Capital One customers are quietly being protected by a layered authentication system every time they log in. For riskier tasks like wiring money, users are asked to complete a secondary authentication step to prove it's really them.
One of the more secure methods in our toolkit was Interactive OTP (iOTP), a verification flow where instead of an auto-filled code, users were asked to leave the app, go to their messages, and actively confirm their identity. While more secure than standard OTP, it introduced more friction.
The issue with the iOTP flow was that users kept dropping off. They didn't realize they were in a completely different flow, expected the code to auto-populate, and abandoned the flow when it didn't. Low completion by users meant low adoption by Capital One lines of business, meaning Capital One was left more exposed to risk.
Before touching any designs, I dug into the research database to see what relevant information I could find. I learned that users expect a little bit of friction when accessing their money to feel safe. They want to feel that their bank takes protecting their money seriously, but they don't want to slow down unnecessarily either. The goal for Identity services is never to eliminate friction but instead to calibrate it.
Funnel analytics showed that the core failure point was that users didn't realize they had to leave the Capital One app. Since modern OTP had trained people to expect an autofill of the code, I often heard "huh, that's odd" when the code didn't autofill, and the completion rate reflected it.
I designed three distinct flows, each exploring a different intervention:
Adding an explanatory screen before the action
Introducing a modal to interrupt and redirect attention at the critical moment
Revising copy to set expectations earlier in the flow
Each flow was tested with 10 users on UserTesting.com and benchmarked against the original iOTP flow as a control (40 users total). I ran 2 rounds of iteration, refining based on what the data showed and technical feasibility rather than what I assumed would be best.
The winning approach combined three changes:
A modal at the critical moment - rather than a preparatory screen users could skim past, a modal interrupted the flow at the exact point where confusion was highest, forcing a moment of pause.
Revised copy - language that reframed the extra step as a sign of stronger security rather than an inconvenience. The goal was to make users feel like the friction was working for them, not against them. For users moving quickly through the flow, the copy provided a clear signal that iOTP was different from standard OTP.
One text instead of two - a behind-the-scenes optimization that reduced the number of SMS sent per authentication attempt, lowering cost per session without any impact on the user experience. Better UX and lower cost is a win-win!
The redesign projected a 20% improvement in user completion rates based on usability testing data, ahead of the A/B test launch. SMS cost per session was also reduced, lowering operational overhead without any user-facing changes. These findings were then presented directly to the Capital One Card team, the largest line of business, with the expectation that smaller lines of business would follow suit once Card was on board.
With usability testing complete, designs were handed off to development and queued for A/B testing to validate the projected improvements at scale.
This project reinforced something I carry into every authentication or high-stakes flow: the goal is never zero friction. It's the right friction. Users need to feel that their bank is working to protect them and the design's job is to make that clear.