alan-turing-institute / data-classification-app

Classification webapp for the Turing Data Safe Haven
MIT License

User Testing - Authentication #264

Closed bw-faststream closed 4 years ago

bw-faststream commented 4 years ago

When authenticating the webapp to get access for the first time - using a mobile call is very slow - while the text authentication is very fast.

tomdoel commented 4 years ago

@jemrobinson @JulesMarz I remember there being discussions about 2FA problems when logging into the safe haven environments.

The 2FA is provided by Azure so I don't think there's anything we can do to improve it, but we could modify the documentation to highlight any issues.

tomdoel commented 4 years ago

Though I'm also noting @bw-faststream is talking about authenticating an account for the first time, which is similar but not quite the same as 2FA. But again it's provided by Azure/Microsoft.

jemrobinson commented 4 years ago

What's our recommended authentication method? I think that in order of reliability: push notification in the app > phone call > text.

bw-faststream commented 4 years ago

Agreed

jemrobinson commented 4 years ago

Maybe we should add instructions about how to set up the Authenticator app and drop the instructions about text authentication?

martintoreilly commented 4 years ago

I'm not sure how you've set up 2FA support in the web app, but when logging into the Safe Haven itself, only push notifications to the authenticator app and phone call are supported, as in both of these, the confirmation interaction occurs in the app/call "side channel". For text message or "generate code with authenticator app", support is required within the online authentication workflow to support entry and verification of the 2FA code.

tomdoel commented 4 years ago

The web app delegates to login.microsoftonline.com so any MFA is handled there according to how it's configured on the AD (the web app doesn't know about MFA).

But I think this issue mostly refers to the first-time login - this is actually what's described in the Safe Haven user guide.

What's happening now is that online classification occurs before the environments are created, so some users are going through the first-time login process when they log into the web app for the first time, instead of when they log into the environment for the first time.

This suggests we need to update the Safe Haven user guide, because presumably users don't need to go through SSPR if they have already done it when logging into the web app for the first time. It would probably make more sense to get users to log into the webapp rather than follow the SSPR link.

bw-faststream commented 4 years ago

I'm updating the Safe Haven user guide now.

tomdoel commented 4 years ago

User guide has been updated. Closing this issue as the underlying usability issues are with Azure MFA and are the same as for safe haven access.