The login form should handle incorrect password inputs gracefully. When a user inputs the wrong password, the system should notify the user that their password is incorrect and allow them to try again.
Acceptance Criteria
Limit Attempts: Allow up to 5 wrong password attempts.
On the 5th wrong attempt, display a warning message.
Warning Message:
The warning message should prompt the user with "Have you forgotten your password? Would you like to reset it?"
The message should include options: "Reset Password" and "Try Again".
Reset Password Link:
If the user clicks on "Reset Password", they should be redirected to the password reset flow.
Implement the logic to handle redirecting the user to the password reset page.
Try Again Option:
If the user clicks on "Try Again", let them enter their password again. If the subsequent login attempts are also wrong, block further attempts for a predefined timeout (e.g., 30 minutes) and reset the attempt counter once that timeout has elapsed.
Notify the user about the lockout and the timeout.
User Feedback:
Provide immediate feedback for each wrong attempt, such as "Incorrect password. You have X attempts remaining."
The error message should be displayed in a visible and prominent location on the login form.
The error message should disappear when the user starts typing in the password field again or focuses on it.
Field Reset Behavior:
The login form should not reset all fields; only the password field should be cleared to allow the user to try again without re-entering their username.
Logging:
Log these attempts for security auditing.
Log when the prompt is shown and the choice made by the user.
Implementation Notes
Backend:
Modify the login endpoint to track the number of attempts per session.
Implement a mechanism for resetting the attempt count after a successful login or a timeout period.
Frontend:
Display warning messages and options (Reset Password, Try Again) after the 5th wrong attempt.
Implement the necessary UI/UX to show feedback for wrong attempts and lockouts.
Additional Notes
Ensure that the user experience is not hampered for genuine users who might repeatedly enter the wrong password by mistake.
The warning message and options should be clear and easy to understand.
Test this feature thoroughly, including edge cases like network issues, session timeouts, etc.