Consumer implementation get started guide

Learn the 30,000 ft, bite-size overview of the Trusona system and customizations relevant to teams implementing Trusona for their consumers.

ABOUT: The Consumer Implementation Get Started Guide is a 30,000 ft, bite-size overview of the Trusona system relevant to teams implementing no passwords in their organization. It focuses on the Trusona Essential B2C product.

1. Bad news for hackers. Great news for the rest of us.

The Internet was not designed with security in mind. This should come as a shock to absolutely no one. What is shocking is that we conduct almost every aspect of our lives online, yet rely on a security solution that is anything but secure: passwords.

We’re here to change that. And the fact that you’re reading this means you are, too.

2. Why Passwordless?

Simply put, hackers can’t steal something that doesn’t exist. By eliminating passwords we’re removing their way in—and making password-related security breaches a thing of the past. Simultaneously, we’re vastly improving the customer experience. Never again will your customers need to enter a password on your site, or worse, reset one they forgot. The world is about to become a better, safer, happier place.

Welcome to the #NoPasswords Revolution.

2.1. Start

1. There are two ways to do this.

1.1. Option A

Registration requires a password.

1.2. Option B

Registration uses no passwords.

Step in the Identity Experience (iX)

Option A

Option B

New user registration

Username / passwords

no passwords

Password reset

Username / password
—or—
no passwords

no passwords login

Users that chose no passwords reset

You craft the strategy to roll out the no passwords option.

You can start with Option A and evolve to B.

1.1. Option A Registration requires a password.

Not ready to jump in with both feet just yet? No problem. This option allows you to add no passwords while still offering a username/password option for your customers.

In this instance, new user registrations still use usernames and passwords.

You then add a no passwords option to your “password reset” flow so customers have the option of selecting it rather than resetting their password. All they have to do is use your app to scan the code. And just like that, their password reset pain is gone.

Users who haven’t opted into the no passwords experience will see no changes to your homepage.

To avoid the password reset, users simply open your app and scan the code.

1.1.1. Frictionless password reset like never before.

No typing.

No usernames.

No passwords.

No remembering.

No calls to the contact center.

No knowledge-based authentication.

No “cognitive overload” (as the tech-y UX folks call it).

See the no passwords login option.

Scan the code.

Accept or reject.

1.1.2. Your customers just experienced no passwords.

When users log in with no passwords for the first time through password reset, we recommend setting a browser cookie that triggers the #NoPasswords login button to be shown on the screen as an option.

Now this browser has a no passwords shortcut—simple.

When your user clicks the button, they’re taken to the Gateway to scan the code.

NOTE: Our UX best practices explain how this all works in a mobile browser.

1.1.3. How to throttle No Passwords deployment

To throttle deployment, create two versions of your password reset flow.

  1. Version 1: stays the same as it is today.
  2. Version 2: give users a choice between resetting their password or going #NoPasswords from here on out.

You can then throttle the number of users sent to Version 2 by either:

  • number of users per day, e.g. 1,000 users a day experience Version 2
  • or, percent of all users, e.g. 10% of all users experience Version 2
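One way to implement both throttles, as an added example (this is not Trusona code; the salt, function names and in-memory counter are assumptions made for illustration). Hashing the user identifier keeps each user in the same version on every visit, and raising the percentage only adds users to Version 2.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Assumption: a constant you choose. Changing it reshuffles who is in the cohort.
ROLLOUT_SALT = "password-reset-v2"
BUCKETS = 10_000  # bucket resolution of 0.01%


def bucket(user_id: str, salt: str = ROLLOUT_SALT) -> int:
    """Map a user identifier to a stable bucket in [0, BUCKETS)."""
    normalized = user_id.strip().lower()  # same user, same bucket, however it was typed
    digest = hashlib.sha256(f"{salt}:{normalized}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS


def version_by_percent(user_id: str, percent: float) -> int:
    """Percent-of-all-users throttle: 2 for roughly `percent` % of users, else 1."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    threshold = round(percent * BUCKETS / 100)
    return 2 if bucket(user_id) < threshold else 1


class DailyCap:
    """Users-per-day throttle: the first N distinct users each day get Version 2.

    The counter lives in memory for the example; several web servers would
    need a shared store instead (assumption, not covered by the guide).
    """

    def __init__(self, users_per_day: int):
        self.users_per_day = users_per_day
        self._admitted = defaultdict(set)  # day -> normalized user ids

    def version_for(self, user_id: str, today: date) -> int:
        admitted = self._admitted[today]
        key = user_id.strip().lower()
        if key in admitted:  # a returning user does not consume a second slot
            return 2
        if len(admitted) < self.users_per_day:
            admitted.add(key)
            return 2
        return 1


if __name__ == "__main__":
    # Constructed sample identifiers.
    users = [f"user{i}@example.com" for i in range(10_000)]
    share = sum(version_by_percent(u, 10) == 2 for u in users) / len(users)
    print(f"Version 2 share at 10%: {share:.1%}")

    cap = DailyCap(users_per_day=1_000)
    today = date(2024, 1, 1)
    print(sum(cap.version_for(u, today) == 2 for u in users), "users saw Version 2 today")
```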

1.2. Option B Registration uses no passwords.

Your current users will have a choice but new registrations will never know anything other than #NoPasswords—a hassle-free existence from the get-go.

1.2.1. Give only existing users a no passwords option. New users will never have a password.

Change can be scary. Rather than a mandatory shift to #NoPasswords, this option gives your users a choice to adopt #NoPasswords on their own—or keep their password if that makes them more comfortable. But new registrations will never know anything other than #NoPasswords. Those people will never have to worry about a lost password, or worse, an identity breach.

1.2.1.1. New users

A simple, consistent experience leads to loyalty. With #NoPasswords, when registering new users in your app on a new device, all they need to do is provide an email. That’s it.

Notice the simplicity of this Get Started scene? It’s not by accident.

Copious research (and common sense) has shown that reducing the number of form fields during registration increases the total registrations.

With #NoPasswords, the password/repeated password fields and associated friction are completely removed from your registration process.

Naturally, you can add your Terms and Conditions approval to the Get Started scene.

Get Started scene

1.2.1.2. Existing users

If your app has a long session, your existing users are still logged in. This makes things super easy.

#NoPasswords features are automatically enabled for them when your app auto-updates. Like magic.

We recommend you encourage users to use the new “#NoPasswords Login” scanner that’s now in the app menu.

See the UX best practices in this Guide for priming details.

App home scene.

Priming for the #NoPasswords experience.

#NoPasswords Login menu item

Scan the code.

(NOTE: Our UX best practices explain how this all works in a mobile browser.)

Guidelines

1.3. Ops guidelines

1.4. Sample deployment schedule

  • 12 wks Pre-kick off

  • 11 wks Kick off

  • 11 wks Production keys

  • 10 wks Refined customer experience plan

  • 9 wks Refined technical deployment plan

  • 8 wks Comms planning

  • 7 wks Readiness check-in

  • 5 wks Stakeholder review

  • 4 wks Send 1st wave comms

  • 2 wks Stakeholder review

  • 1 wk Send 2nd wave comms

  • As needed Syncs

1.5. 0 Soft launch

  • 0-1 wks Launch state

  • 2 wks Stakeholder review and GA launch plan

  • 3 wks Send 3rd wave comms

  • 4 wks GA Launch

  • 4-5 wks Launch state

  • 6-8 wks Weekly syncs

  • 3 mo Quarterly syncs and first NPS with Trusona

  • 6 mo NPS with Trusona

1.6. Relying party internal FAQs

No need to start from scratch.

Use this Q&A as a starting point to build your own internal FAQ for your implementation team.

Send it in email to your team or post it to your intranet.

1.6.1. Why should my company join the #NoPasswords revolution?

You already know passwords are not secure and password rage is real. 30% of customers who forget their password won’t come back to your site. And, according to Gartner, “UX is the only durable competitive advantage.” #NoPasswords increases security and decreases friction.

1.6.2. How do we let our customers know this is coming?

Email, social media and print ads (if applicable) are your best friends. We even have templates and suggestions to help you out. Refer to the communications section for more.

1.6.3. Is #NoPasswords more secure for us and our customers?

Extraordinarily so. People re-use their passwords across platforms all the time. Even if you haven’t been exposed to a breach, chances are your customers’ passwords are already in the wrong hands. Plus, bad guys can’t steal what doesn’t exist.

1.6.4. Who owns the project at [company]?

[Individual’s name or group name] at [email]

1.6.5. What if I have questions?

Contact [Individual’s name or group name] at [email].

1.6.6. What are the best practices for the #NoPasswords user experience?

Refer to the user experience guidelines. (Hint: focus on the human and keep it simple.)

1.6.7. What are the technical details?

We can explain them all. Please refer to the Tech guidelines and Tech assets.

1.6.8. What’s our program timeline?

Roughly 12-16 weeks from kickoff to finish of implementation. Refer to the [deployment schedule] for timelines.

1.6.9. How can I try this out so I know what it’s all about?

It’s a snap. Simply download the Trusona app from the App Store or Google Play Store then go to <www.trusona.com/try> and click on “#NoPasswords Login.” Voilà!

1.6.10. Does Trusona store our customers’ personal identifiable information (PII)?

Trusona only stores a unique user identifier, such as an email address or its one-way hash. Trusona Executive also stores our users’ names.

1.6.11. What changes can our users expect?

Users will see an option to go #NoPasswords at different parts of their journey with us. In mobile browsers they’ll “deep link” into our app and approve the login. On desktop browsers, they’ll use our app to scan a code that lets them in.

1.6.12. Does Trusona offer ID proofing, other than email verification?

Yes. For ID verification check out Trusona Executive.

1.6.13. Do our users need a smartphone to use Trusona #NoPasswords?

Yes, but Trusona also has a “magic link” option where no phone is needed.

1.7. User experience guidelines

1.7.1. #NoPasswords Design Principles

1.7.1.1. Human

People are at the core of what we do. Take pride in having the most robust security catered to how people live today. You’re helping to make cybersecurity a seamless part of life, not an annoyance or cumbersome afterthought.

1.7.1.2. Priming

Take opportunities to positively influence users’ behavior with their best interest in mind. Eliminating passwords will seem foreign at first. Explain how #NoPasswords is more simple and secure. This is a great thing for everyone involved.

1.7.1.3. Omni-channel

The nature of #NoPasswords is omni-channel. Design experiences, not screens.

1.7.1.4. Simplicity

Take the difficulty out of cybersecurity. Simplifying language, experiences and processes will lower the barrier of entry, increase usage, decrease errors, and grow confidence in users of all digital proficiency levels.

1.7.1.5. Generational

Usernames and passwords have been handed down from one generation to another, twice! This has massive implications. Be mindful of this radical shift to end-user behavior when designing the #NoPasswords experience.

1.7.1.6. Fun

We love what we do (we’re visionary crime fighters!) and we want to make that love contagious by throwing out the boringness and unnecessary formality that accompanies most auth solutions.

1.7.2. Trusona’s core loops

The core loop is the three to four steps in an app that create the most value for the user.

The core loop of Instagram is: Take photo > add filter > share

The core loop of Trusona’s verification is: Scan or Tap > Accept > You’re in!

Some auth scenarios require different core loops and it’s helpful to use the core loop concept to talk about them.

1.7.3. #NoPasswords micro-copy

Micro-copy is the words in a user interface.

Confusing micro-copy was the number one mobile app customer experience pain point in the 2017 Banking CX Benchmark behavioral test with Wells Fargo, Chase and Bank of America conducted by usertesting.com.

It may sound small, but it’s HUGE because it can be the difference between engagement and abandonment.

These examples are based on observational and behavioral tests conducted with end users from around the world during the development of the Trusona app.

  • “Scan in the Acme Bank app”, not “Scan in the app”.
  • “Accept” / “Reject”, not “Yes” / “No”.
  • Acme Bank would like to verify your login to acmebank.com
  • “What’s your email?”, not “Please enter your email”.
  • To complete registration, follow the link we sent to: jane@gmail.com
  • Allow fingerprint access
  • I don’t want to be notified

Do A-B testing with your target market to understand the words they use and the words they don’t.

Also consider the following recommendations:

  • Adhere to your brand’s voice and tone
  • Keep it simple and positive!
  • Place the outcome first, e.g. “To complete registration, follow the link we sent …”, not “Follow the link we sent to complete …”
  • Ask yourself, “Can this be worded more simply?”
  • Use the #NoPasswords hashtag sparingly but prominently
  • Present imagery congruent with the message and feel

Keep an eye out for common grammar and spelling mistakes in auth lingo.

  • Login as one word is a noun, e.g. “Tap the login link”.
  • Log in as two words is the verb, e.g. “Log in to the Secure Portal”.
  • See the Glossary for other relevant definitions.

1.7.4. The Trusona “Get Started” experience

If you choose Option B, onboarding new users (formerly known as “signing up”) and existing users (formerly known as “signing in”) are one and the same — we call it “Get Started.”

In the examples below, Trusona only requires an email address (or other user-identifier).

The other data is not required by Trusona.

No password is needed.

1.7.4.1. Get Started scenes

Simplicity is key here. Don’t forget that.

Change “Registration” to “Get Started”

Delete “log in” or “sign in” language.

Get rid of username and password form fields for good.

Remove unnecessary noise, words, lines, images and graphics.

If you require only an email to Get Started, combine the Continue button in the email field.

Activate the Continue button when the email field is completed to prevent errors.

Eliminate form redundancy by asking for email once.

Ask the user to confirm they entered the right email by showing them what they entered in a modal alert.

If you included other login methods, place the #NoPasswords login option first on screen and clearly delineate the #NoPasswords login from other methods.

1.7.5. Verifications

The confirmation of a user’s intent to perform an action, such as a login or transaction, is a verification.

There are three parts to a verification:

  1. Invoke
  2. Notification
  3. Accept or Reject

1.7.6. Invoke

Verifications can be invoked by users in three ways:

  • Scan a code
  • Tap a “#NoPasswords Login” button
  • A relying party can invoke a verification (for example, from a call center)

1.7.7. Notification

If the user has allowed your app to send push notifications, they will get one for each verification.

Use push notifications if the user allows it.

1.7.8. Accept or Reject

To verify the user’s intent and approval to complete a verification, we recommend requiring the user to Accept or Reject it.

In some cases (such as scanning a code to invoke a verification) you may opt to not show the Accept or Reject options.

1.7.9. Verification syntax

1.7.9.1. The verification syntax for the push notification and Accept or Reject is:

[Company] would like to confirm your [transaction] to [asset]

The bracketed items are customizable per verification.

Accept reject scene.

1.7.10. Buttons

To make it easy for users to tap the buttons with one hand, we recommend placing the Accept and Reject buttons near the bottom of the screen.

The Accept or Reject verification step can also be removed. See the Tech guidelines.

1.7.11. Confirming verifications

We suggest that you follow the Accept or Reject scene with a full-screen confirmation of their selection, including:

  • Audio
  • Motion
  • Bold color

Accepted

Rejected

Timed out

1.7.12. Mobile information architecture

Make sure the #NoPasswords scanner is easy to find because your users will need it for all logins from a computer or other secondary screen (not a mobile device).

Here’s an example of how to make the #NoPasswords Login option prominent and easily accessible.

#NoPasswords Login option in the main nav

1.8. Tech guidelines

1.8.1. Three account and device states

To access the #NoPasswords world, the Trusona SDK links a user with their device during the “Get Started” experience.

We call this “binding.”

After binding, we know the True Persona—their device identifier—and they have the option to go #NoPasswords.

1.8.1.1. 1. New account, new device

New account, new device occurs when a new user is using a device that hasn’t been bound.

If you choose to onboard new users with a password, you’ll still bind the user with Trusona so they have the option to scan a code to log into a second screen or scan a code to go #NoPasswords rather than resetting a forgotten password.

1.8.1.2. 2. Existing account, new device

Existing account, new device occurs when a user already has an account and wants to bind the account to a new device via “Get Started.”

1.8.1.3. 3. Existing account, existing device

Existing account, existing device occurs when a user already has an account and has been through the “Get Started” process. Once their app is updated with the Trusona SDK these users can use #NoPasswords. No extra steps are needed.

See the Communications section outlined in this guide so that users know about the new #NoPasswords features.

1.8.2. Mobile hardware encryption

So who is Trusona and how do we make this sorcery happen? At our core, we are a security company. Prior to creating #NoPasswords, we developed the world’s first and only insured authentication system.

Because we are fanatical about security, we recommend that mobile devices support hardware encryption when using the Trusona SDK.

If your user’s device doesn’t support hardware encryption, they can continue to use passwords.

1.8.2.1. Hardware encryption for dummies

Hardware encryption helps ensure that the data stored on the device can’t be stolen by malware or other attack vectors.

1.8.2.2. Apple iOS hardware encryption support

As of January 2018, approximately 90% of global iOS devices support hardware encryption.

  • iPhone 5S and later
  • iPad Mini 2 and later
  • iPad Air

1.8.2.3. Android hardware encryption support

As of January 2018, approximately 80% of global Android devices support hardware encryption.

  • Android API level 21 and later

1.8.3. Deep linking

Some integrations (such as integrations with Okta) require URLs to be whitelisted.

To ensure deep linking works properly, check your identity provider’s requirements.

1.9. Marketing guidelines

1.9.1. Priming through email, print and social media

By now you already know that a #NoPasswords login reduces friction, increases happiness and eliminates password rage. You can spread this joyous message to your customers and/or employees via your favorite communication channels. Considering that most people juggle dozens of usernames and passwords every day, you’re about to become a hero.

See the sample communications in this guide.

1.9.1.1. Assets

1.10. Tech assets

Now that you’ve joined the revolution, you have some powerful tools at your disposal, like the many sets of key/secret pairs your dev team will use to connect with Trusona.

Because your Trusona production keys grant access to your core system at Trusona, treat them with the same security sensibility and protocols you use with your most secure internal systems.

Have your Trusona project coordinator set up a conference with our integrations team so we can walk you through the steps to ensure key security.

1.11. Design assets

1.11.1. Introduction

These are the core design assets for the Trusona system.

Design assets

Required

Optional

Login Buttons

Three options off the shelf

Trusona app

N/A

Gateway

Yes

Colors and images

Verify email

Colors and images

Login

Colors and images

Accept / Reject

See the Trusona app

1.11.2. #NoPasswords Login buttons

We have three off-the-shelf #NoPasswords buttons for use on your site.

1.11.3. Trusona app

To get a feel for the #NoPasswords experience you can use the Trusona app (Apple App Store or Google Play Store) and log in now at <www.trusona.com/try>.

1.11.4. Motion design source files

The motion design Trusona uses can be delivered natively in iOS and Android with Lottie. We’ve done all the grunt work in After Effects and Bodymovin’ so you can use our Lottie files.

You can change the color of the Lottie files using the links below and never need to open After Effects yourself. Easy peasy.

Visit the links, edit the colors and download your updated JSON file.

1.11.5. Trusona web template

No heavy lifting for you here. The Trusona web template Sketchapp file contains all the elements your design and marketing teams need to mock up your gateway web page, verify email web page and login web page.

The gateway is the only web page that is hosted by Trusona and the only page we must have defined by you.

The verify email and login pages are not hosted by Trusona but are included in the template file so you can see how these experiences should be consistent.

Sketchapp symbols page

1.11.5.1. Gateway web page template

This is important. Most of your users experience the Trusona Gateway each time they log in to your desktop or mobile website.

NOTE: If you’d like to create an experience that doesn’t use the Gateway, you can do that with the Trusona SDKs. Talk with your Trusona program coordinator to get the technical details.

On desktop, the Gateway is designed to be customized for your brand because it’s a core part of the user experience. You define the template variables and Trusona creates your branded Gateway.

On mobile, the vast majority of your users “deep link” directly to your app and won’t experience the Trusona Gateway. On some old devices or when universal links are not set up, the user will experience this screen below. The colors on this screen are not yet customizable.

Deep link Gateway web page

1.11.5.2. Verify email web page template

When you verify user emails during registration, you can use our email verification design template. This template matches the Gateway, login and in-app styles we also provide for accepted, rejected and timed out verifications.

1.11.5.3. Login web page template

Trusona doesn’t host your login page. But because consistency is vital to the customer experience, we’ve included a login layout, should you choose to use it.

Even if you don’t, we suggest you look through the login template and note the UI word choices and overall simplicity. There may be elements of this that you can leverage in your login.

1.11.5.4. Template variables

The colors used for your code must have a high contrast with the background. Generally, if your colors pass WCAG AA and AAA for large text, you’ll have a high enough contrast to make the code scan quickly.

You can also use the Trusona app to test that the colors will scan quickly.

Although you can specify six code colors, we recommend that you list your primary brand color in at least three of your six open slots. This will weight your primary brand color more heavily so that it’s shown more prominently in the code.

We also recommend you stick with two to three main hues. Using too many hues can make the code look like camouflage.

  • Code color #1 and button color (format: hex)
  • Code color #2 (format: hex)
  • Code color #3 (format: hex)
  • Code color #4 (format: hex)
  • Code color #5 (format: hex)
  • Code color #6 (format: hex)
  • Code color #7 (format: hex)
  • Code color 1x1 dots (format: hex)
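A way to check code colors against the background before sending your template variables, as an added example (not part of the Trusona template; the palette and function names are constructed for illustration). It uses the WCAG 2.1 contrast-ratio formula with the large-text thresholds of 3:1 (AA) and 4.5:1 (AAA), and counts how many slots carry the primary brand color.

```python
AA_LARGE = 3.0    # WCAG 2.1 AA minimum contrast for large text
AAA_LARGE = 4.5   # WCAG 2.1 AAA minimum contrast for large text


def parse_hex(color: str) -> tuple:
    """Turn '#RRGGBB' or '#RGB' into an (r, g, b) tuple of 0..255 integers."""
    h = color.strip().lstrip("#")
    if len(h) == 3:
        h = "".join(ch * 2 for ch in h)
    if len(h) != 6:
        raise ValueError(f"not a hex color: {color!r}")
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))


def relative_luminance(color: str) -> float:
    """Relative luminance as defined by WCAG 2.1 (sRGB)."""
    def linear(c8: int) -> float:
        c = c8 / 255
        return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4
    r, g, b = (linear(v) for v in parse_hex(color))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(a: str, b: str) -> float:
    """Contrast ratio between two colors, from 1.0 (identical) up to 21.0."""
    la, lb = relative_luminance(a), relative_luminance(b)
    return (max(la, lb) + 0.05) / (min(la, lb) + 0.05)


def review_code_colors(code_colors, background, primary):
    """Report contrast per code color and whether the primary fills >= 3 slots."""
    rows = []
    for color in code_colors:
        ratio = contrast_ratio(color, background)
        rows.append({
            "color": color.upper(),
            "ratio": round(ratio, 2),
            "aa_large": ratio >= AA_LARGE,
            "aaa_large": ratio >= AAA_LARGE,
        })
    primary_slots = sum(1 for c in code_colors if c.upper() == primary.upper())
    return {
        "colors": rows,
        # Colors that do not pass both AA and AAA for large text.
        "failing": sorted({r["color"] for r in rows
                           if not (r["aa_large"] and r["aaa_large"])}),
        "primary_slots": primary_slots,
        "primary_weighted": primary_slots >= 3,
    }


# Constructed sample palette: six code colors on a white Gateway background.
SAMPLE_BACKGROUND = "#FFFFFF"
SAMPLE_PRIMARY = "#5A2D82"
SAMPLE_CODE_COLORS = ["#5A2D82", "#5A2D82", "#5A2D82", "#222222", "#8E6BB0", "#FFD400"]

if __name__ == "__main__":
    report = review_code_colors(SAMPLE_CODE_COLORS, SAMPLE_BACKGROUND, SAMPLE_PRIMARY)
    for row in report["colors"]:
        print(row)
    print("failing:", report["failing"], "| primary slots:", report["primary_slots"])
```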

1.11.5.5. Foreground color

The foreground color is applied to the user assistance, “Scan in your Acme Bank app” and applied to the three waiting dots.

  • Foreground color (format: hex)

1.11.5.6. Background color

The background color is applied to the entire body of the Gateway.

  • Background color (format: hex)

1.11.5.7. Body text

The body text color is controlled in a “style” in the sketch file.

  • Body text color (format: hex)

1.11.5.8. Hero

The hero image is applied to the left side of the Gateway and is a full bleed on the top, left and right sides of the image.

  • trusona-gateway-hero.jpg (format: jpeg)

1.11.5.9. Hero alignment

The hero jpeg image is resized and cropped at various browser sizes and is aligned to your choosing.

  • Centered, top, bottom, left or right (format: choose)

TIP: If you want a smooth transition from the hero image to the background color, you can make the right side of the hero image fade to the background color then choose to align “right”. See the HBO example below.

Your logo is shown on the right side of the image.

  • trusona-template-logo (format: jpeg)

1.11.5.11. Working with the template

The design source file uses the industry standard SketchApp format.

Follow the instructions inside the SketchApp file to mock up and review your Gateway look and feel with your internal stakeholders.

When ready, send us your Gateway variables (hex values, choices and jpegs).

Gateway template examples

Subway Gateway (sample only)

HBO Gateway (sample only)

Bain Capital Gateway (sample only)

Trusona Gateway (sample only)

1.12. Communications assets

1.12.1. Social media announcement

Guess what? Now you never have to remember your [Company] password ever again. Yes, you read that right. We have just joined the #NoPasswords Revolution. Forgetting your password is now a thing of the past. Check it out at [company.com] using your [Company] app.

1.12.2. Coming soon email

Subject: Say hi to no passwords, lucky you!

[Customer name],

“I love entering a username and password every time I log into my account,” said no one ever.

Now that annoyance is a thing of the past.

We’re taking no passwords for a spin and you’re one of the lucky few selected to try it out first.

How does it work?

Starting [month] [date] on the “I forgot my password” page you’ll see a #NoPasswords Login button.

You can use this button to log in without passwords!

No passwords on a desktop browser

After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use the no passwords Scanner in the [Company] mobile app to scan the code.

No passwords in a mobile browser

After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use your [Company] mobile app to approve.

Are you as excited about passwordless Login as we are?

After you try it out let us know how your experience was by replying to this email.

Looking forward to a [Company] without passwords,

The [Company] team

1.12.3. Coming soon email (GA)

Subject: Hello, #NoPasswords! — We’re joining the Revolution

[Customer name],

“I love entering a username and password every time I log into my account,” said no one ever.

Now that annoyance is a thing of the past. We are extremely excited to announce that [Company] has joined the #NoPasswords Revolution, so you can get to what you need faster and more securely.

What does this mean for you?

You no longer need to remember a password to log into [company.com]. Yes, you read that right.

Starting [Month], [date] you’ll see a #NoPasswords Login button on our homepage.

#NoPasswords on a desktop browser

After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use the #NoPasswords Scanner in the [Company] mobile app to scan the code.

#NoPasswords in a mobile browser

After [Month], [date] tap the #NoPasswords Login button on the [company] home page and use your [Company] mobile app to approve.

Bye bye, password rage. Hello, seamless existence.

When it’s available, take #NoPasswords for a spin and let us know what you think.

Yours,

[Company] team

1.12.4. App store “new release” copy

Bye bye, password rage. Hello, safety and security. With #NoPasswords you log in effortlessly using nothing more than the [Company] app. No password necessary. If it weren’t real, you’d think it was magic.

In the app, go to Menu and choose #NoPasswords Login.

