[user experience regression] SSO device authorization flow new confirmation page

Hello,

We have a desktop application which leverages the AWS SSO device authorization flow [1].

Until recently (days) the flow had been:

  1. User clicks on "Login"
  2. A new browser window is opened for the user.
  3. User confirms the login attempt [3].
  4. Desktop application is ready.

Today we noticed that this flow has been modified and a new user-visible confirmation step was added:

  1. User clicks on "Login"
  2. A new browser window is opened for the user.
  3. In the browser:
    3.1. User confirms the device code is legit [2].
    3.2. User confirms the login attempt [3].
  4. Desktop application is ready.

I am perfectly OK with verifying that the device code is legit; however, from a user experience point of view, there is no reason to have two steps... once the code is confirmed, the user is actually confirming the authorization request. When adding 3.1, step 3.2 should have been removed and its text moved to 3.1.

To summarize: device code confirmation during the device authorization flow provides better user protection; however, for user experience it should be merged with the authorization request confirmation and not added as a new confirmation step to the flow.

SSO is all about user experience, to make it easier to access a service without bothering the user (as much as possible).

I will be happy to know what others think about the modified user experience.

Regards, Alon Bar-Lev

[1] https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sso-oidc/client/start_device_authorization.html

[2] Stage-3.1

[3] Stage-3.2

  • I also noticed this new behavior, tried researching it, but wasn't able to find anything on it. This seems like new functionality, where do I find some kind of documentation on any new AWS functionality which is noticed in the future? Thanks to the boto3 link provided by OP I see that there is userCode in the call response, which kind of confirms the new pop-up window's legitimacy.
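The following is an added example, not code from the original post or from AWS: it drives the SSO OIDC device authorization flow the post describes (`register_client`, `start_device_authorization`, polling `create_token`) and shows the `userCode` from the response in the desktop application, so the user can check that the code the browser page asks them to confirm is the same one their own app issued (the cross-check the comment above refers to). The `FakeSsoOidcClient` and `FakeClock` are constructed stand-ins so the block runs offline; they expose the same method names, response keys and `.exceptions` classes as a boto3 `sso-oidc` client, but boto3 is not imported. The start URL, client IDs and token values are made-up.

```python
import time

# Grant type used by the device code flow (RFC 8628 / AWS SSO OIDC CreateToken).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


def run_device_flow(client, start_url, client_name="example-desktop-app",
                    show_code=print, sleep=time.sleep, now=time.monotonic):
    """Run the device authorization flow against `client`, which must expose
    register_client / start_device_authorization / create_token and an
    `.exceptions` namespace like a boto3 sso-oidc client. Returns the token
    response or raises TimeoutError once the device code expires."""
    reg = client.register_client(clientName=client_name, clientType="public")
    auth = client.start_device_authorization(
        clientId=reg["clientId"], clientSecret=reg["clientSecret"], startUrl=start_url)

    # Display the user code locally: the user should approve in the browser
    # only if the page shows this exact code (guards against a code that was
    # started by someone else and merely forwarded as a link).
    show_code(f"Open {auth['verificationUriComplete']}\n"
              f"Approve only if the browser shows the code: {auth['userCode']}")

    interval = auth.get("interval", 5)        # seconds between polls
    deadline = now() + auth["expiresIn"]      # device code lifetime
    while now() < deadline:
        try:
            return client.create_token(
                clientId=reg["clientId"], clientSecret=reg["clientSecret"],
                grantType=GRANT_TYPE, deviceCode=auth["deviceCode"])
        except client.exceptions.AuthorizationPendingException:
            pass                              # user has not approved yet
        except client.exceptions.SlowDownException:
            interval += 5                     # RFC 8628 3.5: back off by 5 s
        sleep(interval)
    raise TimeoutError("device code expired before the user approved the request")


class _Exceptions:
    """Mirror of the exception classes a boto3 sso-oidc client exposes."""
    class AuthorizationPendingException(Exception):
        pass

    class SlowDownException(Exception):
        pass


class FakeSsoOidcClient:
    """Constructed offline stand-in for a boto3 sso-oidc client (hypothetical data)."""
    exceptions = _Exceptions

    def __init__(self, approve_after_polls=3):
        self.polls = 0
        self.approve_after = approve_after_polls

    def register_client(self, clientName, clientType):
        return {"clientId": "client-id-constructed", "clientSecret": "client-secret-constructed"}

    def start_device_authorization(self, clientId, clientSecret, startUrl):
        return {"deviceCode": "device-code-constructed", "userCode": "ABCD-EFGH",
                "verificationUri": "https://device.sso.example/",
                "verificationUriComplete": "https://device.sso.example/?user_code=ABCD-EFGH",
                "expiresIn": 600, "interval": 1}

    def create_token(self, clientId, clientSecret, grantType, deviceCode):
        self.polls += 1
        if self.polls == 1:
            raise self.exceptions.SlowDownException()        # first poll: told to back off
        if self.polls <= self.approve_after:
            raise self.exceptions.AuthorizationPendingException()  # browser step not done
        return {"accessToken": "access-token-constructed", "tokenType": "Bearer", "expiresIn": 3600}


class FakeClock:
    """Simulated clock so the polling loop runs without real sleeps."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo(approve_after_polls=3):
    """Run the flow offline; returns (token response, polls made, seconds elapsed, shown text)."""
    clock, client, shown = FakeClock(), FakeSsoOidcClient(approve_after_polls), []
    token = run_device_flow(client, "https://example.awsapps.com/start",
                            show_code=shown.append, sleep=clock.sleep, now=clock.now)
    return token, client.polls, clock.t, shown[0]


if __name__ == "__main__":
    print(demo())
```

With the constructed client the first poll answers SlowDown, so the loop widens its interval from 1 s to 6 s, then waits through two pending polls and receives the token on the fourth call after 18 simulated seconds; if the user never approves, the loop stops at `expiresIn` instead of polling forever.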

Asked 8 months ago, viewed 96 times

1 answer

Hello!!! It’s possible that AWS introduced this additional step to enhance security, perhaps in response to new threats or vulnerabilities. However, I couldn’t find any specific announcements or documentation detailing these changes. It might be beneficial to provide this feedback directly to AWS through their support channels or forums, as they may be able to provide more context or take your suggestions into consideration for future updates.

Expert

Answered 1 month ago
