At a client, we’re going to deploy the universal interface in a short while. While testing the client found an interesting flow concerning login and password recovery that is undesirable.
- In the universal interface, the user clicks the password recovery link.
- The browser is redirected to the indicium interface.
- The user enters their username/email and a token gets sent out.
- The user enters the token and new password en hits enter.
- The user enters a username and password to log in.
- The user enters their email TOTP token.
- The user gets redirected to the universal interface.
What happened during testing?
- Somehow the client manually went back to the indicium interface. And started the password recovery there. The process worked the same except he didn't get redirected to the universal interface as no redirect URL was available.
- They also tried to log in at the indicium interface, the login was successful but the client got stuck as they didn't have an application interface available. They we're in the Indicium interface that only provides options to log in, log out and reset passwords.
- Can we include a message on the general indicium login page to indicate that this only provides access for administrators? With a possible link to redirect people to the universal interface.
- Could we also change the logo as this will be running on a client URL and they would like people to understand that this is an interface to their systems?