Retrieve password/user name in authentication window #856
Comments
|
Random comments. What you're seeing is a standard HTTP basic authentication prompt that's browser-initiated and can't be modified. I think we probably should fork this in to two issues: one for implementing a "forgot password" feature (initially on the "access denied" page), and one for switching away from the browser-provided HTTP basic authentication to a more traditional in-page user/password prompt. The latter needs #822 to be resolved before we can start. The former probably needs considerable design work – e.g. How do we verify that the person resetting a user's password really is that user? If SMS is already up and running, we could potentially send a verification code to the user via SMS; if it's not yet (say, the admin installed and then promptly forgot the password), it's a bit more involved and might be better done from the Windows launcher. |
ghost
assigned
|
Assigning to @abbyad to indicate need for feature triage/scheduling. |
|
I think part of the reason we are using Basic Authentication is because it simplified our automated data exports beause we can do authentication via URL. |
|
We should split this up accordingly into issues for:
|
abbyad
added
the
Status: Blocked waiting for design
|
That last one may overlap with #838, at least in the error pages case. It's probably possible to keep basic authentication for some of the automated / computer-to-computer use cases – i.e. move the UI over to a session cookie based authentication system, but keep basic authentication support for clients like SMSsync. Worth looking in to. |
|
Reassigning for further design work |
|
-- We need user stories/scenarios (e.g. a user who is offline is logged out and needs to log back in, see the password that you're typing/mistakes, what feels reasonable in terms of password requirements, resetting passwords, security questions. Retrieve Username/password in authentication window (some technical limitations). Marc has split this up into components in the comments above. Also related to issue #1471 -- Estelle is the dev person on this; Dave and Gareth have the most technical knowledge and can support. |
|
For CHWs, likely methods of getting a new password would be: a. visiting their local branch and getting IT support to issue a new token a sounds laborious; b would be suitable as long as the token was one-time (single-use); c would be difficult for the CHW as precisely entering a string of words or characters into a phone, while simultaneously on a call on that phone, would be fiddly |
|
@alxndrsn I presume we could make it an android intent link, and that link would be clickable on phones that are able to run android apps? |
|
@SCdF Sounds plausible! And obviously a standard internet link is not much use to app users 👍 |
|
Pinging @MaxDiz on this to help determine priority. |
|
Some additional information, questions, and UX suggestions on this topic can be found here: https://docs.google.com/document/d/1tgoRzN0DPMFupOy5VkjjH7qtoqACpGUJ-XMnPFhj210/edit#heading=h.wo98a2l6uybf |
this seems to be addressing a different security issue - lock screen |
|
@garethbowen can we combine this ticket with #1557? |
|
They should be considered together but they'll have slightly different use cases and implementations. I think it's ok to keep them as two related issues that may or may not be solved at the same time. |
|
Adding this for consideration related to remote onboarding for the covid response |
|
The earlier comment which mentions tokens or SMS could be realized using Magic Links as was suggested in this recent forum post, but with a form submitted out of band while not being logged in. |
Need a way for a user to retrieve a forgotten password or user name when logging in to Medic Mobile.
The text was updated successfully, but these errors were encountered: