zitadel/zitadel

Various improvements on the account linking flow

Closed this issue · 7 comments

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

You made significant improvements in the account linking. Thanks @livio-a, this is already a huge step forward.

We tested the complete flow and have a few things we think are still confusing for the user.

Our setup:
We have one IDP (Microsoft) and we do not allow registration of new accounts in the settings of our organisation.

Problem 1:
The user clicked on the Microsoft-Icon and did the authentication. Then he ends up on this screen:

Here we see the following problems:

  1. Our users do not know about their username, but just the E-Mail address. Therefore the username may be confusing, as it is not always in this readable format as we have it on this screenshot.
  2. The button "Andere Optionen" leads to a complicated form where the user can link to a different account than the one matching his e-mail (which does not make sense in my opinion, as he is the owner of this e-mail address and there is an account with this e-mail, we do not want him to link to something else). And even worse, he can create a new account (which is disabled in our org settings). We think the perfect solution here would be to just hide this "Andere Optionen" button if it is not possible to create accounts on the organisation. Or am I missing something here?

Problem 2:

After clicking on "Verlinken" I get to this page. When clicking on the "Back" button on the top left, I end up at the beginning of the login flow, which is wrong, as I would expect to be back on the screen seen in "Problem 1".

Problem 3:

After entering my password I do see this screen. Here I can see the following issues:

  1. There is a typo in the default title "Benutzerkonto verknpüfen"
  2. What is the expected behaviour of the "Abbrechen"-Button? Currently the result is the same if I click on "Abbrechen" as if I click on "Weiter". I think we could just remove the "Abbrechen".

Problem 4:
This is maybe more a question than a problem. We have enabled two factor authentication on our accounts. So after the account linking I then have to enter my second factor defined on Micromate. Does this make sense? Shouldn't that be covered by the second factor on my Microsoft account? Or are there any security-considerations behind this?
For me as a user I find it a bit confusing to see the micromate two factor as I would expect all of that to be handled by my Microsoft Login.

Problem 5:
Lost in "Two factor auth". When having my Microsoft Account linked and trying to log in using this account, I see (as described in Problem 4) the two-factor screen. When I want to use the back link on the top left, I'm not able to leave this screen. The only option to get away is actually to clear my cookies. Here is how it looks:

TwoFactorLost.mp4

Describe your ideal solution

Having a solution where our users are not somehow lost in an account mess.

Version

No response

Environment

ZITADEL Cloud

Additional Context

No response

Hi @sschoeb

We need to have a look at the different things you mentioned.

Problem 4 you can already solve:
You can configure in the login policy if you only want local accounts to be forced for mfa or all accounts.

@hifabienne Thank you very much for your reply. Let me know if you need any further details on something.

Problem 4:
Didn't know about this setting. Great, thank you.

@hifabienne As an update on this. Just had again a user who was able to create a mess with his account by using the "Andere Optionen"-option.

He was able to create a second account (even with this option disabled in the Login-form settings). Which then obviously ended up in a mess as he was confused. It would be great to have some solution for just this problem.

Hey @sschoeb I checked, but could not yet find the issue, resp. reproduce it. Could you maybe send the details (user ID / username, ...) via mail?

I've discussed this with @livio-a and he could help us out with the basic problem. To solve the issue that the user can create accounts you have to disable the

With this configuration our users at least are not able to create additional accounts, which is already a good improvement. But checking the remaining flow, we think there is still some work to do:

In case the user clicks on the "Other options" button, he ends up on this screen:

The texts are subject to change. I've adjusted them as well as possible for now. But the problems we have with this screen:

  1. The checkboxes do not make too much sense here
  2. We do not see the use case where a user who has an account with the same e-mail gets linked to another account with a different e-mail. If the user uses this UI to link himself to another micromate account than the one with the matching e-mail, then the user again ends up in a very confusing situation.

Solution proposal:

  • Do not show "Andere Optionen" button if there is no registration possible.

@sschoeb since we now link automatically, can we close this?

@livio-a just tested it. This is now the perfect flow we would expect! Thank you very much for your effort.

As all these screens in this issue are no longer there, everything is fixed and this issue can be closed.