Following recent security incidents, Cashrewards launched the Security Program of Work with aims to strengthen account protection while maintaining usability. Key priorities included implementing Multi-Factor Authentication (MFA) and making mobile numbers mandatory for all accounts to reduce unauthorised access risks and enhance user trust.
By embedding security within the existing user experience, the initiative strived to balance compliance, fraud prevention, and ease of access, while ensuring security measures supported both users and business operations.
Focus: Security Experience Design
Duration: April - September 2024

Insight
Over 30% of accounts lacked a verified mobile number, leaving the platform exposed to credential stuffing and brute-force attacks; one breach exposed 7,000 members' data.

Key Solutions
Rather than following a traditional step-by-step design process, this initiative required an iterative and collaborative approach, balancing security enhancements with usability, business needs and technical constraints. The following highlights the key design implementations that contributed to the success of the Security Program of Work.
Driving Mobile Adoption for Security
To prepare for the introduction of MFA and strengthen account security, mobile number verification was introduced through a phased rollout. The experience evolved from light-touch notifications to a mandatory full-screen prompt at sign-in. Each phase was designed to balance urgency with flexibility, guiding users through the change while minimising disruption to their shopping journey.
Securing the Sign-up Flow for SSO Accounts
A critical compliance gap in the sign-up flow allowed users registering through Google, Apple, or Facebook to bypass mobile verification. To address this, the flow was redesigned to capture mobile numbers across all SSO entry points. The updated experience balanced platform constraints with a low-friction onboarding process, resulting in higher verification rates and a more secure sign-up journey.
Introducing MFA for Sensitive Features
Access to sensitive features, including password resets and stored gift cards, was previously secured through email-only verification. To reduce risk, SMS-based MFA was added to high-risk actions using a modular OTP flow. The design aligned with user expectations by placing verification at natural friction points, improving account recovery success while supporting platform-wide consistency.

Establishing a Unified Error System
Inconsistent error messaging made it difficult for users to understand issues and slowed down support resolution. A streamlined error code system was introduced to improve clarity while protecting sensitive information. Codes were integrated into existing UI patterns to maintain a simple, secure experience across the platform.
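The two mechanisms above, SMS-based step-up verification for high-risk actions and opaque error codes that tell the user and the support desk what went wrong without leaking internal state, fit naturally together. The following is an added illustration, not Cashrewards code and not the design described in the case study: it assumes an in-memory challenge store, a simulated SMS sender, a five-minute code lifetime, a five-attempt lockout and the `AUTH-1xx` code names, all of which are constructed for the example.

```python
"""Step-up SMS OTP gating sensitive actions, returning opaque error codes.

Constructed example. Assumes an in-memory store and a simulated SMS sender;
a real deployment would use a persistent store and an SMS provider.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed policy: wrong guesses before the challenge locks
SERVER_SECRET = b"example-server-secret"  # constructed; load from a secret store in practice

# Stable, opaque codes for the UI and the support desk (names are constructed).
# They identify the failure class without revealing timestamps or remaining attempts.
ERROR_CODES = {
    "no_challenge": "AUTH-101",
    "expired": "AUTH-102",
    "wrong_code": "AUTH-103",
    "locked": "AUTH-104",
}

SENT_MESSAGES = []  # simulated SMS outbox


def simulated_send_sms(mobile, message):
    """Stand-in for an SMS provider: records the message instead of sending it."""
    SENT_MESSAGES.append((mobile, message))


@dataclass
class Challenge:
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    locked: bool = False


class StepUpAuth:
    """Issues and verifies one-time codes bound to a specific user and action."""

    def __init__(self, send_sms=simulated_send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(mobile, message)
        self._clock = clock         # injectable so expiry can be tested deterministically
        self._challenges = {}       # (user_id, action) -> Challenge

    @staticmethod
    def _hash(user_id, action, code):
        # Keyed hash bound to user and action: a code issued for a password reset
        # cannot be replayed against gift-card access, and the store never holds plaintext.
        msg = f"{user_id}|{action}|{code}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

    def issue(self, user_id, action, mobile):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded six digits
        self._challenges[(user_id, action)] = Challenge(
            code_hash=self._hash(user_id, action, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._send_sms(mobile, f"Your verification code is {code}. It expires in 5 minutes.")

    def verify(self, user_id, action, submitted):
        """Return (True, None) on success, otherwise (False, error_code)."""
        key = (user_id, action)
        ch = self._challenges.get(key)
        if ch is None:
            return False, ERROR_CODES["no_challenge"]
        if ch.locked:
            return False, ERROR_CODES["locked"]
        if self._clock() > ch.expires_at:
            del self._challenges[key]
            return False, ERROR_CODES["expired"]
        ch.attempts += 1
        if hmac.compare_digest(ch.code_hash, self._hash(user_id, action, submitted)):
            del self._challenges[key]  # single use: a verified code cannot be replayed
            return True, None
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True
            return False, ERROR_CODES["locked"]
        return False, ERROR_CODES["wrong_code"]


if __name__ == "__main__":
    auth = StepUpAuth()
    auth.issue("member-42", "reset_password", "+61400000000")  # constructed values
    print("simulated SMS:", SENT_MESSAGES[-1][1])
    print("wrong guess ->", auth.verify("member-42", "reset_password", "000000"))
```

The user-facing message for `AUTH-103` and `AUTH-104` can be the same neutral wording; the code is what lets support look up the failure class without the screen revealing how many attempts remain.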

Key Metrics & Impact
📱 65% of users linked a mobile number, enabling the rollout of MFA and strengthening account security
📉 ~20–30% drop in account access-related tickets, reducing support load post-launch
✅ 94.6% verification rate across SSO sign-ups, closing a major compliance gap
🔁 MFA added to password resets and gift card access, improving protection for high-risk actions
🧩 Modular flows supported phased rollout across platforms, balancing security and usability
Strong security shouldn’t come at the cost of user experience.
A key challenge was striking the right balance between strengthening security and maintaining a seamless user experience. With new features introducing friction, even in small ways, my focus was on minimising disruption while guiding users with clarity. By rolling out designs in phases and layering in contextual education, we supported user adoption without overwhelming users.