Story: As a user, I want my sensitive personal information to be protected with additional verification so that my financial and contact details remain secure even if someone gains access to my account.
Our user profile application currently displays all user information openly once authenticated. With increasing security concerns and regulatory requirements, we need to implement an additional layer of protection for sensitive data.
Current Profile Sections:
- Personal Information (Name, Date of Birth)
- Contact Information (Email, Phone)
- Address Information (Post/Home Address)
- Banking Information (Bank details)
- Social Media Links
Problem Statement: Users are concerned about the security of their financial and contact information. If someone gains access to their account (shared computer, shoulder surfing, etc.), all sensitive data is immediately visible.
As a user,
I want my sensitive personal information (contact details and banking information) to be protected with additional email verification
So that even if someone gains access to my account, they cannot view my financial and contact details without additional authentication.
Given I am logged into my account
When I navigate to my profile page
Then the Contact Information and Banking Information sections should be marked as "sensitive" and locked by default
And other sections (Personal Info, Address, Social Media) should remain normally accessible
Given I am viewing my profile with sensitive sections locked
When I look at the Contact Information and Banking Information sections
Then I should see only the section header with a lock icon
And the section content should be completely hidden (no form fields or data visible)
And there should be an "Unlock Sensitive Data" button in place of the content
Given I click the "Unlock Sensitive Data" button
When the request is processed
Then a modal should appear with a professional UI
And the modal should display "A verification code has been sent to your email"
And there should be a 6-digit code input field
And Submit, Cancel, and Resend buttons should be available
And a 6-digit code should be generated and logged to the backend console (simulating email)
Given I have received a verification code
When I enter the correct 6-digit code and submit
Then the code should be validated against the backend
And if valid, all sensitive sections should unlock simultaneously
And the sections should show their full content and return to normal edit/view mode
And a 15-minute countdown timer should start
Given I have successfully unlocked sensitive sections
When the 15-minute timer is active
Then I should be able to view and edit sensitive data normally
And a persistent timer UI should show the remaining time
And I should receive a warning 1 minute before expiration
And when the timer expires, sensitive sections should automatically lock
Given I am using the verification system
When I interact with the security features
Then verification codes should expire after 5 minutes
And I should be limited to 3 verification attempts
And there should be rate limiting on code generation requests
And all security events should be logged for audit purposes
You have freedom to design the technical implementation, but consider these aspects:
API Design:
- RESTful endpoints for sensitive access flow
- Proper HTTP status codes and error responses
- Rate limiting and security headers
Frontend Architecture:
- State management for locked/unlocked states
- Timer implementation with visual feedback
- Modal/popup for verification flow
- Error handling and loading states
- All validation must happen on the server side
- Implement rate limiting to prevent abuse
- Secure token handling and session management
- Input sanitization and validation
- Comprehensive audit logging
- Email Integration: Skip actual email sending - log verification codes to console
- Security: Rate limiting and attempt restrictions as specified in AC6
Locked State Example:
┌─────────────────────────────────────┐
│ 🔒 Contact Information │
│ │
│ [Unlock Sensitive Data] │
│ │
└─────────────────────────────────────┘
Verification Modal Example:
┌─────────────────────────────────────┐
│ 🔐 Verify Your Identity │
│ │
│ A 6-digit code has been sent to │
│ your email address. │
│ │
│ Enter verification code: │
│ [□][□][□][□][□][□] │
│ │
│ [Submit] [Cancel] [Resend Code] │
│ │
└─────────────────────────────────────┘
Unlocked State with Timer:
┌─────────────────────────────────────┐
│ 🔓 Contact Information │
│ │
│ [Normal section content with │
│ edit/view functionality] │
│ │
└─────────────────────────────────────┘