pain points, when users call in the agent gives further misleading information, as seen below:

Code doesn't show up - rep suggests a different browser and restarting the phone

Code doesn't show up - rep suggests waiting an hour

Code doesn't show up - rep suggests creating a new account
Valid password entered but the user cannot sign in; the page only says 'Sign in error'
- No indication of what's wrong or how to fix the problem

Entered a valid password and tried to change to a new password meeting all requirements but shows an error
Customers call in about these issues...

"It's got to be the system... I definitely feel like it's a site thing though because I've been going through this for days... How do we fix it? I do not want this to happen again. Ever."
- User who called in for 27 minutes and said they had not been able to sign in for days
TaxAct doesn't meet expectations compared to competitors and other financial companies.

TaxAct compared to competitors
TaxAct has 10 fields vs. competitors with 4 or fewer fields when retrieving an account. Every additional field is another opportunity for an error and

TaxAct asks for 10 fields when competitors ask for 4 or fewer.
TurboTax and H&R login flows and notes

Documented competitor screens and flows
Design Objectives
During this phase, I mocked up variations of new screens, focusing on the necessity of each piece of information, the level of security needed and the simplicity of the experience. The final solution was to use email as the unique account identifier and to introduce passkeys so that, eventually, no passwords need to be stored on the servers at all.

Ideation verifying both mobile and email during account creation

Ideation using different security methods and designs

Current experience and Recommended experience

Initial ideations for introducing Passkeys
Final sign on recommendation with Passkeys

Creating an account with no password to remember and no password stored on a server where it could be stolen
Within just six months, there had been so much turnover that the director of product, product manager, and UX designer who had previously worked on account authentication were no longer in place to continue addressing issues. The CEO was reluctant to allocate additional budget to accounts, given recent investments, and the current IT leader did not believe any problems existed. Meanwhile, the customer service team confirmed my findings that account issues were a major driver of support calls. Ultimately, leadership did not view the problems as significant enough to warrant further investment.
Why this didn't work
Takeaways