Modify feedback behavior when credentials are incorrect #560
Description
Current behavior
With 2FA set to be enforced, when trying to log in with a user that does not exist, the feedback is immediate, warning the user that the credentials are invalid.
But when you try to log in with a user that exists but the password is incorrect, the system requests the 2FA code (or sends the 2FA code by email, depending on the configuration), and only after entering the 2FA code does the user receive feedback that the credential is invalid.
But the message is not clear, which makes the user think that they entered the wrong 2FA code, when in fact they entered the wrong password.
Desired behavior
We believe that the ideal is to provide feedback immediately when trying to log in with the wrong password, avoiding requesting the 2FA code and leaving the user thinking that they are having problems with 2FA.
Describe alternatives you've considered
If it is not possible to change this behavior, adding a clear message specifying whether the login issue was a wrong credential or a wrong 2FA code may help.
Thanks!