Phishing vulnerability for emergency contact process

I was invited to be an emergency contact. I got an email that said click here to accept. It wanted my login and master vault password. Realising this isn’t particularly safe, I logged in independently but couldn’t see the invite in the UI anywhere obvious. Double-checking URLs etc., I followed the only method that seemed available, but this does feel like a vulnerability for the majority of less technical users.

Could there be an approach that forced a login through the website independently of the link, then a signposted experience that alerted a newly logged-in user to an invitation that should be accepted or rejected (or perhaps silenced)?

@o00o Welcome to the forum!

Is your request about the Bitwarden Password Manager, or about the Passwordless.dev toolkit?

Bitwarden Password Manager

I have moved your post from the Passwordless.dev section to the Password Manager section of the Community Forum.