Posted on 06/11/2025 11:26:03
Hi Jan
Yes, I think this is out of scope for support. Good one for the forums! Then others can also see the request, add their views on the matter and we can learn from each other.
The flow is made like that on purpose to keep it safer. We could report back that the username is wrong or your password is wrong - but that will also make it possible to start trying out different username and password sets for attackers. If we were to change this, it would be username in step one (with no validation), password on step 2 - and if any of them are wrong, we could write out that "Credentials are invalid". Username and password steps are also divided into 2 steps instead of one to increase security and make it more difficult to automate password attacks. I understand that it can be difficult for a user to see what is wrong - but it is to keep things safe and attack attempts are many these days. But I do understand the issue from a UX perspective.
Basically I would recommend removing the password step completely (which is also supported) - in this way the user will just receive the OTP code (alternatively a link to finalize login). Another option is to use e.g. Entra login to re-use the security and UX of those platforms.
In the bigger picture we (like most of the industry) plan to phase out passwords entirely as they are hard to remember and generally not very secure with the threats we see today. We implement this in steps as people have a very hard time getting used to new ways of doing things - customers love the old days, even passwords, but there are a lot of initiatives in browsers, mobile devices etc. to phase out passwords in favour of new, more modern and secure ways of doing things.
Let me hear your thoughts.
BR Nicolai
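A minimal illustration of the two-step flow and the uniform "Credentials are invalid" response described in the reply above, as an added Python example (not code from the forum or from the product being discussed). The in-memory user store, hashing parameters and message strings are constructed assumptions; the leaky variant is included only to show why the uniform message matters.

```python
import hashlib
import hmac
import os
import secrets

GENERIC_ERROR = "Credentials are invalid"  # same text whether user or password is wrong


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed example store: username -> (salt, password hash). Not real data.
_SALT = os.urandom(16)
USERS = {"jan": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy credential so an unknown username costs the same hashing work as a known
# one; otherwise response time alone would reveal which usernames exist.
_DUMMY = (os.urandom(16), _hash_password(secrets.token_hex(16), os.urandom(16)))


def step_one(username: str) -> dict:
    """Step 1: accept the username without validating it and move to step 2."""
    return {"username": username, "next": "password"}


def step_two(username: str, password: str) -> tuple[bool, str]:
    """Step 2: verify the pair; the message never says which part was wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, salt)
    # compare_digest is constant-time; membership check keeps dummy from matching
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (ok, "OK" if ok else GENERIC_ERROR)


def leaky_step_two(username: str, password: str) -> tuple[bool, str]:
    """The rejected design: distinct errors let an outsider enumerate usernames."""
    if username not in USERS:
        return (False, "Username is wrong")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Password is wrong")
    return (True, "OK")
```

Comparing `step_two("jan", "wrong")` with `step_two("nobody", "wrong")` shows both callers get an identical response, while the leaky variant tells them apart.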