In addition to improving user account security, the initiative supported headspace’s Data Governance Framework and ensured compliance with internal policies.
The objectives for this project included:
- Enhancing security for headspace account holders.
- Supporting data governance and compliance with headspace policies.
- Aligning account functionality with modern data security standards and user expectations.
Our approach
Portable worked closely with headspace to design and implement an MFA solution tailored to their users’ unique requirements. The project was structured around the following key steps:
Discovery and requirements gathering
We collaborated with headspace stakeholders and key suppliers, MH Interactive and AtlasOpen, to define and prioritise the project requirements. Through this process, we defined our technical requirements as:
- Enabling users to log in using a 2-step authentication process.
- Providing IT Managers with the ability to toggle MFA as mandatory or optional, supporting compliance with evolving legislation.
- Ensuring MFA could be configured to use multiple communication channels for enhanced accessibility.
- Designing prompts to encourage MFA adoption among users, both at launch and through regular intervals.
- Reducing user effort during account registration and MFA setup.
- Supporting flexibility by allowing users to update their MFA preferences and methods, verify their identity during changes, and recover authentication codes.
Technical implementation
Our development team integrated MFA into headspace’s existing digital ecosystem, encompassing the website, CMS, and hAPI.
Back-end changes
- Integrated new APIs and updated existing APIs to support MFA
- Updated existing login request to handle MFA flow if enabled on account
Front-end changes
- Added new MFA form to handle submission and re-requesting of MFA code
- Updated existing login entry points to handle redirecting to MFA form if required
Testing
- Added test cases that cover new user flows and edge cases
- Validated compatibility with existing authentication mechanisms
Testing and deployment
Portable adhered to our standard, rigorous testing process, which ensured the implementation met all security and usability standards. This phase included comprehensive User Acceptance Testing (UAT) with headspace stakeholders to validate functionality, usability, and alignment with project objectives. Feedback gathered during UAT was instrumental in refining the implementation and ensuring a seamless experience for end-users. The MFA feature was rolled out with minimal disruption to users, supported by clear documentation and guidance for both account holders and administrators.

Critical partners
To successfully implement Multi-Factor Authentication (MFA) for headspace account holders, we collaborated closely with key technology partners who play an integral role in headspace’s digital ecosystem.
MH Interactive, a longstanding partner on headspace projects, contributed their expertise in the Dynamic Health platform and were responsible for developing and refining the necessary APIs to support secure authentication. Their deep understanding of headspace’s digital infrastructure ensured a seamless integration between MFA and the broader health services offered online.
We also worked alongside AtlasOpen, who maintain hAPI, which connects headspace’s digital platforms with its extensive network of in-person centres across Australia. Their involvement was crucial in ensuring that MFA not only functioned effectively for online interactions but also aligned with the operational needs of headspace’s centre-based services. Through this partnership-driven approach, we were able to deliver a secure and frictionless login experience that balances strong data protection with accessibility for Young People and Family & Friends account holders.
Outcomes
Since the launch of MFA, voluntary adoption has steadily grown, with nearly a third of new client accounts created since November opting in to the additional layer of security. Among those who have enabled MFA, 68% have chosen SMS and 32% have opted for email, demonstrating that users are engaging with the feature and making active choices about how they protect their accounts. This uptake reflects a positive step toward strengthening digital safety for young people accessing headspace services.
Key features delivered included:
- Seamless User Experience: MFA was designed to prompt users to opt in during login and at periodic intervals, ensuring consistent engagement.
- Flexibility for IT Managers: Admins were empowered to configure MFA as mandatory or optional, providing adaptability to changing regulatory requirements.
- Robust Functionality: Users could recover lost authentication codes, switch MFA methods, or remove MFA (if optional) through their account settings.
- Cross-Platform Compatibility: MFA was enabled across all login scenarios, including integrations with applications like PiP.
Portable’s deep understanding of headspace’s digital infrastructure and long-standing partnership ensured the success of this project. By balancing technical rigor with user-centered design, we delivered an MFA solution that met both security and usability goals. This implementation not only enhanced the security of headspace accounts but also set a new standard for secure and user-friendly digital experiences.
Reflections
The successful delivery and launch of MFA couldn't have been done without the close collaboration of all the wonderful and committed people involved in this project between Portable, headspace, MH Interactive, and AtlasOpen. Communication is important, especially when working with multiple vendors across the technical aspects of implementing MFA. As a Developer, my experience was very positive. There was clear, regular, and open communication between the vendors from technical planning, integration, to launch. Technical challenges were approached with a collaborative mindset, and technical information and expertise were provided in a timely manner.
Tam Ho, Developer
Team
- Tam Ho, Developer
- Ruth Taylor, Technical Lead
- Jeff Basilio, QA
- Danielle Emond, Senior Producer
- Sam Bury, Production Lead