Tuesday, April 1, 2025

04:35:01

Optimize revenue through Smart OTP

Revamping the Smart OTP initiatives to reduce the monthly SMS cost.

timeline

03 - 07/2023

role

Product Design

platform

iOS, Android

category

Fintech, Digital Bank

According to Vietnam News, in July 2019, several major Vietnamese banks adopted a new transaction authentication method called Smart OTP. Smart OTP is more secure than SMS OTP because it is generated on a dedicated device or app, making it more difficult for hackers to intercept.

It is also more cost-effective for banks because they do not have to pay for SMS messages. As a result, many banks are encouraging their customers to switch to Smart OTP.

Photo: Smart-ID

context

Cake by VPBank is a digital bank that offers a variety of financial services without fees. However, the bank is facing a tight budget due to the economic downturn caused by COVID-19. One of the bank's biggest expenses is SMS OTP, which costs more than 1 billion VND per month.


In addition, Cake's Customer Service department has reported that a number of users are having trouble receiving SMS OTPs. The messages are sometimes not delivered or are delayed by up to two minutes. The main reasons for this are poor network connection and problems with the bank's third-party partner system.


Finally, the current Smart OTP authentication flow does not cover as many edge cases as it could. As you can see below, the flow is quite simple for one that has to prevent cheating and fraud.


smart otp authentication flow - old version

challenge

SMS OTP has been the standard for two-factor authentication for over 10 years. As a result, users are accustomed to receiving OTPs via SMS. Changing this behavior can be challenging.

business perspective

Our data shows that the number of OTP requests in a month is huge. Most of these requests are for fund transfers and onboarding. Fund transfer is the main feature of any bank. Meanwhile, onboarding, as well as the authentication process, is one of the most important steps in the customer journey. Both are critical for detecting fraud and scams.


SMS OTP request (Jan 08 - Feb 08, 2023)

result & impact

After the two main deployment phases described below, we achieved full utilization of Smart OTP by all users for transactions by October 26, 2023.

As a result, the expense of SMS decreased from 1 billion (May 1, 2023) to approximately 550 million (October 1, 2023).

Let's dive into the process

analogous research

To ensure a seamless user experience, we meticulously analyzed the information layout and flow of established digitalized banks in Vietnam, including TPBank, Techcombank, and VPBank.

We also evaluated various international digital banking apps for further insights, for example Liobank. This allowed us to gain insight into how they present information and structure their flow.


Each bank may call it by a different term, but the Smart OTP function is the same across all banks.


Insight #1 - Force new users

At TPBank, users are required to set up Smart OTP (eToken+) during the login process. If the eToken is not turned on, users cannot use any app services.

phone screen: tpbank


Insight #2 - Use login PIN code / Biometric verification

While Liobank uses the login PIN code, Techcombank replaces this authentication step with both login PIN code and biometric verification.

The login PIN code is different from the login password. In the login flow, its function is the same as the biometric login, and it is used in case biometric verification is turned off.

phone screen: liobank


Insight #3 - Charge fee

In comparison to other traditional banks, which primarily operate in rural areas and are not focused on digitalization, this action may seem minor. A quarterly fee will be charged to users who opt for SMS OTP.

Although the fee may seem small to some, it could encourage a significant number of users, particularly those with low incomes or students, to switch to Smart OTP.

user interview

We collaborated with the Customer Service team to gain more insight from end-users and record their feedback. We conducted a focus group interview with 10 active users over the course of 2 days. Their level of engagement ranged from mainstream to extreme users of Cake.


Insight #1 - Borderless access

One of the most significant insights we obtained from users is the international use case. Users appreciate the convenience of being able to pay bills or transfer money in Vietnam while being abroad. This is made possible by the fact that we generate the Smart OTP code in-house, rather than relying on a third-party partner such as M**.


Insight #2 - Cognitive load

Regardless of whether users can distinguish between the two methods of obtaining the OTP code or not, they do not see a clear difference in the security aspect of Smart OTP. In fact, they find it more difficult due to the need to remember another PIN code.


As a result, there is no compelling reason for them to switch from their familiar behavior. Additionally, some users feel that receiving their code via SMS - an offline method - is even more secure.


We have found that some users have set up their Smart OTP PIN to be the same as their Card PIN as a way to reduce the need for memorization.


Insight #3 - Speed

The last insight about using Smart OTP is that some users have reported faster transactions. In certain situations, they no longer need to pause for biometric verification.

solution - phase 1

Based on the insights collected from our research and the business and technical views above, we did a quick brainstorm to map out some opportunities and edge cases that we had not covered yet.


our drafts for different scenarios and entry points


Since we do not have a login PIN code or biometric verification for flow authentication yet, we are sticking with forcing Smart OTP as much as possible, while keeping the flow as unobtrusive and uninterrupted as we can.

After discussing with the business and risk/legal departments, we did a grooming session with the development team to finalize the solutions and implementation.


solution - phase 2

Retrospecting on data

After phase 1 went to production on April 13th, we tracked the data and discovered some more insights about the flow "Suggest set up sOTP in the Login flow".



Based on the data above, current users remain hesitant to establish Smart OTP. The conversion rate in the login flow is only 33.37% in the first 2 months. This validates that the users are not willing to take action if it is optional.



Given the successful performance of implementing Smart OTP in the Sign up (Onboarding), we've chosen to force existing users to activate sOTP within the app.


Design

I have outlined a few approaches and evaluated their advantages and disadvantages during a grooming meeting with the development and quality assurance teams. The idea is to limit access to specific features in order to require users to set up Smart OTP.


After discussing with the development team and taking into account technical constraints and the current context, we chose to proceed with option 2, which involves applying force from the beginning.

Nonetheless, recognizing the downsides of option 2, we conducted a thorough analysis of data tracking and decided to implement it only for Fund Transfer and Close Term Deposit flows, due to their high traffic volume. This approach will minimize annoyance and conserve our resources.


Side note, the Fund Transfer flow also includes the Fund Transfer by QR.

learning

Multiple user journeys

It was also interesting to see users' motivations, and how many contexts and use cases triggered them to use the OTP flow, or to break it for fraud.


There are always more edge cases to come

While working with the development team, we got a chance to rethink and change our thinking to a more logical point of view, especially when it comes to edge cases. Also, no matter what the entry points and use cases are, we should try as much as possible to use fixed ordinal steps.


Iteration is always on the go

Because we were not able to cover all the edge cases in advance, we still have to continuously update the flow for edge cases while implementing.

End of story

Much appreciated and hope to see you in the others
