Forgot Username is a flow that I identified as needing updates for security reasons. The previous designs returned error states that told the user if the phone number that they entered was associated with an account or not. This would allow bad actors to enter phone numbers that they gathered from databases and determine if an account existed. They can then proceed with using username and password combos from security leaks to attempt to hack into a user’s account.

 We gave the designs a face-lift, as well as completely rehauling the error states and content to better protect the user’s information. The content is now much more ambiguous and returns the same screen whether the account exists or not. Additionally, we added some additional security measures, like signing the user out of all sessions after returning the email address and sending an email to the account holder letting them know that their username has been recovered.