Rakuten Rewards 
Authentication Modernization (PM + UX Contribution)
Rakuten’s authentication system had grown fragmented over years of monolithic development. Individual teams created and maintained their own login and sign-up forms, which led to inconsistent UX, orphaned legacy flows, compliance issues with social login providers, and challenges supporting account security and region-specific requirements.
The Legacy Problems
• Multiple teams built their own auth forms, resulting in inconsistent UI, validation, and error states
• No unified ownership; social login requirements were sometimes out of compliance because no one team managed updates
• Passwordless onboarding created complex account-status rules (earn vs. withdraw, timeouts, restricted actions)
• Web, iOS, Android, and WebView all handled auth differently
• No support for regions or GDPR/CCPA legal differences
• Account-verification flows (flagged accounts, timeouts, OTP to phone/email) lived in multiple places
• Hard to track usage because events and endpoints were scattered across the codebase
Designing Global Authentication (Figma)
With the new microsite in place for the US market, we began designing a truly global authentication system. I worked directly in Figma to:
• Create user flows for login, sign-up, password creation, password recovery, OTP, and region-specific variations
• Document edge cases and account-status rules (e.g., passwordless → restricted access → full access)
• Map regional logic for global vs. regional accounts (a moving target during the project)
• Incorporate GDPR and CCPA legal requirements into the flows
• Review the full design set with Legal and DevOps for compliance and system feasibility
During this phase, we evaluated a single global account model that would allow users to authenticate across regions. This approach introduced significant complexity around regional consent, permissions, and payout eligibility under GDPR and CCPA, especially when users were authenticated via another country. To reduce risk and ensure compliance, the system was designed around region-specific accounts, simplifying legal enforcement and account state management.
Outcome
The authentication microsite was successfully rolled out and adopted, replacing fragmented legacy forms with a centralized, reusable system. Teams were able to integrate shared login and sign-up flows while preserving their specific business requirements.
This project strengthened my ability to manage cross-team alignment, resolve ambiguous requirements, and design high-stakes flows involving security, compliance, and regional logic.