One of the UK's biggest insurers · NDA-safe

How do you get people into a regulated account with the least friction and the most trust?

Registration, login and passwordless one-time links for the MyAccount experience of one of the UK's biggest insurers, plus the redesign work I took the journeys through beyond what shipped.

Project frame: One of the UK's biggest insurers: registration, login and passwordless access for MyAccount

Role: Senior UI Designer · UX Designer
Team: Design system team · Product · Engineering · Compliance
Year: 2024 to 2025
Platform: Web · iOS · Android · FCA-regulated

Register: the hardest journey

Matching new users to an existing policy on sensitive fields, with validation that prevents errors before they happen.

Magic link: passwordless entry

One-time, time-boxed links so people get in without a password to forget or reset.

FCA: regulated by design

Compliance and data-use needs built into the flow from the first draft, not bolted on at review.

Every state: focus, error, disabled

Each field shipped as a small state machine, with accessibility structural rather than a final-pass audit.

01 · Context

The problem

Account access is the front door to everything a customer can self-serve, yet it is where regulated journeys quietly lose people. New customers must be matched to an existing policy using sensitive details, and a single unclear error or forgotten password sends them to a call centre instead of their account.

02 · Evidence

What shaped the direction

Where journeys actually fail

Registration, not login, is where account access breaks down. People abandon on the fields they hesitate over, like date of birth and postcode.

The support signal

Forgotten passwords are a leading driver of account-access support contact, which made passwordless more than a convenience.

Regulated constraint

As an FCA-regulated journey, wording, consent and data use had to be right, so I partnered with compliance from the first draft.

Multi-brand system

Patterns had to hold up across brands and themes, so they were designed against the design system rather than as one-offs.

03 · Process

How it came together

The brief

At one of the UK's biggest insurers I worked on MyAccount, the place customers go to manage their car, van and home cover. My focus was the way in: registration, login and passwordless one-time links, with a hand in the account home itself. Account access sounds simple. In a regulated business it is one of the highest-stakes flows there is, because the alternative to a smooth login is an expensive phone call.

Anonymised MyAccount login screen with email, password and a one-time link option
NDA-safe reconstruction of the shipped MyAccount login. Email and password, with a one-time link as an alternative way in.

Registration is the hard part

Everyone talks about login, but registration is where account journeys actually break. A new customer is not creating an account from nothing; they are being matched to a policy that already exists, using details like surname, date of birth and postcode. Get the matching wrong and they are locked out of their own cover. So the flow keeps each step small: confirm your email first, then the details we use to find you.

Registration step one, entering an email address with a valid-state tick
Step one keeps the ask to a single field, with validation that confirms the moment the email is valid.

The details step is where care matters most. Date of birth and postcode are the fields people fumble, and a vague error is enough to make someone give up. The flow validates each field and speaks plainly when something is off.

Registration details step showing surname and date of birth valid, and a postcode field with an inline error
Inline, specific validation. The postcode error sits next to the field and says exactly what to fix.

Once details check out, we confirm rather than leave people wondering.

A check your email confirmation screen shown after registration
A clear hand-off to email, with a spam-folder nudge and an obvious way to retry if nothing arrives.

Getting people in without a password

The strongest lever on account access is not a better password field; it is removing the password. The experience offers a one-time login link alongside the classic email and password, and mirrors it with password reset, so nobody hits a dead end on a small screen.

Three mobile screens: login, reset password and one-time link request
The mobile set: login, reset and one-time link. Each is a single, calm task on a phone.

The one-time link email itself is part of the design. It has to be reassuring, unmistakably from us, and safe by default.

A one-time login link email with a single primary button and an expiry note
One job, one button. The link is single-use, time-boxed to fifteen minutes, with a safe-to-ignore note for anyone who did not request it.
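
The single-use, fifteen-minute behaviour described in the caption above has to be enforced on the server, not just stated in the email. The sketch below is an added example, not code from the insurer or from this case study; the class name, the in-memory store and the account ids are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # "time-boxed to fifteen minutes" (from the page)


class OneTimeLinkStore:
    """Hypothetical in-memory stand-in for a server-side token table."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id):
        """Return an unguessable token to embed in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + LINK_TTL_SECONDS
        self._pending[self._digest(token)] = (account_id, expires_at)
        return token

    def redeem(self, token):
        """Return the account id once; None if unknown, used or expired."""
        # pop() removes the record before any other check, so a second
        # click, or a replay of an expired link, finds nothing. A real
        # database needs the same step as one atomic delete-and-return.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        account_id, expires_at = record
        if self._clock() >= expires_at:
            return None
        return account_id


if __name__ == "__main__":
    fake_now = [0.0]  # constructed clock for the demonstration
    store = OneTimeLinkStore(clock=lambda: fake_now[0])
    link = store.issue("acct-demo")
    print("first click :", store.redeem(link))
    print("second click:", store.redeem(link))
    late = store.issue("acct-demo")
    fake_now[0] += LINK_TTL_SECONDS
    print("after expiry:", store.redeem(late))
```

Both failure cases return the same `None`, so the sign-in page can show one generic "request a new link" message without revealing whether a link was already used or simply never existed.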

The account they land in

I also had a hand in the account home. The goal is instant reassurance: what is covered, and what to do next. Everything else is secondary to that first glance.

MyAccount home showing a policy card and a get a quote panel
MyAccount home. Cover front and centre, with a low-pressure route to add more when the customer is ready.

Where I took it next

The screens above are what went live. A good deal of my work ran ahead of them. This is the registration flow rebuilt around one idea: reduce the moments where a real person hesitates.

A redesigned registration details step with progress, a sub-labelled date of birth, positive validation, why-we-ask copy and trust markers
The redesign: a visible step, a forgiving date-of-birth input, positive validation, a plain reason for every sensitive field, and trust signals exactly where doubt shows up.

None of that is decoration. Each change maps to a specific place people stall.

The redesigned registration annotated with seven design principles
Seven decisions behind the redesign, from progressive disclosure to errors that recover, each aimed at avoidable drop-off.

Designing every state

Regulated journeys are won or lost in the states most designs skip. I treated each input as a small state machine and specified the edges, then made accessibility structural rather than a final-pass audit.

An input shown in default, focus, filled, valid, error and disabled states with accessibility notes
One field, every state, with accessibility built into each: visible focus, errors that use text and icon rather than colour alone, and autocomplete that speeds real people up.

Passwordless, promoted

The live product treats one-time links as a secondary option. I explored making them the default, so the safest way in is also the first one people see, with the password kept a single tap away for anyone who wants it.

A passwordless-first login concept with rationale and a how-it-works flow
Passwordless-first login. Lead with the link, keep the password optional, and explain the trade in plain terms.

What I would measure

Because this is account access, the numbers that matter are completion of registration, error rates on the fields people fumble, the share of logins that go passwordless, and the volume of forgotten-password support contacts. I designed the flows so those are the things that move, and worked with product, engineering and compliance so the wording and consent were right long before launch.

04 · Craft

Decision trail

  • 01 Treated registration, not login, as the real problem, because that is where people drop off when details do not match or errors arrive too late.
  • 02 Designed validation to confirm as people go, not just fail on submit, so mistakes are caught and fixed in place.
  • 03 Pushed for passwordless one-time links as a first-class way in, since the safest path can also be the fastest.
  • 04 Built every field as a full set of states, with accessibility and FCA wording in from the start rather than added at review.
05 · Impact

Outcome

The shipped work gave customers cleaner registration, login and passwordless access to MyAccount. The patterns I designed on top, progressive registration, positive validation, full state and accessibility coverage, and a passwordless-first login, show where I took the journeys next.

3 journeys: register, login, magic link
Passwordless: one-time link access
WCAG 2.1 AA: accessible by default

Details are under NDA, shown here as outcomes and ratings without confidential specifics.
