Sky

How to make a worse experience better

Adding a feature that adds more friction to a journey is not something that a designer particularly relishes doing. It’s not glamorous. It’s not exciting and it kind of goes against our DNA. Sky needed to introduce SMS multi-factor authentication to their Yahoo-powered email service and later their account management journey to bring security up to standard. Let’s face it, nobody likes being told to enter an SMS code before they do a task so it was a task of making a bad experience the least bad it could be. (This is how you know AI didn’t write this!)

My role

I was the sole product designer and researcher on the first stages of this project, integration with Sky Yahoo Mail. I later got some UI support from the Sky Design team when the MFA solution was integrated into the account section of the website and app as it was owned by different stakeholders.

Phase 1 - Multi-factor authentication for Sky/Yahoo email

When it came to MFA for Sky Yahoo Email boxes we were faced with several challenges. The inboxes were first introduced a long while ago in order to accommodate users that didn’t have an email already as Sky required one for communications. Even so, there were over 500,000 regular users and many more that had mailboxes that could still be accessed. As it was a legacy product, it was a perfect place to start with our MFA solution. Obviously with the added bonus of increased security.

SMS MFA is obviously a common thing and has been for the past few years but we were dealing with a relatively old age demographic (estimated 60% over 55 although the data was...murky) so we were keen to make things as simple as possible and test with the appropriate users. The happy path was a simple journey but where things got complicated was the unhappy paths where a user can’t access their phone to receive their code. We needed a way that users could recover their accounts if this happened. It was a bit of an edge case and unfortunately we couldn’t predict how many users would actually need this feature but it needed addressing.

We had 3 options

  • Allow the user to add a backup email address so they could recover their code
  • Allow the user to add a backup phone number
  • Generate a recovery code which the user is prompted to keep safe in case it was needed
  • And the backup to the backup: Recover from account details (postcode, account number etc.)

We decided to test a few versions with users and ask them a few questions while we were at it about their familiarity with MFA, their comfort with using it and a few other questions. We had to settle on unmoderated remote testing using a prototype I built using Axure RP to utilise live text fields to give a realistic experience. Errors were also coded into the prototype to provide accurate feedback. We used Userbrain as we needed quick sign off on budget and getting sign off for a licence for anything more costly isn’t easy or quick in a big corporation. It proved to be a pretty good option for the kind of quick feedback we needed.

We established a few things from the results:

  • Users were all pretty familiar with both Email and SMS MFA
  • Users were very likely to have more than one email address
  • Users rarely change their phone number which meant that losing access to their device was probably unlikely

Optional alternative email recovery along with a recovery code as a backup was the way we decided to go. As a fallback if neither one of those options could be used in the case of a user not being able to receive an SMS, the user could contact support, where a series of security checks could disable MFA temporarily.

Unfortunately, alternative email recovery was taken off the table due to back-end related issues but it was felt that the risk was low enough for just a recovery code to be a viable solution for recovery.

SMS MFA was launched to Sky Yahoo Email initially to 10% of the users. They were prompted to enrol on their next sign in. No issues were detected so it was rolled out gradually, eventually reaching 100% of the customer base.

Phase 2 - Multi-factor authentication for Sky/Yahoo email

After the success, or at least low impact, of the email rollout, it was time to turn our attention to the Sky website and My Sky app. With around 13 million customers in the UK alone we had to be very careful about introducing a new friction point in any journey.

There were many conversations floating about as to where MFA was needed on the site. Security people had their ideas, product people had theirs. Marketing people didn’t want it at all! Of course, it wasn’t up to me to make the decision but I backed the idea of only using it where a high-risk journey was made, within the ‘My Details’ area of the website and app where all of the account details are kept (email, phone, billing details etc.). If a user made a change to these, we would ask them to enter an SMS code which would be sent to either a mobile number we had on record or one that they provided.

This was the solution that won out in the end. There were some unique exception journeys that we had to cover before we could settle on the final UX and I worked in tandem with the direct communication UX team (they dealt with internal software that call centre agents use) to ensure that we had all bases covered and the user could recover accounts successfully and update details using both channels.

Some basic usability testing took place. Unfortunately not as much as was really required but at least we had some qualitative feedback which backed up our decisions. I collaborated with the Sky Digital Design Team to refine the UI and copy until we had a solution that was ready. After many delays, it was finally launched in early 2025, again to 10% of users, eventually and gradually ramping up to 100%.