Overview

Authentication within CVS Health is structured across two levels of assurance. LOA1 supports basic access, allowing users to sign in and complete retail shopping.

LOA2 enables higher-trust access and introduces PHI (Protected Health Information), allowing users to securely manage sensitive features such as caregiver access, prescription refills, health records, and MinuteClinic scheduling.

For Caremark and Specialty, users are registered directly into LOA2, ensuring immediate access to experiences that require elevated authentication and protected health data.

File management & shared libraries

I aligned experiences across three engineering teams supporting CVS Health, Caremark, and CVS Specialty to ensure consistency across platforms. This work directly supported the One App initiative by establishing shared patterns and behaviors regardless of entry point.

I maintained a single, shared Figma library, aligning all screens on a common grid so teams could easily compare designs, identify inconsistencies, and standardize solutions. This structure improved collaboration and helped product and engineering teams align on a unified experience.

My role

1. Identify opportunities
   I reviewed metrics-driven recommendations from the product manager and partnered with the UX Lead and copy strategist to assess proposed changes within the flow, raising early technical and usability questions.

2. Validate feasibility
   I collaborated with the product owner, architect, and lead developer to resolve open questions, align on technical constraints, and confirm feasibility.

3. Present design solutions
   I explored and mocked up multiple design concepts, aligning them with current branding and accessibility guidelines through ongoing collaboration with the UI kit team. I presented recommendations to design leadership and cross-functional stakeholders for review and alignment.

4. Finalize and hand off
   I refined approved screens and delivered developer-ready Figma files, including detailed annotations, accessibility considerations, user flows, and assets to support implementation.

Two-step sign-in

I designed the first screen to capture the user’s email and the second to prompt for their password.

By separating these steps, I validate the email before requesting a password. If the system recognizes the email, the flow continues seamlessly to password entry. If not, the experience redirects users to create an account or register—depending on the appropriate path—reducing confusion and unnecessary friction.

One time passcode (OTP)

I designed the one-time passcode (OTP) experience as a two-step process. First, users confirm the email or phone number where the code will be sent. Then, they enter the received code on the following screen to complete authentication.

This flow verifies user identity while maintaining a secure and streamlined sign-in experience.

Create an account

Users who do not yet have an account begin at LOA1 (Level of Assurance 1). At this stage, they create a basic CVS Health account that enables secure sign-in and retail access.

1. Enter your username
   Users begin by entering their email or phone number to verify whether an account already exists.

2. *Create an account

   Users complete required fields, including first and last name, date of birth, phone number, password, and the option to join ExtraCare.

3. One time passcode
   User confirms their identity by entering a one-time passcode sent to their verified email or phone number.

4. Successfully signed in
   Upon verification, users gain access to their account.

Results

• The “Create an account” flow achieves a 90% overall success rate.

Registration

Users enter registration when they need LOA2 (Level of Assurance 2) authentication to access protected services.

1. *Introduction
   I present a legal overview outlining the benefits and permissions users receive as they proceed.

2. *Enter information
   Users complete required fields, including first and last name, date of birth and phone number.

3. One time passcode
   User confirms their identity by entering a one-time passcode sent to their verified email or phone number.

4. *Consent
   I collect user consents and permissions, enabling CVS Health to personalize and tailor future experiences.

5. *Successfully registered
   Based on selected consents and system constraints (such as ID associations), I display the most relevant next-step tiles—up to four personalized options—to guide users forward.

Results

• The “Registration” flow achieves an overall success rate of approximately 80%.

Sign in

1. Two step sign-in
   Users enter their email or phone number. The system validates the credential and prompts for the next step.

2. One time passcode
   Users confirm their identity by entering a one-time passcode sent to their verified email or phone number.

3. *Create passkey
   If users opt in, I enable passkey setup using device-based biometric authentication (such as facial recognition). This allows future sign-ins to occur automatically, creating a faster and secure experience.

4. *Created passkey and signed in
   The system confirms successful passkey setup and provides a link to continue where the user left off.

Results

• Weekly traffic of 498K.
  471.8K are successful making it a success rate of 88.29%

Registration

1. Two step sign-in
   Users enter their email or phone number. The system validates the credential and prompts for the next step.

2. One time passcode
   Users confirm their identity by entering a one-time passcode sent to their verified email or phone number.

3. *Create your account
   Users complete required fields, including email and password, to establish their account.

4. *Successfully registered
   The system confirms successful registration and grants access to CVS Caremark services.

Results

• Weekly traffic of 21.3K.
  18.1K are successful making it a success rate of 84.99%

Registration

1. Two step sign-in
   Users enter their email or phone number. The system validates the credential and prompts for the next step.

2. One time passcode
   Users confirm their identity by entering a one-time passcode sent to their verified email or phone number.

3. Create your account
   (For visuals, refer to the Caremark section)
   Users complete required fields, including email and password, to establish their account.

4. *HIPAA Consent
   Users provide voluntary consent allowing CVS Specialty to use or disclose their Protected Health Information (PHI) for routine treatment, payment, and healthcare operations.

5. *Successfully registered
   The system confirms successful registration and grants access to CVS Specialty services.

Results

• Weekly traffic of 9.3K.
  7.9K are successful making it a success rate of 84.93%

Dev hand off

Annotations

I prepare developer-ready designs with clear annotations to ensure engineers understand which components from the design system are being used and how they should behave. Accessibility guidance is embedded directly in the files, including semantic structure, action types, and input requirements such as required fields and keyboard behaviors.

This approach reduces ambiguity, supports accessibility standards, and helps teams build with confidence.

Full flow

Comprehensive user flows were created in collaboration with engineering and architecture to ensure end-to-end alignment. These flows documented key states and edge cases, retry attempts, and system nodes, supporting accurate and predictable implementation.

Error handling

Not every user journey follows a happy path. Designing effective error handling requires close collaboration with engineering to understand system limitations and potential failure states. While the goal is always to guide users toward the most helpful outcome, certain error conditions may limit available responses. In those cases, the focus shifts to reducing confusion and preventing frustration through clear, intentional feedback.