I would like to see various aspects of the onboarding process (specifically for organizations) improved.
This post will break the request in “About the Feature Requests Category” to “Be Specific”, because I would like to encompass the entire onboarding process so it can be considered as a whole.
The current process:
- Org Admin invites user(s) [through directory connector in my case]
- User receives an email with an invitation link [user may or may not already have a Bitwarden account, for the rest of this post I will assume they do not]
- User clicks the link in the email and is asked to either login or create an account
- User clicks create an account, their email is populated, they enter their name and pick a master password, and check the box agreeing that nobody reads ToS [sorry for the sarcasm]
- User is prompted to re-enter their username (beginning of standard login process)
- User is prompted to re-enter their password
- User is prompted to enter a 6-digit email verification code [Org Admin enforced 2fa policy requirement]
- User is presented with their web vault for the first time (end of standard login process) [I’m OK with everything so far, but from here I see areas of improvement]
- Org Admin receives an email notice to confirm the new user into the organization [which seems to serve little actual purpose, given that billing for the user starts when the invite is sent rather than when the invite is accepted. This should probably change! If possible, don’t bill until the user is fully joined to the organization. Also, an admin has to send the invite, so the admin already expects the user to be joining the organization; confirming the user after they create an account feels like a lot of back and forth]
- The vault displays a message asking the user to click a button to verify their email address [even though we received an invitation via email, and then also a 6-digit email verification code. This should probably change! Any user who joins via an email invite link has pretty much already confirmed their email by using the invite link. Further, if the admin requires 2FA, the default method is email, so the 6-digit code used in the process above is additional confirmation that the user’s email is valid]
- User receives an email with a link to verify their email address, which when clicked shows a small toast message indicating the email has been verified, but the page itself is a login page. The user does not need to log in, but does log in because that’s what’s in front of them. The login process involves another 6-digit email verification code [2FA is great, but showing the login page at this point is misleading. This should probably change! Just show a simple “your email has been confirmed” page and instruct the user that they can close the tab now]
- There is no “welcome modal” or anything informing the user what they might need/want to do next [this should probably change! Maybe show a welcome modal that starts with “don’t forget to install/set up the browser extension; based on your user agent you need X” and links to the appropriate browser extension. Maybe the web vault could display something that looks like the yellow email verification card saying “Click here to set up your browser extension”, using color to draw attention, and if the browser extension is installed it could interact with the vault to hide the browser extension card automatically. Maybe also consider a guided tour along the lines of “this is where you click to do X”]
- User installs a browser extension, clicks login, enters username and password, and is then told that a 6-digit email code has been sent, and that they should click “yes” to pop the window out of the extension modal (or “no” to have a bad time, lose their progress, and have to start the extension login process over) [this should probably change! Maybe if the user clicks the extension icon while not logged in, just open the pop-out, no questions asked. Always do the pop-out for the login process; this would greatly reduce user friction in getting logged into the extension. If the user closes the extension hover-over while trying to get the 6-digit email verification code, they have to start over and are prompted to request a new 6-digit code, potentially leading them into a loop of accidentally closing the hover-over and repeating the process]
- User is finally done with onboarding (assuming they do not need to import passwords from a previous provider - but I do not have any issues with the current process for importing passwords from a previous provider)
In the process of onboarding ~150 users, I allowed many to self-serve, and somehow many of them managed to successfully sign up for an account but not accept the invitation to the organization. I am not positive where exactly this could have broken in the process, but in doing so, they also ended up skipping enrolling in the 2-step email verification. Future invites sent to the users then inform the user that they cannot accept the invite until they enable 2-step, but the user is not taken to the page to do so. Once the user makes it to the page to enable 2-step and completes the process of enabling 2-step email verification, the modal looks like this:
It’s pretty, but the “Turn off” button being blue kind of makes it feel like the next step is to click the blue button (which would undo the progress made in turning ON email 2-step verification). This is kind of just a visual design nitpick (the eyes tend to gravitate towards the button that looks more actionable as the logical next step).
THEN the user can finally go back to their email and click the invitation link again, log in again, and finally be told they have accepted the invite and must be confirmed by the Org Admin. This should probably change! Maybe, in the web vault, display something along the lines of “pending organization invitations” so the user doesn’t have to return to their email.
Please excuse any cynicism in the way I have described the process above. I do not intend this to be an angry post directed at the developers. As the IT admin tasked with rolling Bitwarden out to a large group of very many non-technical users (after advocating for Bitwarden), I would love to see this process looked at less like a puzzle and more like a coloring book. I want new user onboarding to be as frictionless as possible so that future onboarding can be a greater success and happen quicker, especially at larger scale than what I have done so far. I understand that some of what I am mentioning (guided tours) could annoy some of the power users who love Bitwarden for NOT babying new users, but this puts the burden of hand-holding users on the IT staff in charge of rolling everything out. This may not be an issue for small teams, but at scale, improvements would be appreciated. Also, I am more than willing to discuss any other ideas suggested to improve the onboarding process, and I recognize some of the intricacies are imposed by the organization 2fa requirement policy (which I addressed above with a possible suggestion to improve).
Thanks for reading!
P.S. The only other pain point for me leading up to this post was having a Google Workspace with multiple “secondary domains”: the BW Directory Connector only allows importing users from one domain at a time. The program has an option to “Remove disabled users during sync”, which actually removes any users the sync cannot see based on which domain is being synced. E.g., sync example1.com, then sync example2.com with the box checked, and the users from example1.com are removed, so they now have an invalid invitation in their email. This can be a separate topic/feature request, but really it just needs better wording (“Remove users not found with these sync settings” or something), and/or make it red.