Move to staged login form #34766

Open
rullzer opened this issue Oct 24, 2022 · 3 comments
Labels: 1. to develop, design, enhancement, feature: authentication


rullzer commented Oct 24, 2022

The current login flow of Nextcloud is just a single form.
image

This is great and all. But it becomes a bit meh when using more advanced authentication. It just doesn't flow right.

For example 2FA.
image

This is always another click. GitHub and Google follow this flow nicer I think. By directly probing you for your 'preferred' 2FA method.
I know this is something slightly different. But maybe for a followup we could look at the way we do 2fa. Take the notification method here. That could just always fire.

The login flow becomes even less nice if you wanna use WebAuthn.
You have to press login with device. And then do your thing.

image

There are of course quite some design decisions and discussions. But like I said I feel the way that Google/GitHub/other big bag tech do it is something people are used to and would fit nicer. So more like an authentication flow.

  1. Enter your username/email
  2. Check if we can use WebAuthn
    a. If we can, show button "authenticate with device" (or whatever) (use https://www.twilio.com/blog/detect-browser-support-webauthn for example, together with info about the user if they have WebAuthn enabled)
    b. If we can't or user pressed "no use password", show password field
  3. If authentication works, directly show the 2FA choices
    a. As mentioned above, maybe remember the "preferred" way to always use that?

This would feel more modern and smooth IMO.

CC: @ChristophWurst as we talked about this a bit, @jancborchardt as always

P.s. I won't be able to drive this but wanted to get this out there

@jancborchardt

Sounds good to me! We just need to make sure the password management of the browser (or 3rdparty) still works.

(This is the case with Google etc so I assume it's not an issue, but just in case. :)


sunjam commented Nov 2, 2022

@jans23 should be of interest to you!


jans23 commented Nov 2, 2022

I guess this is intended already but just to make sure: If WebAuthn with PIN could be used successfully (in step 2) there is no need to ask for another factor (in step 3). (I assume 2FA is sufficient and 3FA is not desired.)
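The staged flow proposed in the issue, together with the point from the last comment that WebAuthn with a PIN should not be followed by another factor, written as a stage-selection function. This is an added example, not Nextcloud code and not part of any comment above; the function names, stage labels and state fields are hypothetical.

```javascript
// Added example. nextStage, the stage labels and the state fields are
// hypothetical names, not Nextcloud identifiers.

// Feature detection: WebAuthn-capable browsers expose PublicKeyCredential.
function browserSupportsWebAuthn(scope = globalThis) {
  return typeof scope.PublicKeyCredential !== 'undefined';
}

// Decide which stage of the login flow to render next.
// Assumed state fields:
//   username            value entered in step 1
//   webauthnSupported   result of browserSupportsWebAuthn()
//   userHasWebAuthn     server reports a registered device for this account
//   passwordRequested   user pressed "no, use password"
//   authenticatedBy     null | 'webauthn' | 'password' (set after server-side verification)
//   userVerified        server saw the user-verification (UV) flag in the assertion;
//                       this must come from the server's check, never from the client
//   twoFactorProviders  ids of the 2FA providers enabled for the account
//   preferredProvider   remembered 2FA provider id, or null
function nextStage(state) {
  // Step 1: nothing else can happen before we know who is logging in.
  if (!state.username) return { stage: 'username' };

  // Step 2: offer the device when both browser and account allow it,
  // unless the user explicitly asked for the password field.
  if (!state.authenticatedBy) {
    const canUseDevice = Boolean(state.webauthnSupported && state.userHasWebAuthn);
    return { stage: canUseDevice && !state.passwordRequested ? 'webauthn' : 'password' };
  }

  // Device possession plus PIN/biometric already counts as two factors.
  if (state.authenticatedBy === 'webauthn' && state.userVerified) {
    return { stage: 'done' };
  }

  // Step 3: go straight to the second factor, preferring the remembered one.
  const providers = state.twoFactorProviders || [];
  if (providers.length === 0) return { stage: 'done' };
  if (providers.includes(state.preferredProvider)) {
    return { stage: 'second-factor', provider: state.preferredProvider };
  }
  if (providers.length === 1) return { stage: 'second-factor', provider: providers[0] };
  return { stage: 'choose-second-factor', providers };
}
```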
