😣 Help: No one uses this cool thing 😎 we built (Part I of II)
It took a village and was a total flop.
These days you can pretty much be out for a whole day, grab a meal 🍴 and make various purchases with just your phone 📱; and if you have a smart lock at home, you don’t even need keys! It can be hard to imagine how we once all lived with 2-3 hard token devices for banking, work and other modern conveniences. I’m barely dating myself here, because these facts of life aren’t ancient history 🗿. Merely 10-12 years ago, hard OTP tokens were pretty commonplace.
A quick aside: My entry into product management was a lucky coincidence. 🍀 I happened to be in the right place at the right time. I didn’t have to try super hard 🤼 like folks do these days. I get asked ‘How did you get into product?’ a lot, and I feel my response always leaves something to be desired…
Back in 2014, the first product I managed was the JPMorgan Markets ‘one stop shop’ platform. Institutional clients of the Markets business (think banks, fund managers, investors, traders) could access research, place orders & trade, and perform post-trade settlement & reconciliation, all within a single platform 🖥️. Now the problem was that financial regulations were (and still are) behind the consumer tech curve, so to get our platform approved in international markets we had to work really hard to 🧑‍🏫 educate and influence many regulatory bodies.
Case in point: the Hong Kong Monetary Authority considered our platform to be in scope of e-banking regulations, even though these regulations were written with retail banking in mind, with the intention of protecting mum & dad consumers 👪. Check out their Tech Risk Management regulatory circulars. In 2014 we had to work with rules published back in 2003 🤦‍♀️. For reference, the 1st-gen iPhone was released in 2007, and look how rapidly the world changed from that point.
Under the HKMA regulations, our client users were permitted to use just a username & password (the first factor of authentication, or ‘1FA’) to consume non-transactional content, eg. equity research reports, as these were not considered ‘high-risk transactions’. The HKMA deemed all financial markets trading activities (eg. FX, commodities) ‘high-risk transactions’, permissible only with 2FA in place.
Let’s take a look at what 2FA requirements mean, in layperson terms…
Thanks to Twilio Authy, which gives a nice explanation here of what the factors could be (and these map neatly to the HKMA’s viewpoint):
Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern - This is typically your 1st FA, so you need another FA from one of the other two buckets… 🤔
Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token - There you have it, blame this one for the weight on your keyring. 🫠
Something you are: This category is a little more advanced, and might include the biometric pattern of a fingerprint, an iris scan, or a voice print - While obvious these days, back then this was sci-fi 🧪 to most people.
Remember, back then everyone used and hated 🤮 hard tokens as the 2nd FA, and there weren’t many accepted alternatives in the market that were any less loathed. It was also before soft tokens and email/ SMS OTPs became common. In fact, our hard token onboarding and login flows were so full of friction in order to comply that they were the no. 1 client complaint - Clients couldn’t onboard; it was so hard they gave up half way; or it was too painful to log in on a day-to-day basis. As any customer-centric product team would, we took that to heart 💜 and threw everything at it to find a solution.
Some further context… Bear with me for the constant iPhone references. As I look back, our product decisions were underpinned 📍 by the consumer tech available at the time, and iPhones certainly led the way and dominated our user base, hence their relevance.
iPhone debut timeline:
We had to solve 2FA elegantly when:
The front camera resolution was 480p VGA, ie. 640×480 (Today’s iPhone 14 front camera shoots 1080p and above; 1080p alone, at 1920×1080, has roughly 6.75 times the pixel count of 640×480.)
Touch ID barely existed and Face ID did not, not even as a concept for most people
Our quest to be rid of the hard tokens took us deep into the weeds of soft tokens, which were not approved ⛔ by regulators. We embraced the challenge and started working with a tiny Barcelona-based start-up 🐣 which pioneered facial recognition authentication. We argued that 1) the user’s mobile phone was the ‘something you have’; and 2) their face was the ‘something you are’. The two together were our password-less 2FA.
This was truly innovative, outside-the-box thinking; way ahead of its time. It being a shiny new object 💎 helped obtain leadership buy-in and get it through the tedious internal approval gates. Also, I don’t want to overlook the fact that JPMorgan was a place flush with money, so resourcing was abundant and available.
We did the right thing by engaging early with regulators, who… let’s just say brought a healthy dose of scepticism 🧐. We collaborated closely to build a solution that addressed security concerns, including what would happen if someone had a twin, or if a video of a face was played back instead of a live face being present. For months, we wordsmithed the best way to explain ‘fuzzy matches’ and the underlying tech.
After numerous rounds of back and forth, and a whole year later 🕰️, we finally got the authentication method approved by the HKMA 🍾. (I should qualify ‘approved’ here. For those inexperienced in dealing with regulators, they never actually say ‘Approved, go ahead’. ‘No objection’ is as far as one would get, albeit a pretty subdued response.) We geared up to launch 🎇 an industry-first password-less onboarding and login experience for an e-banking app. Marketing rolled out the red carpet, ready for the whole shebang.
BAM 🥁 - Off we go with this cutting edge innovation 🚀.
Except… beyond the curious few, barely anyone used our sexy, futuristic facial recognition flow!!! 💀
😜 Stay tuned for Part 2 as I dissect the reasons behind this major flop and lessons learnt from it.
ps. There’s not one day that goes by without me feeling grateful 🙏 that I ‘fell’ into this intricate problem space from day 1 in my PM career. Mistakes are inevitable and better early than late, as long as you learn from them.