Redesigning PayPal’s Account Recovery Experience

Restoring trust in moments of uncertainty

Each year, over 20 million PayPal users go through account recovery after a potential account takeover (ATO). For many, this is not just another product flow—it is a moment of uncertainty, where users question whether their personal information has been compromised and, more importantly, whether their money is still safe. At the same time, this experience carries significant business impact, contributing to over $60M in revenue loss and $30M in fraud exposure annually.

Despite its critical role, the existing re-securing experience was fragmented and largely invisible to users. While backend systems were capable of reversing unauthorized changes and preventing further fraud, the user experience failed to communicate what had happened or what had been resolved. As a result, users often felt confused, anxious, and unsure whether they could trust PayPal again.

Understanding the gap between system recovery and user trust

The early phases of the ATO roadmap focused primarily on technical fixes. The system automatically reverted unauthorized changes to user profiles and financial assets, ensuring that bad actors could no longer access compromised accounts. From a system perspective, the problem was being solved. However, from a user perspective, the experience felt incomplete.

Users were rarely informed about what had changed or what actions had been taken on their behalf. In many cases, they would log back into their accounts and notice differences—updated profile information, removed devices, or restored payment methods—without any context. This lack of communication led to confusion and, more critically, a loss of trust. Some users contacted customer support simply to confirm that the changes were legitimate, while others escalated concerns to their banks, creating additional operational cost and risk.

This revealed a fundamental gap:
The system could restore account integrity, but it could not restore user confidence.

Reframing the problem through research

To better understand user behavior and emotional responses after an ATO incident, we conducted qualitative research with affected users. What quickly became clear was that users were not primarily concerned with understanding every detail of what had happened. Instead, they were focused on a much simpler and more urgent question:

“Am I safe now?”

Financial uncertainty emerged as the strongest driver of anxiety. Users were far less concerned with profile changes or device activity than with whether unauthorized transactions had occurred and whether their money was at risk. At the same time, we observed that most users did not engage with detailed activity logs, even when those were available. Instead, they relied on high-level signals to determine whether their account was secure.

Interestingly, even when users chose to keep their accounts after recovery, many removed linked financial instruments or avoided storing balances. This behavior—what we later identified as “silent churn”—highlighted a deeper issue: restoring access to an account does not necessarily restore trust in the platform.

Navigating the core design tension

As we began exploring design solutions, we encountered a fundamental tension between two approaches. One direction emphasized full transparency, presenting users with a detailed, activity-based view of every change made during the recovery process. While this approach ensured completeness, it quickly became overwhelming due to the sheer number of assets involved—often more than twenty, spanning profile data, security credentials, devices, and financial instruments.

The alternative approach focused on simplicity, presenting a snapshot of the account’s current state. This made it easier for users to quickly assess their situation, but it introduced a different risk: by not showing what had changed, the system could appear opaque, potentially eroding trust.

This tension—between transparency and cognitive load—became the central design challenge of the project.

Learning from early design failures

Our initial designs leaned heavily toward activity-based transparency. We presented users with a detailed list of changes, such as restored phone numbers, removed devices, and re-linked payment methods. While this provided a complete picture of system actions, it required users to interpret a large amount of information during an already stressful moment.

In testing, this approach proved ineffective. Users struggled to understand what the information meant in aggregate and were unable to confidently answer the question of whether their account was safe. Rather than building trust, the experience created additional cognitive burden.

This failure led to a critical insight:

More information does not necessarily create more confidence.
In high-risk situations, clarity matters more than completeness.

Shifting to a trust-first design approach

We reframed the problem from explaining system actions to restoring user confidence. Instead of asking how we could show everything that happened, we began asking how we could help users quickly understand that their account was secure.

This shift led to the development of a Trust Snapshot model. Rather than listing individual changes, the experience presents a simplified, structured overview of the account across key trust areas: identity, financial assets, security settings, and devices. Each area includes clear, high-level signals indicating that information has been restored, secured, or verified.

At the same time, we preserved transparency through a progressive disclosure model. Users who wanted to review detailed changes could access a full activity log, but this information was no longer required to understand the state of the account. By layering information in this way, we were able to balance clarity and completeness without overwhelming users.

Scaling the solution across phases

This design approach became the foundation for Phase 3 of the ATO roadmap, which introduced a guided recovery experience. Users are now prompted to review their account through a structured flow that combines reassurance, verification, and action. Mandatory steps ensure that critical assets are reviewed and secured, while recommended actions encourage users to adopt stronger security practices such as enabling passkeys or two-factor authentication.

Looking ahead, Phase 4 extends this model into a proactive security system. Rather than limiting the experience to post-incident recovery, the platform begins to surface ongoing signals of account safety, including login alerts, device monitoring, and security progress indicators. This evolution represents a shift from reactive recovery to continuous trust-building.

Driving alignment across teams

Given the scale and complexity of the ATO problem, this work required close collaboration across multiple teams, including Product, Risk, Payments, and Engineering. Early in the project, the scope included a wide range of assets, including merchant-specific experiences that introduced significant complexity. To maintain momentum, I proposed a phased approach that focused first on core consumer scenarios, allowing us to establish reusable patterns before expanding into more complex domains.

Research insights also played a key role in reshaping priorities. As we uncovered the importance of financial reassurance, we worked closely with the Payments and Disputes teams to better understand how transaction visibility and dispute flows could be integrated into the recovery experience. This ensured that the design addressed not only account security, but also financial confidence.

Throughout the project, design served not just as an execution function, but as a driver of product direction. By grounding decisions in research and iterating through prototypes, we were able to align teams around a shared understanding of what trust means in the context of account recovery.

Impact and outcomes

While the redesigned experience is still evolving, we expect meaningful improvements across key metrics. By simplifying the recovery flow and prioritizing clarity, we anticipate an increase in completion rates and a reduction in support calls related to ATO incidents. Clearer communication around financial safety is also expected to reduce external chargebacks, as users gain confidence in PayPal’s ability to resolve issues internally.

Beyond these measurable outcomes, the most important impact is the shift in how we define success. Rather than focusing solely on task completion, we now consider whether users leave the experience feeling confident, informed, and in control.

Reflection

This project fundamentally changed how I approach design. What began as an effort to improve a recovery flow evolved into a broader exploration of how systems communicate trust.

In high-risk moments like account takeover, usability alone is not enough. Users are not simply completing tasks—they are trying to regain a sense of security. Designing for these moments requires a deeper understanding of human behavior, emotional context, and the relationship between transparency and confidence.

Ultimately, this work reinforced a key principle:

Trust is not built by showing everything.
It is built by helping users understand what matters.