Error experience is not great

maxime-rainville commented 2 years ago

When a user puts in the wrong YubiKey, you get a somewhat bad experience.

It tries to log you in and fail without giving you a useful message. It just tries to have you log in again.

https://youtu.be/vIR77GRI8Do

maxime-rainville commented 2 years ago

@silverstripeux ^

clarkepaul commented 2 years ago

@maxime-rainville can we actually give more appropriate messaging? e.g. key not recognised, key not detected, timed out.... etc.

ScopeyNZ commented 2 years ago

The server relays the message straight from the underlying authentication library. I'm not sure how user friendly this message is. Right now it's ignored by the UI.

We could either:

Assume that the wrong key is the most likely message and reword the default message as such.
Pass through the message from the server straight to the user, which might be over technical
Do some work to map the messages that can be given to us by the underlying authentication library to user friendly messages we have control of. (The messages are probably all here: https://github.com/web-auth/webauthn-lib/blob/v3.3/src/AuthenticatorAssertionResponseValidator.php)

Last option would be nicest, but also the most work 😛

silverstripe / silverstripe-webauthn-authenticator

Error experience is not great #99