
Improve the sign-in flow to deter users from entering credentials into the wrong server

Open thomasmdickinson opened this issue 1 year ago • 3 comments

Pitch

At present, when logging into a Mastodon 4.x server, users click "Sign In" and are taken to an extremely minimalist sign-in page, where the only indication of what server they are actually signing into is in the URL bar.

[Screenshot: sign in page on mastodon.social]

Obviously, users should be attentive to the URL bar, and they should understand what they are doing well enough to know that this page is not for them unless they have an account on this server. But I have reason to think that in a significant minority of cases they do not understand this, and this poses a security risk to them.

When attempting to follow a user on a different server, the prompt includes some explanatory text, followed by an On This Server subheading with options Sign In and Create Account, and an On A Different Server subheading with some additional instructions.

[Screenshot: attempting to follow @Gargron on mastodon.social]

I find the offered explanation relatively clear, but it is naive to expect that even the best explanations will deter confused or careless users from entering their credentials where they do not belong.

I propose a revision to the sign in flow like the following, to make it more difficult for users to enter the wrong credentials by accident:

[Mock-up: proposed revision to follow prompt]

  • Sign In
    • I have an account on mastodon.social (this would take them to the login form)
    • I have an account on another mastodon server (This could reveal the current "On a Different Server" subheading.)
  • Create an account
    • Create an account on mastodon.social (this would take them to the sign up form)
    • Find another mastodon server to join (this would take them to joinmastodon.org)

That’s my recommendation for the follow prompt. I also think the language “with an account on Mastodon” should be amended to “with an account on any Mastodon server”, as the former promotes a misunderstanding of what the user’s account is and who it is with, which could be confusing to new users and result in increased security risk.

I think an analogous prompt should also be encountered before signing in via the “sign in” link (outside the context of a follow). I don’t think a user should ever be confronted with an email and password field unless they have clicked a button affirming something like “I have an account with [server name].” (I don’t think the phrase “this server” holds the user's hand enough, I think the name of the server should be included for additional clarity).

Additionally, I think the sign in page should have language added reminding users which server they are logging into, and that they should not enter their credentials into login pages other than the one they usually sign in on. My bank constantly reminds me of this. I realize a security mishap with bank credentials is obviously much more impactful than one with Mastodon credentials, but given the number of Mastodon servers with completely identical login pages, the likelihood of misunderstanding is very high compared to a bank login.

Motivation

At present, it is too easy for confused/careless users to enter their mastodon server credentials where they do not belong.

I have seen numerous cases on the /r/mastodon subreddit that motivated this concern. I’m not going to link to those reddit threads and comments here because that’s not really fair to those users and may cause them embarrassment, but if it’s truly necessary I can provide them on request.

In many cases confused new users don’t understand what it means to sign up for a “mastodon server”, particularly when they sign up through the mobile app. Some users sign up for a server, come to the subreddit claiming they can’t sign in “to mastodon” or never got a confirmation email “from mastodon”, and then when they are asked what server they signed up for, they don’t know what that means. In one case, a user thought they were signing up for a service called “mastodon” and when prompted to select a server they thought they were being asked to select one or more “spaces” to use within that account (like subreddits and Discord "servers"). This resulted in them signing up for a foreign-language server that sent a confirmation email they could not read.

(I didn’t open this issue specifically to advocate for more clarity in the mobile sign-up process, although that is obviously needed, but I’m aware the problem is being worked on. Here, I only mention it as background context).

In several other cases, users have reported that they “tried to log in” on one mastodon server with their credentials from another server. This is very concerning… I’d have thought that users would know better than to enter their credentials for one website into a completely different website, but it’s possible that confusion (over what a federated service is and how it works) has them lowering their guards and thinking “maybe this is how it’s supposed to work.”

For instance, in one case, a self-described “email admin by trade” described seeing “a login page that’s identical to my home server’s login page,” thinking “I guess I use my Mastodon account credentials,” entering in the login for their home server, and getting the error “invalid email address or password”.

I find this behavior really distressing, particularly coming from a technically sophisticated user. It’s troubling that users misunderstand the nature of their own accounts badly enough that they are willing to enter their logins in any old form, and I can see this being exploited by phishing attempts in the future. One could blame the user, but I don’t find that productive; I think the design needs to promote better understanding of when and where it is appropriate to enter their login credentials and encourage greater attention and caution.

Incidentally I think this needs to be tackled from both ends, sign up and log in. Users should not be encouraged to sign up without having an understanding of what they are actually signing up for. But I know work is already being done in the sign up area so I opened this issue to discuss the login problem.

thomasmdickinson, Nov 28 '22 20:11

https://github.com/mastodon/mastodon/pull/20946

connyduck, Nov 28 '22 20:11

I agree that some users likely get confused by the current dialog, I think the better option would be to re-enable support for OAUTH_REDIRECT_AT_SIGN_IN which was removed back in January.

wmandra, Dec 05 '22 18:12

In the "On a different server" case, could you allow the user to input their home server, then redirect to the proper authorize_follow/share intent? Is leaking the user's server a concern?

Edit: For example, a link to a new DM. Right now this only works for users on the same server: https://mastodon.freshman.dev/share?visibility=direct&text=@[email protected]%20

Here's a mock-up which intercepts a parameter to ask the user if they'd like to switch servers: https://mastodon.freshman.dev/share?resolve=true&visibility=direct&text=@[email protected]%20

cfreshman, Dec 13 '22 09:12
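As an added example (not code from the Mastodon project or from anyone in this thread), here is what the server side of the "let the user type their home server, then redirect them to the proper intent" step described in the comment above could look like, written so the redirect cannot be turned into an open redirect. Because the typed value ends up in a `Location` header, it is reduced to a bare hostname first: the scheme is forced to https, the path is fixed, and anything with a port, path, userinfo or non-hostname characters is rejected rather than passed through. The `/authorize_interaction?uri=` path is assumed here to be the remote-interaction endpoint a Mastodon server serves; the module name, method names, and the exact hostname rule are assumptions of this example.

```ruby
require 'uri'

# Added example, not Mastodon's implementation: build a safe redirect from a
# user-typed "home server" to that server's remote-interaction endpoint.
module RemoteInteractionRedirect
  # RFC 1123-style hostname: dotted labels, letters/digits/hyphens only,
  # at least one dot. Rejects ports, paths, userinfo, schemes, IP literals.
  # (Hostname rule is this example's choice, not a project rule.)
  HOSTNAME = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/

  class InvalidServer < ArgumentError; end

  # Tolerates the ways people actually paste their server ("mastodon.social",
  # "https://mastodon.social/", "@alice@mastodon.social") and returns a bare
  # lowercase hostname, or raises InvalidServer.
  def self.normalize_server(input)
    s = input.to_s.strip.downcase
    s = s.sub(%r{\Ahttps?://}, '')            # pasted URL -> drop scheme
    s = s.split('@').last if s.include?('@')  # pasted @user@host handle -> host
    s = s.sub(%r{/.*\z}, '')                  # drop any path or query
    raise InvalidServer, "not a server hostname: #{input.inspect}" unless HOSTNAME.match?(s)
    s
  end

  # The redirect target: scheme and path are fixed by us, only the host comes
  # from the user, and the thing to act on is passed as an encoded query value.
  # Note the current server necessarily learns the hostname the user entered.
  def self.redirect_url(home_server_input, target_uri)
    host = normalize_server(home_server_input)
    URI::HTTPS.build(
      host: host,
      path: '/authorize_interaction',
      query: URI.encode_www_form(uri: target_uri)
    ).to_s
  end

  # Text to show the user before redirecting, naming the server explicitly
  # (the thread's point: never leave "which server" to the URL bar alone).
  def self.confirmation_text(home_server_input)
    "You will be sent to https://#{normalize_server(home_server_input)} to sign in there."
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, not taken from any real request.
  puts RemoteInteractionRedirect.redirect_url(' https://Example.Social/ ',
                                              'https://mastodon.social/@Gargron')
  %w[javascript:alert(1) example.social:8443 localhost].each do |bad|
    begin
      RemoteInteractionRedirect.normalize_server(bad)
    rescue RemoteInteractionRedirect::InvalidServer => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The normalization accepts only what a human would type as "my server" and refuses anything that would let a crafted link (for instance a `?home=` parameter) steer a victim to an arbitrary URL or scheme; the confirmation string names the destination host so the user sees where their credentials are about to go before the redirect happens.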