Role
Lead Product Designer
sole designer
sole designer
I consolidated a confusing multi-PIN, multi-smart-card system into a single PIN per account for 300K+ users — and rebranded the product's core terminology to remove technical jargon people never understood. The goal was one clean mental model: one email, one account, one PIN.
Context — Digidentity is an eIDAS Qualified Trust Service Provider on the EU Trusted List, whose platform has created 25M+ verified identities across 180+ nationalities.
Digidentity's wallet let users accumulate a separate PIN for every smart card — even when those credentials were tied to the same email. The result was a confusing system where one person could end up juggling several PINs, and a login built around "smart card," a technical concept most users didn't understand or need.
For a product people use to prove who they are, that mismatch between the system's model and the user's mental model was a quiet but constant source of confusion and support tickets.
300K+ existing Digidentity wallet users on iOS and Android — individuals and business users who hold one or more credentials. Many didn't even realise they had multiple PINs; they just knew logging in sometimes felt inconsistent.
I started by inventorying the full landscape: seven distinct user states across new and existing users — single account with one card, multiple accounts each with one card, one account with multiple cards, and so on — and mapped single-PIN eligibility for each. A scenario matrix made the old vs. new behaviour explicit for every case.
The migration was triggered by credential renewal, so users moved to a single PIN as a natural part of something they already do — no jarring forced reset. I designed both the happy and unhappy paths, including the tricky edge case where a PIN could diverge during recovery.
The brief looked like a relabelling job: "smart card" was confusing, so find a friendlier word. Early drafts treated it that way — swap the term, ship it.
The real problem wasn't the word; it was the idea. Users didn't understand "smart card" and didn't need to. So instead of renaming it, I removed it from the login screen entirely and let the product speak in the model people already hold: one email = one account = one PIN. "Certificate" language now surfaces only where a legal or security requirement genuinely demands it — for example, upgrading to a higher assurance level like Level 4 eHerkenning.
On renewal, users migrate to a single PIN seamlessly. The happy path is calm and legible — log in → account updating → account active → wallet — and the unhappy path never strands anyone: an error leads to a clear retry loop, and if it still can't resolve, a clean handoff to the service desk rather than a dead end.
"Select a smartcard" became "Select a certificate," and the smart-card concept disappeared from the login screen. The terminology change was scoped carefully so it stayed consistent across the product and only resurfaced where compliance required it.
A single PIN per account for 300K+ users, and a login that finally matches how people actually think about their identity — one email, one account, one PIN — with the technical scaffolding tucked safely out of sight.
Note to self: add the strongest metrics here once confirmed — PIN-related support tickets and smart-card lockout rates, before vs. after launch.
The scenario mapping was thorough, but it was driven by technical analysis more than direct user input — I'd add user research next time to validate the model from the outside. A multi-pseudonym / multi-device edge case can still cause PINs to diverge; solving it fully needs backend work in a future iteration. And "certificate," while clearer than "smart card," is still a compromise — ideally users would never need to see it at all.