basically a user entering the wrong information gets errors like "Strange state: failure"
Would be nice to say something more detailed here, like 'invalid credentials' or 'invalid user' or the like.
I think there are two issues here:
The failure page is completely unstyled, at least on src.fedoraproject.org. It's literally a white, blank page with "Strange state: failure" in the default font. That's turrible.
IMHO a failed login should use typical failed-authentication patterns: return the user to the credentials prompt, restyled to display the failure message in red, as well as highlighting the incorrect field if possible. (More on that in a second.)
This is likely a bigger problem than people might be thinking, because a lot of users will have their credentials auto-filled by the browser — and those credentials may very well use their email address as username. That was my situation. I kept getting authentication failures, even though I "knew" that at least the username was correct because the browser supplied it, and it'd been working for the past three years...
The bigger worry isn't users entering their email address, it's logins suddenly failing for users who continue to have their email address supplied by the browser, same as always, with no indication that it should no longer work. (TBH it even seems prudent to have some client-side validation show a warning anytime the username field contains an @ sign, without even submitting the auth request.)
to comment on this ticket.