Rethinking account security
A new Security Settings tab wasn't on the team's roadmap, but I led its redesign and had it successfully launched. Three years later, the framework I designed still shapes the page 4 billion users land on.
The security tab, three years later...
While some of the proposed redesign didn't ship, the framework I established for the team (the principles, the IA, the patterns) has visibly shaped how Google's account security page evolved.
Four key decisions are still present today:
The renaming. "Security Settings" became "Security & sign-in," directly reflecting the framing I championed: organize around how users sign in, not as a generic settings dump.
"How you sign in to Google" as a consolidated section header. The current page uses this exact framing, organizing 2SV alongside passkeys, password, Google prompt, and recovery options in the structure I designed.
Chip-based affordance for adding sign-in methods. The horizontally scrolling row of chips ("Recovery contacts," "Authenticator," etc.) is the interaction pattern from the P0, preserved through three years of iteration.
Warning alerts for items needing attention. Inline warning badges (e.g., "Verify [recovery email]") still surface action items directly within the relevant row rather than in a separate experience.
Google's security UX has continued to evolve since I left, but these framing decisions have persisted.
The current security tab in 2026
Project outcomes
25% increase in 2SV adoption among users who landed on the new entry point - directly de-risking Google's Secure by Default rollout that followed.
40% lift in users adding additional sign-in methods - a chip-based affordance for adding methods drove significantly more diversification in the leveraged sign-in options than the prior list pattern.
Led a UX-driven initiative across product, engineering, UXR, and UXW, successfully securing leadership buy-in and cross-functional alignment.
The redesign gave leadership confidence that Secure by Default would succeed. The user-facing experience was no longer an open question.
Google prides itself on being a leader in account security
Google has invested heavily in security infrastructure, building industry-leading features to protect billions of users: Security Checkup, 2-Step Verification, Titan Security Keys, Advanced Protection, and more.
Google's Security Paradox
Google offers industry-leading security features, but users struggle to understand and adopt them, so improving account security feels overwhelming for most users.
Unclear hierarchy
While Security Checkup provided tailored recommendations, the "Recent security events" card appeared inconsistently and offered no actionable insights.
Fragmented core features
Account access controls were split into two confusing sections: "Signing in to Google" and "Ways we can verify it's you." These appeared competitive rather than complementary.
No clear narrative
Users couldn't easily understand what to prioritize or how the features connected to their overall account security.
The Security Settings tab before the redesign
User insights reinforce the concern
Feeling vulnerable
"You never really know; you always have a feeling that there is somebody out there who could hack you or something."
Overwhelming complexity
"[Account security] feels like work. Kind of like 'Inception' – you click on that, you then go deeper. I don't feel that I can go into it any further, because I'd get lost."
Confusing language
"I'd have to just give up. When I read all these words, I don't really understand what I'm reading. There's lots of words."
Ensuring users are Secure by Default
Google was preparing to auto-enroll all 2SV-capable accounts as part of a "Secure by Default" initiative, meaning 4 billion users would soon be automatically enrolled in 2-Step Verification.
The goal
With engineering focused on authentication infrastructure and 2-Step Verification enrollment, I led a UX initiative to simplify how users understand and manage these foundational security features.
Provide Google users with a simple approach to their Security Settings, clarifying our obscure security offerings with a clear authentication focus.
How you sign in to Google
More visual emphasis on Security Checkup, providing tailored security recommendations
Combined recovery options and authentication methods into one "How you sign in" card
"More sign-in options" CTA will lead to a contextual education page
Pushing boundaries with educational content
I championed a "What sign-in options are right for you?" page based on research showing users wanted more context around security features. Working with my UX writing partner, I organized authentication methods by priority (most secure, convenient, and backup options) while prioritizing security over convenience.
A landing page for users to explore and learn more about the multitude of sign-in options available
Minimum recommended methods for 2SV to be highlighted above
Progressive disclosure was incorporated to reduce cognitive load and encourage user engagement. When expanded, each section provides short summaries about the value of each method, plus educational links.
"Learn more" links open educational wizards I previously designed for the Advanced Protection enrollment flow. These in-context moments keep users engaged rather than losing them to external Help Center articles.
P0: 2SV Onboarding Entry-point and Suggestive Chips
After socializing this concept across PMs and engineering leads, leadership saw the clear user benefit. With Secure by Default's timeline approaching, the full redesign wouldn't ship in time.
I worked with PM and engineering to scope a P0 focused on the 2SV onboarding entry point (the central focus of the redesigned tab) and negotiated a suggestive chip pattern to highlight additional authentication methods. Together, we outlined a phased approach to incrementally improve users' security posture.
Designing for the users security tools weren't built for.
Account security experiences tend to be designed for the users who already care about security. The Secure by Default population was not. It consisted of the 4 billion users about to be enrolled into something they hadn't asked for. Designing for that audience taught me to start with users who avoid the feature, not the ones who adopt it.
Look outside of the product roadmap to lead the most strategic efforts.
Secure by Default was an engineering-led effort where the UX had a narrow scope. As I started thinking about how we framed our security narrative on the settings page, it became clear that there was a wider gap to address and I pushed the team to address it. I constantly look for these gaps in every new project I lead.