catalyst / moodle-tool_mfa

A Multi-Factor Authentication Moodle plugin with flexible support for TOTP, Email, IP and more
https://moodle.org/plugins/tool_mfa

Improve UX of factor login pages when 1 factor is enabled #421

Open alexmorrisnz opened 1 year ago

alexmorrisnz commented 1 year ago

The cancel button on login pages takes the user to a different factor if one is configured. When there is only one factor enabled or no factors left to try, clicking the button takes you to an 'Unable to authenticate' error page explaining what has happened.

It has been raised that it may be a better user experience if we had this button removed when only one factor is enabled, but this wouldn't show the user why they are unable to authenticate so there needs to be some thought around:

  1. If that 'unable to authenticate' page is required when one factor is enabled, perhaps it can be removed outright.
  2. If it is, is there a better UX that can be had by removing the cancel button?

abias commented 1 year ago

Thanks, Alex, for documenting this issue.

I would like to add two things:

  1. It's the 'I don't have my security key' button on the MFA login page, not the 'cancel' button which takes you to the 'Unable to authenticate' error page.

  2. The 'Unable to authenticate' error page isn't generally wrong as it provides the correct information to the user why he couldn't log in and what he should do now (get your security key / TOTP device again and log in again or contact your admin). However, it is still an error page which surprised our test users when they first clicked this button. If you decide not to remove this button completely as long as just one factor is configured (which would be understandable), a possible UX improvement could be to modify the 'Unable to authenticate' error page in a way that a) it uses the bootstrap info color instead of the error color and b) it shows a factor-specific (instead of general) string to tell the user why he cannot log in without providing the security key / TOTP key and c) maybe change the "Logout" button on this page to a "Log in again" button to give the user a better call-to-action.

Thanks, Alex