Wp-calypso: 2fa: Verify by App flow should be independent of phone number

Created on 12 Sep 2019 · 7 Comments · Source: Automattic/wp-calypso

Steps to reproduce

  1. Starting at URL: https://wordpress.com/me/security/two-step
  2. Go through two-step authentication flow with the intent of using an app.
  3. Experience the weirdness.

What I expected

To be able to set up two-step authentication by app without entering a phone number.

What happened instead

I had to write in the input field to enable the verify by app feature.

Context / Source

Design Security [Type] Bug

All 7 comments

After testing the 2fa flows, I found that the phone number is required because SMS can always be used as a backup option for recovering app-based 2fa.

Assuming we want to preserve that, the phone number requirement is still needed. I think many users would still think they should be able to skip phone entry if they want to choose Verify via App, so I think we can improve it by making the phone number entry a separate step from the verification method selection.

I think this needs a bit more research (maybe a P2 post?), since I'm expecting users to be more concerned about entering their phone numbers than confused about what's the chosen authentication method.

I see the ideal scenario for these concerned users would be one where we don't require a phone number and the verification method selector is moved to the first step. If a user selects the auth app and doesn't enter a phone number, then they wouldn't have a backup option for recovering app-based 2fa.

But perhaps that backup option is there for a historical reason I'm unaware of, so that's why I think it might be worth it to do a further exploration first.

> since I'm expecting users to be more concerned about entering their phone numbers than confused about what's the chosen authentication method.

Yes, this. The ideal solution is for the verification method to come first and be independent of a phone number. If we can't do this at this time, I think keeping the existing flow is better than adding an additional step.

I'd like to get @xknown's thoughts here.

@c-shultz Are you still working on this one? It came up in a bug scrub and there's what looks like a related issue at https://github.com/Automattic/wp-calypso/issues/36809 and PR in https://github.com/Automattic/wp-calypso/pull/36811 waiting for review (it might need refreshed due to age).

@kriskarkoski,

No, I'm not working on this one anymore.

@sixhours Pinging since this is no longer being actively worked on in case you want to adjust it on your board where it's marked as in Development.

I'll move this over to our new Manage project list to be triaged. Thanks for the heads-up @kriskarkoski!
