Industry
B2B SaaS
Client
iThemes Security
Role
Sole Product Designer, End-to-End Design
Passkeys Security - Early Adoption
30%
Reduction in login recovery emails
65%
Reduction in login time
x2
Doubled login success rate compared to the password model.
📝 Project Introduction
Our user base, primarily agencies, developers, and power users managing multiple client sites, faced a pervasive, costly security problem: the password itself.
Users and their clients were forced to use passwords every time they logged into their WordPress sites, leading to increased anxiety over potential breaches. The resulting poor password hygiene generated a corresponding business problem: a spike in brute-force attacks and late-night sessions for our experienced users, who had to unblock authorized clients locked out when their own forgotten passwords triggered our existing security features.
We recognized that the underlying issue was not just a lack of security features, but a critical friction point in the login process. To address this support burden and security exposure, our challenge was to integrate Passkeys, a novel security technology, into our plugin ecosystem quickly and intuitively.
Goal
The primary objective was to launch Passkeys as an early industry adopter to differentiate our product, iThemes Security, from competitors.
Results
Reduced login time by 65%.
Improved login security for our clients.
First to launch passkeys in the WordPress security industry.
Doubled login success rate.
30% drop in login recovery emails.
😁 My Role
Sole UX/UI Product Designer; owned and led the end-to-end feature launch.
Project Type
B2B SaaS Feature, Cyber Security Feature
Team Size
3 Engineers, a Project Manager, Myself (Sole Product Designer)
Tools
Figma, Maze Testing, Zoom
Context & Business Challenge
The Problem
Our users and their own user bases were forced to use their passwords every time they logged in to their WP sites. Users also experienced regular phishing and brute-force attacks due to the existing password model. This all led to increased anxiety around stolen and forgotten passwords, which in turn led to more password reset emails on our infrastructure and increased effort from our users to set new passwords.
Initial Ambiguity
We did not yet know what interacting with the new Passkeys technology looked like. No other company in WP Security had adopted it, and large companies like Microsoft and Google had not yet launched their own Passkey features.
Defining Success Early
We decided to measure success by using qualitative interviews to understand how much quicker and easier Passkeys made logging in. We also decided to review our own infrastructure for password resets and support tickets related to security breaches stemming from phishing or brute-force attacks.
Discovery & Research (Unearthing the Opportunity)
Our Initial Hypothesis
My initial understanding of the problem mainly focused on login effectiveness. As a Security plugin, we consistently advised users to reset passwords regularly, but we often struggled to get them to follow through with that best practice. When I first discussed the idea of introducing passkeys with my Lead Developer, who was already familiar with the technology and highly supportive of it, and our Project Manager (we did not have a product owner at the time), I presented Passkeys as a solution to the recurring password reset issues our users faced.
User Research
We decided to skip extensive user research to prioritize speed to market. Our goal was to be the first WP Security plugin to introduce Passkeys. However, we still wanted to validate our assumptions and explore other ways Passkeys could benefit our users and their clients. So, we met with only five current users, discussed login security with our support team, and held additional collaboration sessions with our Lead Developer, who had a strong understanding of the subject.
I sourced a handful of users through our email list. I included a preliminary survey to ensure we were getting experienced users, since we wanted to dive deeper than the obvious improvements to login time on task. What we found validated our assumptions and made the possibility of launching Passkeys a reality for our roadmap.
Sourcing for User Interviews
I met with experienced users who mostly used our security plugin on their own sites and their clients’ sites. We met with them to better understand how their day-to-day operations were affected by login issues, both on their own site and for their clients.
Key Findings
All the experienced users I met shared a common issue. They also struggled to get their clients to reset passwords regularly, which led to late-night sessions unblocking authorized users solely because of password problems and interactions with our security features, like brute-force protection and the blocked users list. We only realized this after meeting with users and noticing a similar pattern in support tickets.
We also noticed that users didn’t use the existing two-factor feature as much as we had hoped. Only two of five users used the two-factor authentication feature, leading us to assume their clients were not using it either.
We measured how long users took to log in to their sites. Users who had their passwords saved in a password manager logged in very quickly without delay, but users who did not have a password manager took on average 25-30 seconds to log in.