Security Feature to Prevent Account Takeovers

Overview

Mengantar is a logistics platform designed to provide online sellers, businesses, and individual senders with a seamless and data-driven shipping experience. We faced a rising number of account takeovers (ATOs), putting users at risk.

Role

Product Designer

Industry

B2B Logistics

Background

At Mengantar, we faced a growing problem: users were losing control of their accounts. Reports from Customer Support (CS) were piling up—users were frustrated, confused, and in some cases, completely locked out.

As the Product Designer, I knew that security isn’t just a backend concern; it’s a user experience problem. If users don’t feel safe, they won’t trust our platform. And if they don’t trust our platform, they won’t use it.

Understanding the Problem from Multiple Angles

Instead of jumping straight into solutions, I first immersed myself in the problem using multiple research methods.

Analyzing User Complaints & Support Tickets

I worked with the CS team to categorize user complaints. A clear pattern emerged:

  • Users weren’t aware of logins from unknown devices.

  • Users lost control of their accounts before they could act.

  • Phishing & weak passwords were common attack methods.

Reviewing The Data

I collaborated with the PM team to analyze suspicious login activity. Here’s what stood out:

  • Many takeovers happened from new devices & locations

  • Attackers often changed email & phone numbers immediately

  • Some logins came from IP addresses flagged as high-risk

This data validated what users were experiencing: accounts were being accessed from new devices without their knowledge.

Defining the Problem Clearly

With all this data, I reframed the problem in a way that led to actionable solutions:

"Users feel unsafe because they don’t know when someone else logs into their account. They need a way to see, verify, and control their logins in real time."

This helped me focus on both emotional and functional needs:

  • Emotional: Users feel insecure → We need to reassure them.

  • Functional: Users lack visibility → We need to give them awareness & control.

Balancing security and user experience

With a clear problem statement, I started brainstorming solutions using HMW (How Might We) questions. To create impactful HMW questions, I broke down the problem into three key themes:


For each HMW question, I conducted ideation workshops with other stakeholders, especially developers, as they have more knowledge about what kind of solution would effectively address this security issue. From that brainstorming session, we came up with these solutions.


Why These Solutions?

✔ Low friction → No extra steps unless an unknown device logs in.

✔ Fast & effective → WhatsApp alerts are more visible than emails.

✔ Gives users control → The "Change password" action lets the user lock an intruder out before the takeover is complete.

Implementing the solutions

WhatsApp Login Alerts and "Change password" action

WhatsApp Login Alerts are instant notifications sent via WhatsApp whenever the account is logged into from an unrecognized device. This ensures users immediately know when someone else accesses their account and can act right away.

New Login Detected → If someone logs in from a new device, an alert is sent to the user’s WhatsApp.

Encourage users to utilize our security features with a real-time security check for their account

The Real-Time Security Check is a feature that lets users quickly review their account security status and take action if needed. It gives instant insight into the state of the account and guides users in securing it against potential threats.

The feature gives users personalized recommendations to strengthen their account’s defenses. With this check in place, users get a safer and more reliable experience on our platform.

Design Validation

Although we had already designed it carefully and used the patterns most familiar to our users, we could not stop there. The next step was to make sure the design worked before launching it to the mass market. In this testing, we had three scenarios to validate:

Scenario 1

Do users notice and understand how to access the security check?

Scenario 2

Do users understand what the security check does and why it matters?

Scenario 3

How do users feel about the WhatsApp alert feature? Does it make them feel safer?

Testing Insight

💡 The "AHA" moment

Many users have employees managing shipments, making it tedious to check with them for every alert.

Action to be taken: Add location information to the WhatsApp alert so users can easily identify if it's their employee or not.

Some users found the entry point on the profile page hard to discover.

Action to be taken: Add a persistent shortcut on the homepage and a reminder banner in settings.

Refining the Design After Usability Testing

Add location information to the WhatsApp alert

To enhance account security and help users quickly recognize unauthorized logins, we have added location information to the WhatsApp Login Alerts.

Why is This Important?

🔹 Adds more context – Knowing the device and location makes it easier for users to confirm whether the login was legitimate.

🔹 Enhances trust and security – Users feel reassured knowing they have visibility over their account activity.
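As an added example (not Mengantar's code; the case study does not show its implementation), here is the new-device check and the WhatsApp alert text with device and location context described in the "WhatsApp Login Alerts" and "Add location information" sections, in Python. The GeoIP table, the per-device token, the session store and the phone number are constructed for the example, and the anonymizing-network entry stands in for the high-risk IPs seen in the login data.

```python
"""Added example: new-device login alerting with device + location context.

Hypothetical stand-in for a WhatsApp login-alert flow; not Mengantar's code.
The GeoIP table, device-token scheme and session store are assumptions.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample GeoIP table standing in for a real IP-to-location lookup.
SAMPLE_GEOIP: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("103.10.0.0/16"), "Jakarta, ID"),
    (ipaddress.ip_network("180.250.0.0/16"), "Surabaya, ID"),
    (ipaddress.ip_network("185.220.100.0/22"), "Unknown (anonymizing network)"),
]


def lookup_location(ip: str) -> str:
    """Return a coarse location for the login IP (approximate by nature)."""
    addr = ipaddress.ip_address(ip)
    for net, place in SAMPLE_GEOIP:
        if addr in net:
            return place
    return "Unknown location"


def device_fingerprint(device_token: str, secret: bytes) -> str:
    """Keyed hash of the per-device token, so a leaked trusted-device table
    cannot be replayed to impersonate a trusted device."""
    return hmac.new(secret, device_token.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Account:
    user_id: str
    verified_phone: str  # WhatsApp number verified before any alert is relied on
    trusted_devices: Dict[str, str] = field(default_factory=dict)  # fingerprint -> label
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> fingerprint


@dataclass
class LoginEvent:
    session_id: str
    device_token: str  # random token issued to the device at first login (assumed)
    device_label: str  # e.g. "Chrome on Windows"
    ip: str
    at: str  # ISO-8601 timestamp


@dataclass
class Alert:
    to_phone: str
    text: str


def trust_device(account: Account, device_token: str, label: str, secret: bytes) -> None:
    """Mark a device as trusted after the owner confirms it (e.g. via the security check)."""
    account.trusted_devices[device_fingerprint(device_token, secret)] = label


def evaluate_login(account: Account, event: LoginEvent, secret: bytes) -> Optional[Alert]:
    """Record the session; return a WhatsApp alert only for an unrecognised device."""
    fp = device_fingerprint(event.device_token, secret)
    account.sessions[event.session_id] = fp
    if fp in account.trusted_devices:
        return None  # low friction: known device, no extra step
    # Snapshot the verified number now: the alert must reach the contact that
    # existed before this login, even if the new session changes it later.
    to_phone = account.verified_phone
    text = (
        f"New login to your Mengantar account on {event.at} "
        f"from {event.device_label} near {lookup_location(event.ip)}. "
        "Not you? Open the app and choose 'Change password' to sign out all other devices."
    )
    return Alert(to_phone=to_phone, text=text)


def change_password(account: Account, keep_session: str) -> int:
    """The 'Change password' response: revoke every session except the one the
    owner is acting from, so the intruder's session dies with the old password.
    Returns the number of sessions revoked."""
    revoked = [sid for sid in account.sessions if sid != keep_session]
    for sid in revoked:
        del account.sessions[sid]
    return len(revoked)
```

Two choices in the example matter in practice. The alert is sent to the phone number captured before the suspicious session can act, because the login data showed attackers changing email and phone numbers immediately; a contact change made from an untrusted session must not redirect the alert. The "Change password" response revokes every other session, since otherwise the intruder's existing session survives the password change. IP-based location is approximate and misleading behind VPNs or mobile carriers, which is why the text says "near" and pairs the location with the device label.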

Added a persistent shortcut on the homepage

To make it easier for users to access important security features, we have added a persistent security shortcut directly on the homepage. This ensures users can quickly check their account safety without digging through settings.

Impact

+75.43%: users who verified their phone number and activated a trusted device