Creating proto-personas (Telenor)
UX Design / UX Research / Methodology
On DevOps teams, it's not uncommon to tackle problem-solving by taking a stakeholder-centered design approach. This means that we tend to focus only on responding to a stakeholder request, and we may accidentally overlook key end-user needs.
At Telenor, when we were asked to implement 2-Factor or Multi-factor Authentication in our SSO solution, we decided to first ask:
• What issues are 2FA or MFA really trying to solve for our end-users?
• What can we do for our end-users, which at the same time resolves our customers' requests?
• What can we do for our end-users, which at the same time resolves our customers' requests?
To kick-off the project, I conducted this "Creating proto-personas" workshop with my team of 15 people – including managers, developers and designers – to take our focus away from customer/stakeholders requirements only. We used this time to discuss and build alignment while developing empathy for our end-users. The follow-up process included another one-day workshop, but with stakeholders.
Framing our problem
What problem were we actually trying to solve?
On the need for security awareness: How might we ensure users’ understanding that they need 2FA/MFA?
• User's Point-Of-View (POV): I need to understand the risks of not protecting my account to be encouraged to take security measures.
On the need for enhanced security: How might we argue to users that our 2FA/MFA options are secure?
• User's Point-Of-View (POV): I need to have ways of protecting my account to make it harder for attackers to gain access to my data.
2-day workshop walkthrough
• User types – approx. 15 minutes
• Grouping user types – approx. 15 minutes
• Building personas – approx. 30 minutes
Break – 1 hour
Break – 1 hour
• Building anti-personas – approx. 45 minutes
• Anti-personas misuse cases – approx. 15 minutes
• HMW (How Might We) questions – approx. 30 minutes
• UX maps – approx. 2 hours, on day 2, with stakeholders
Activity 1 – User types
Individually, think of how one or more people act or are engaged to online apps and services. You can base your assumptions on someone close to you, a friend, family member, neighbour and so on. What types of users are they? Write your assumptions down in post-its.
Tip! Consider people’s behaviours on security:
• Habits on password creation and management;
• Level of concern on privacy;
• Technical knowledge; etc.
But also on general habits:
• Values on convenience/time/utility;
• Level of frustration when facing UI friction; etc.
Activity 2 – Grouping user types
Everyone together start grouping the post-its into users’ categories/types/behaviours:
• Group the post-its by similarity;
• If inspired, create new and complementary assumptions.
Dot voting: Individually, vote in 3 of the categories/types of users you feel are more important to address and cannot be ignored in this workshop. Each person is given three dots to vote for the three types they feel we should focus on first.
Activity 3 – Building personas
Split into groups (for example, for 15 people, 3 groups of 5). Use the persona template below as an example of canvas for this activity. Each group will be assigned to one of the most voted types of user types. Then:
• Organize the user assumptions into a person that represent some of our target users – combine the assumptions that are complementary;
• Create, if needed, new assumptions about this person.
Activity 4 – Building anti-personas
What are anti-personas? They are people that, within our service/app, will not follow the normal rules. Unlike legitimate personas, anti-personas are the ones for whom we want to make life difficult – we ultimately do not want them to achieve their goal:
• They can be hackers/fraudulent users;
• Or even a legitimate user who has a reason to break into the system (a child hacking into her/his parents account).
Part I
By yourself, start thinking on how one or more people can damage other users’ online experience, and what are their personal traits. Write assumptions down on post-its and place them on the wall. When the number of post-its increases, together, start grouping them into users’ categories – you can group and rearrange your teammates post-its as well.
Part II
Split yourselves into different groups (from Activity 3). Use the anti-persona template below as an example of canvas for this activity. Each group will be assigned to one of the most voted type. Then:
• Organize the user assumptions into a person that represent some of our anti-users – combine the assumptions that are complementary;
• Create, if needed, new assumptions about this person.
Activity 5 – Anti-personas misuse cases
Still with your anti-persona group, think of misuse cases for your anti-persona:
• As an attacker... (attacker type)
• I want to try to... (try to do something bad)
• So that... (I can steal or damage sensitive information or some other bad thing, etc.)
• As an attacker... (attacker type)
• I must not be able to... (do something bad)
• So that...
Activity 6 – HMW (How Might We) questions
With your group from Activity 3 (Building personas), take the persona created by another group.
Ask questions:
• How might we make it clear for users that… ?
• How might we show users that…?
• How might we easily teach users to…?
• How might we encourage users to...? Etc.
Expanding our questions:
• What’s stopping us from...?
• In what ways could we...?
• What would happen if...?
• How can we avoid…? Etc.
Activity 7 – User Experience maps
How to introduce cyber security measures to our users? In groups, map out step by step the experience you expect your assigned persona will have within our two POVs.
• Avoid limiting yourselves to the flows and interactions that we have already developed in our product;
• Think of the experience as a whole, including the moments when the user is not directly interacting with our product;
• Add each step in the map until the user’s goals have been reached.
