Bukalapak PIN

Overview

Bukalapak is one of the most popular e-commerce platforms in Indonesia, connecting millions of users with a wide range of products and services. It focuses on empowering small businesses and local communities through digital tools, making online commerce accessible for everyone.

This project focused on balancing cost-effectiveness with a better user experience, and it prompted an ongoing examination of sustainable authentication alternatives.

Role

Product Designer

Industry

Ecommerce

Background

In mid-2021, Bukalapak introduced passwordless login and registration using SMS-based OTP to simplify onboarding for new users. The initiative exceeded expectations, achieving strong user adoption and positive feedback. Despite this, OTP costs nearly doubled post-launch, posing a significant operational challenge. This was due to the following factors:

Goals

To reduce OTP SMS usage and transition to other more cost-effective alternatives.

So, the Product Management team came to me with a simple idea: ditch SMS for OTPs and just stick with WhatsApp because it’s cheaper. But I wasn’t totally convinced. Sure, WhatsApp costs less, but it’s not perfect—it still charges for OTPs, and there’s a small chance it could fail. Even a tiny error rate means some users might get stuck if WhatsApp goes down or has issues.

Instead of just going with the easy fix, I thought, “Let’s figure this out properly.” I started digging into other options for verification, looking for something that’s not just cheaper but also way more reliable. The goal was to make sure users wouldn’t be stuck relying on just one platform.

Our Current Verification Options Page

Here’s our current OTP page, where we offer only two options: SMS and WhatsApp. However, SMS is more prominently displayed than WhatsApp, which leads to higher usage of SMS compared to WhatsApp.

Root-cause Analysis

Why do some users frequently log in and out of their accounts on the platform?

Account takeover

Users frequently log in and out of their accounts because they fear that if they lose their cell phone, someone else might find it and gain access to their account, which is linked to e-wallets, credit cards, and other sensitive information.

Change Account

We found that many large sellers often employ one or two staff members to help manage their store. Sometimes, these employees need to make personal purchases, requiring them to log out of the app and log back in with their personal accounts.

Exploring other cost-effective verification options.

After some research, I came up with a few solid options.

This recommendation is based on my own research, either from reading articles on several websites or testing the options myself. Here’s what I found:

PIN: Widely adopted, straightforward, and effective. Tested the entire flow (creation and reset) with positive results.

Google Authenticator: Common in crypto apps but complex due to app installation and difficult resets (e.g., KTP, the Indonesian ID card, selfies, liveness checks). Not scalable for most users.

Single Sign-On (SSO): User-friendly but costly (often enterprise-grade). Banking apps use it, with PIN as a fallback for unsupported devices.

Biometric Authentication: Convenient and secure, used by banking apps. Falls back to PIN if biometrics are unsupported.

SMS Link: Easy for less tech-savvy users but costly and unreliable in areas with poor signal.

Implementing PIN as an additional verification option.

After evaluating development feasibility, cost, security, and user experience, PIN was selected as the best solution. It is user-friendly, incurs no per-verification cost, and reduces reliance on expensive SMS OTPs.

This decision was made collaboratively with the team, balancing usability, security, and cost-effectiveness.

PIN Creation Flow

PIN Onboarding

This screen helps users understand why setting up a PIN for their Bukalapak account is a good idea. It’s all about keeping their account safe and making things easy to understand.

The design keeps it simple and clear, breaking down the benefits so users get why a PIN matters without feeling overwhelmed. Straightforward language and a focus on security help users feel confident and ready to take action.

Input PIN

This screen is designed to guide users through creating and confirming their Bukalapak PIN. The goal is to make the process simple, secure, and error-free.

The layout is clean and straightforward, minimizing confusion and ensuring users feel confident while setting up their PIN. By emphasizing accuracy and security, the design helps users create a PIN they can trust, enhancing their overall account safety.

PIN Provision

Inspired by research on memorable and secure PINs, this screen guides users to create a PIN that’s both safe and easy to remember. Key provisions include:

Avoid guessable combinations like "1234" or "0000."

Don’t use birthdates or public numbers (e.g., phone numbers).

Tips for creating a secure yet memorable PIN.

This approach balances security with user convenience, ensuring PINs are strong without being hard to recall.

PIN Usage Flow

This is part of the PIN usage flow, where users enter their PIN for secure transactions or account access. The flow ensures security while guiding users through errors progressively:

1st & 2nd Attempt

Simple error message: "PIN is incorrect. Please try again."

No additional actions, just a prompt to re-enter the PIN.

3rd & 4th Attempt

Error message: "PIN is incorrect. Try again or reset your PIN."

Introduces the option to reset the PIN, guiding users toward recovery.

5th Attempt

System activates a cooldown period, preventing further attempts temporarily.

Message: "Too many failed attempts. Please wait before trying again."

Second-to-Last Attempt

Warns the user: "You have 1 chance left. Be careful!"

Creates urgency while maintaining a supportive tone.

Last Attempt Failed

Locks the account for 24 hours for security.

Message: "Account locked for 1 day due to multiple failed attempts. Reset your PIN to regain access."
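The progressive error handling above is, from a security standpoint, a server-side lockout policy: the attempt counter and the cooldown must live with the stored PIN, not in the app, or an attacker can simply skip the client. The following added example (not Bukalapak's code) models that policy with the thresholds and messages the page gives. The page does not state how long the cooldown lasts or how many attempts follow it, so this example assumes a 5-minute cooldown after the 5th failure, a warning on the 6th and the 24-hour lock on the 7th; the PIN is stored as a salted PBKDF2 hash and compared in constant time. Attempts made while a cooldown or lock is active are refused without being counted, so that they cannot be used to push an account into the 24-hour lock.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds from the flow described on the page.
RESET_HINT_FROM = 3       # 3rd and 4th failures add "reset your PIN"
COOLDOWN_AT = 5           # 5th failure starts a temporary cooldown
WARN_AT = 6               # assumption: first attempt after the cooldown warns
LOCK_AT = 7               # assumption: the attempt after the warning locks
COOLDOWN_SECONDS = 5 * 60  # assumption: the page gives no cooldown length
LOCK_SECONDS = 24 * 3600   # "locked for 1 day"
PBKDF2_ROUNDS = 100_000

MSG_RETRY = "PIN is incorrect. Please try again."
MSG_RESET = "PIN is incorrect. Try again or reset your PIN."
MSG_COOLDOWN = "Too many failed attempts. Please wait before trying again."
MSG_WARN = "You have 1 chance left. Be careful!"
MSG_LOCKED = ("Account locked for 1 day due to multiple failed attempts. "
              "Reset your PIN to regain access.")


def _derive(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PinRecord:
    """Per-account state that must be kept server-side."""
    salt: bytes
    digest: bytes
    failures: int = 0
    blocked_until: float = 0.0  # epoch seconds; covers both cooldown and 24h lock


def create_pin(pin: str) -> PinRecord:
    salt = os.urandom(16)
    return PinRecord(salt=salt, digest=_derive(pin, salt))


def reset_pin(record: PinRecord, new_pin: str) -> None:
    """Called only after the user proved identity another way (e.g. OTP for account recovery)."""
    record.salt = os.urandom(16)
    record.digest = _derive(new_pin, record.salt)
    record.failures = 0
    record.blocked_until = 0.0


def verify_pin(record: PinRecord, pin: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Check a PIN attempt and return (accepted, message to show the user)."""
    now = time.time() if now is None else now
    if now < record.blocked_until:
        # Refuse without counting: blocked attempts must not advance the counter.
        return False, MSG_LOCKED if record.failures >= LOCK_AT else MSG_COOLDOWN
    if hmac.compare_digest(_derive(pin, record.salt), record.digest):
        record.failures = 0
        record.blocked_until = 0.0
        return True, "ok"
    record.failures += 1
    n = record.failures
    if n < RESET_HINT_FROM:
        return False, MSG_RETRY
    if n < COOLDOWN_AT:
        return False, MSG_RESET
    if n == COOLDOWN_AT:
        record.blocked_until = now + COOLDOWN_SECONDS
        return False, MSG_COOLDOWN
    if n < LOCK_AT:
        return False, MSG_WARN
    record.blocked_until = now + LOCK_SECONDS
    return False, MSG_LOCKED


if __name__ == "__main__":
    rec = create_pin("471592")  # constructed sample PIN
    t = 1_700_000_000.0
    for _ in range(7):
        print(verify_pin(rec, "000000", t))
        t += 1
        if rec.blocked_until > t:
            t = rec.blocked_until + 1  # skip past the cooldown in the demo
```

Two operational points follow from the model: the cooldown and lock are time-based fields, so they survive app reinstalls and device changes, and a successful PIN entry resets the counter, so a legitimate user who mistypes twice and then gets it right is never pushed toward the lock.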

So, how does this PIN affect the login and registration flow in reducing SMS OTP costs?

Registration Flow

Here is the registration flow where the user is required to create a PIN immediately after completing the registration process. This ensures that the user has a PIN set up after registration. Later, when they want to log in or perform actions that require verification, they can authenticate themselves using the PIN instead of relying solely on SMS for OTP.

Login Flow

This simplified login flow prioritizes user convenience and cost efficiency by encouraging PIN usage for existing users and minimizing reliance on SMS OTPs. If a user already has a PIN, they are required to use it for login, reducing the need for OTPs. For users without a PIN, the system first checks if they have WhatsApp to deliver the OTP, as it is a cost-effective and faster alternative. Only if WhatsApp is unavailable does the system fall back to sending an OTP via SMS. This approach ensures a smooth user experience while reducing SMS-related costs. Clear error messages and straightforward steps help guide users through the process efficiently.

Impact

Achieved a 72% reduction in OTP SMS costs, saving over IDR 70 million per month. 55% of users created and adopted the PIN system within the first month.

With PIN-based authentication, OTP messages are only used in critical cases (e.g., account recovery or new device login), which significantly reduces the number of SMS messages sent to users.

The reduced reliance on SMS for every login minimizes the overall cost of sending OTPs, while still offering a secure verification method.