Bringing Feature Requests to Life: Duo Push Verification
When I started as a Master of Business Administration (MBA) Product Intern at Duo this summer, I had two goals: learn about product management and make an impact on Duo’s customers and business. For my project, my software engineering counterpart Marcus and I were looking at a feature request from customers to allow admins to send a Duo Push from our Admin Panel. For this blog post, I want to give you a look into the process of bringing that feature request to life.
Starting With the Customer
At Duo, it always begins with the customer. By my second week, Marcus and I were conducting phone interviews with customers, having in-depth conversations about their help desk processes and existing solutions they had in place.
In total, we spoke to over twenty customers of many sizes and industries, and we developed a deeper understanding of the challenges they faced every day: imagine you’re a help desk agent and an end user calls in, verbally identifies themselves, and then asks for a password reset. How do you verify that you are not speaking to a malicious actor?
I also conducted internal research and found that this was a problem that even our own help desk team, Duo Support, faced. We had struggled with a lengthy callback process and, to solve this, we pulled together a solution using our Auth API that allowed us to send a Duo Push to verify a user before continuing the call.
This new feature, called Help Desk Push, is coming soon to the Duo Admin Panel and will be available for all customers on September 28, 2018.
But What’s the Solution?
Once I had a good understanding of the problem, the next step was handing it over to Marcus and one of our product designers, Amy Afonso, to work on a solution. Despite the extensive customer research, there were outstanding questions, like: where should this feature live within the Duo Admin Panel? How do we best log that these events are taking place? We went to the whiteboard to start conducting design sessions in which we grappled with these problems.
In our research, we learned that during high-value events like password resets or sending bypass codes, help desk admins have already received a username or email as an identifier and are thinking in the context of the user. For that reason, we decided to place the feature on the user page in the Duo Admin Panel.
A new Send Duo Push link opens a pop-up that allows you to choose the two-factor authentication device, send a push and receive a response. There are three possible responses: Approved, Denied, and Timed Out. If Duo Support receives anything other than Approved, our policy is to not proceed with the call for security reasons. Finally, for visibility, the result of every push verification is logged as an Administrator Action.
We knew this was the right solution because it solves both problems our customers were facing:
- It’s quicker than lengthy callback procedures and more secure than checking identity via security questions
- Push verification allows help desk admins to help users efficiently, with little friction for the user
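The decision rule described above (proceed only on Approved, log every result) can be sketched as follows; this is an added example, not Duo's code. `send_push` is a hypothetical stand-in for the real push call, and the `Error` outcome and the log field names are constructed for illustration.

```python
import json
from datetime import datetime, timezone
from enum import Enum


class PushResult(Enum):
    APPROVED = "Approved"
    DENIED = "Denied"
    TIMED_OUT = "Timed Out"
    ERROR = "Error"  # added here: transport failure or unrecognized reply


def verify_caller(send_push, admin, username, device, audit_log):
    """Send one push, log the result, return True only on Approved.

    send_push is a hypothetical callable standing in for the real push call.
    """
    try:
        # Exact match only: anything that is not a known outcome is an error.
        outcome = PushResult(send_push(username, device))
    except Exception:
        outcome = PushResult.ERROR  # fail closed: an error is never approval
    # Log every attempt, including failures, before returning the decision.
    audit_log.append(json.dumps({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": "help_desk_push",  # constructed label, not Duo's log format
        "admin": admin,
        "username": username,
        "device": device,
        "result": outcome.value,
    }))
    return outcome is PushResult.APPROVED


def demo():
    """Run constructed replies through the gate; returns (decisions, log)."""
    def broken(username, device):
        raise ConnectionError("push service unreachable")  # constructed failure

    log = []
    senders = [lambda u, d, r=r: r
               for r in ("Approved", "Denied", "Timed Out", "approved", None)]
    senders.append(broken)
    decisions = [verify_caller(s, "agent1", "jdoe", "phone1", log) for s in senders]
    return decisions, log


if __name__ == "__main__":
    for ok, entry in zip(*demo()):
        print("proceed" if ok else "stop   ", entry)
```

Only the exact Approved reply lets the call continue; a miscased reply, an empty reply and a transport error are all logged and treated the same as a denial.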
Building and Testing the Feature
Once we determined a direction, Marcus was able to start the real work of actually building the feature! We tested initial prototypes with real help desk agents to validate our decisions and made changes where necessary. After this iterative process, I’m happy to report that the feature will soon enter beta testing with some of the original customers we interviewed.
Over the course of this project, I got to work with great people and learn a ton about software product management. For my part, I learned that there are many solutions to a given problem, and my goal was to allow engineering and design to creatively iterate while being the voice of the customer when necessary. Closing off a vector for social engineering with this feature will make a real impact for our customers. It solves a problem they deal with every day, which, I learned, is what product management is all about at Duo!