Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.I just tried entering a recovery code using a browser I'd not authenticated with.
It didn't give me any errors and took me to my account page. Does that mean it worked?
The form should output a message to confirm the code has been successful.
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | 2483555-5-recovery-code-ui-feedback.patch | 1.19 KB | banviktor |
Comments
Comment #1
gregglesCan you suggest some copy?
Feels like a feature and re-stating the title to be a statement of what to do instead of what not to do.
Comment #2
joachim CreditAttribution: joachim commentedSubmitting a form should give feedback -- I thought that was a standard UX principle.
Not giving feedback leaves the user confused as to whether their action was successful or not. Therefore this is a UX bug.
> Can you suggest some copy?
'The recovery code has been validated. You are now authenticated.'
Comment #3
gregglesIs there an issue in core to add feedback from submitting the login form? Because it doesn't give any explicit feedback of the kind you mention.
TFA login is a new flow, but it's fundamentally part of logging in. The feedback that you have succeeded in logging in is that you are logged in.
If anything I think it's worth mentioning that the recovery codes are one-time-use and that the code they've just used cannot be used again. But saying "That worked, you are logged in" feels redundant to the fact that the UI has changed dramatically and the person is logged in.
Comment #4
banviktor CreditAttribution: banviktor at CARD.com commentedI agree with @greggles that the fact of a recovery code validation doesn't need any special feedback.
However I think it would be nice to inform the user about how many remaining codes they have and if they just used up their last one give a link too to the setup page.
Comment #5
banviktor CreditAttribution: banviktor at CARD.com commentedPatch added.