Disable Verify button on first landing to the tfa form

Created on 23 August 2024, 3 months ago

Problem/Motivation

The TFA form has the Verify and Send buttons enabled on the first load of the page. When the form loads for the first time, there is no code to enter until the user hits the Send button. Keeping the Verify button enabled might confuse the user and also does not make sense with the flow. The button should only be enabled after the verification code is sent by clicking the Send button.
Also, after clicking the Send button, the button should be renamed to Resend; this will give the user a clear indication that the button has been clicked and that the user can click again to resend the code.

Steps to reproduce

  • TFA is turned on in the environment
  • Login as user for whom TFA is enabled
  • Two-factor authentication page is displayed after user enters correct password
  • Verify and Send buttons are enabled and both are functional.

Proposed resolution

Disable the Verify button, since it is not usable until the code has been sent by the user.
Once the Send button is clicked, enable the Verify button and also change the value of "Send" to "Resend".

Remaining tasks

User interface changes

Disable the Verify button on first load of the TFA form.

API changes

Data model changes

✨ Feature request
Status

Active

Version

1.0

Component

Code

Created by

🇦🇺 Australia Nadim Hossain

Comments & Activities

  • Issue created by @Nadim Hossain
  • Pipeline finished with Success
    3 months ago
    Total: 192s
    #262209
  • 🇦🇺 Australia Nadim Hossain

    Adding this patch version to get it used in the project for now -

  • Status changed to Needs review 3 months ago
  • 🇺🇸 United States jfurnas

    Would a better solution be to just send the verification code when the TFA activation form is first displayed?

    Seems counter-intuitive to have to click 'Send' first when you typically get the code sent automatically.

  • 🇦🇺 Australia mingsong 🇦🇺

    In a situation where there are multiple TFA methods enabled, the user might want to switch to another TFA method rather than Email. I think it is good not to send a TFA Email to the user by default until the user explicitly clicks the 'Send' button.

  • 🇦🇺 Australia mingsong 🇦🇺

    Thanks @Nadim Hossain for the patch. Is it possible to have functional tests for the new feature?

  • 🇦🇺 Australia mingsong 🇦🇺

    Change to 'Needs work' as functional tests for the new feature are required.

  • 🇺🇸 United States jfurnas

    @mingsong I am not sure I entirely agree with this.

    The 'send' button is only rendered if email is set up as OTP anyway (even with application code as well), so surely there's a way to trigger the automatic email if 'only' email OTP is enabled. This is not only a user experience improvement but also a pretty standard practice.

    At the very minimum, adding in some messaging on the page to indicate the user must first click 'send' to receive the code should be considered, as receiving the code automatically via email is a pretty standard practice in TFA, and without some messaging indicating users need to click it to even receive the first code, it isn't very user friendly.
