ROLE

Design Lead

DURATION

5 months (Feb 2022 - Jun 2022)

Designing the future-proof request review framework for combating multiple attack vectors

Background

Meta Business Manager (business.meta.com) is one of Meta’s core tools for account management, which allows businesses to keep all of their Instagram and Facebook accounts and other valuable assets in one place under a single business account. Currently, attackers can take control of a business by compromising the Facebook account of an employee with admin access to the business account. Once they are in the system, they can conduct powerful admin-level actions with only a few clicks. Without a compromise detection system, the attacker can exploit the business with no friction.

In H1’ 2022, our team launched the Second Admin Approval (2AA) initiative to combat security breaches and provide businesses with an additional layer of security to monitor important user requests. The 2AA feature is a compromise detection system that notifies a second admin in the same business account to review user requests and approve/reject them before they can be sent or completed, which allows the admin to detect and intercept potential breach scenarios. This initiative is a crucial step in preventing unauthorized activities and safeguarding the platform's integrity. Below is one example of an attack and how 2AA works to stop it:

[Figure: request flow today (Current) versus the request flow with 2AA review (After)]
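To make the approval gate described above concrete, here is an added example of how such a request review framework can be modelled in code. This is not Meta's code or 2AA's implementation; the business ids, admin names, action strings and the in-memory directory are all constructed for illustration. The key security property it enforces is the one the text relies on: an admin-level request is only executed after a different admin of the same business approves it, so a single compromised admin account cannot complete it alone.

```python
"""Added example (not Meta's code): a minimal second-admin approval gate.

A sensitive request stays pending until a second admin of the same business
reviews it. Self-approval and review by outsiders are refused and logged,
which is exactly the signal a compromise detection system wants to surface.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple
import itertools


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class Request:
    id: int
    business_id: str
    requester: str          # admin who submitted the request
    action: str             # opaque description of the sensitive action
    status: Status = Status.PENDING
    reviewer: Optional[str] = None


class ApprovalGate:
    """Holds sensitive requests until a second admin reviews them."""

    def __init__(self, admins_by_business: Dict[str, Set[str]]):
        # Hypothetical admin directory: business id -> set of admin user ids.
        self._admins = admins_by_business
        self._requests: Dict[int, Request] = {}
        self._ids = itertools.count(1)
        self.executed: List[Tuple[int, str]] = []   # actions actually carried out
        self.audit: List[str] = []                  # denied attempts worth alerting on

    def submit(self, business_id: str, requester: str, action: str) -> int:
        """Queue a sensitive request; nothing is executed yet."""
        if requester not in self._admins.get(business_id, set()):
            raise PermissionError("requester is not an admin of this business")
        req = Request(next(self._ids), business_id, requester, action)
        self._requests[req.id] = req
        return req.id

    def pending(self, business_id: str) -> List[Request]:
        """What a second admin would see in their review queue."""
        return [r for r in self._requests.values()
                if r.business_id == business_id and r.status is Status.PENDING]

    def review(self, request_id: int, reviewer: str, approve: bool) -> Status:
        """Approve or reject a request. Only a *different* admin of the
        same business may do so; the action runs only on approval."""
        req = self._requests[request_id]
        if req.status is not Status.PENDING:
            raise ValueError("request has already been reviewed")
        if reviewer == req.requester:
            # The property that defeats a single compromised admin account.
            self.audit.append(f"self-approval attempt on request {req.id} by {reviewer}")
            raise PermissionError("self-approval is not allowed")
        if reviewer not in self._admins.get(req.business_id, set()):
            self.audit.append(f"outsider {reviewer} tried to review request {req.id}")
            raise PermissionError("reviewer is not an admin of this business")
        req.reviewer = reviewer
        if approve:
            req.status = Status.APPROVED
            self.executed.append((req.id, req.action))   # execute only now
        else:
            req.status = Status.REJECTED
        return req.status


def demo() -> ApprovalGate:
    """Walk through the attack scenario from the text with constructed data."""
    gate = ApprovalGate({"biz-1": {"alice", "bob"}, "biz-2": {"carol"}})
    # Attacker controls alice's account and tries to share a credit line.
    rid = gate.submit("biz-1", "alice", "share_credit_line:acct-99")
    for reviewer in ("alice", "carol"):      # self-approval, then an outsider
        try:
            gate.review(rid, reviewer, approve=True)
        except PermissionError:
            pass
    gate.review(rid, "bob", approve=False)   # second admin spots it and rejects
    return gate


if __name__ == "__main__":
    g = demo()
    print("executed:", g.executed)
    print("audit:", *g.audit, sep="\n  ")
```

One design point worth noting: a business with only one admin has no second reviewer, so a real deployment needs an explicit policy for that case (for example, holding the request until a second admin is added) rather than silently falling back to single-admin execution; that fallback is an assumption left out of this example.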

Responsibilities

As the design point-of-contact for this project, I was responsible for strategizing UX direction and aligning with stakeholders on a singular vision for our product roadmap. Additionally, I worked on clarifying product scope, gathering compromise use cases, defining product and user requirements and prioritizing features through working closely with design partners, research, product management, marketing, data science, engineering, and other cross-functional partners to ensure final alignment and shipping with high UX standards while meeting security, integrity, privacy, legal, and policy requirements.

Highlights

To help my team move fast in addressing urgent security threats, I adopted a systems-thinking approach to help ensure the product is scalable, customizable, and usable long-term, meaning it would satisfy multiple use cases beyond the current known scenarios. Using visual diagrams to illustrate the existing system and its underlying problems, I helped identify attack patterns across the Meta Business Suite ecosystem and uncover additional security loopholes that were pathways for breaches. We shipped a robust yet flexible 2AA framework design that is now capable of mitigating 10 attack vectors, and will be used to scrutinize more business-sensitive requests in the future. 

Impact

Since its launch in July 2022, 2AA has significantly reduced unauthorized access and activities, enabling businesses to become more safe and secure. This feature is released to 100% of the target audience for the Credit Line Sharing use case. Within days of launch, 2AA has already stopped millions in leakage from unauthorized user requests. Credit Line Sharing is the first use case that gets protection from 2AA; in the future, more features will integrate the same framework into their product flows to mitigate attacks and prevent business compromises.
