Element-web: Let me access or wipe "Security Phrase"

Created on 12 Jul 2020  ·  6 Comments  ·  Source: vector-im/element-web

Description

Let me access or wipe the "Security Phrase". When I am logging in with a new session, I need my user password and then I'm always asked for my "Security Phrase" (which I lost). But I can proceed with my "Security Key" (which I have).

However, now I have this "Security Phrase" which has an unknown value which I cannot manage to retrieve or change. But an attacker might still be able to use it, then how would I even change it? There should be an obvious section in "Security & Privacy" that allows me to override/change the "Security Phrase". Or does that require resetting the entire cross-signing and secret storage? But if it does, why does it even exist when there is already the Security Key? Can one be derived from the other? It would be nice if the "Cross-Signing" section spelled the role of Security Key & Security Phrase out in a brief sentence, just as a reminder.

Steps to reproduce

  1. Create account via riot and enable E2E
  2. Remember your account password and Security Key/Recovery Key, but forget the Security Phrase
  3. Try to remove or replace the Security Phrase in the Settings by going into "Security & Privacy", or to just find out what its purpose was and whether regaining it is possible at all and why/why not

There is no button that mentions the Security Phrase, or how to reset it if that is possible. Or to derive it again from the Security Key, if possible. If both aren't possible, maybe that should be spelled out in the "Cross-signing" section so that I know that resetting it all is the way to go. (Obviously, I am not interested in doing that unless it is obviously the only way forward)

Version information

  • Platform: web
  • Browser: firefox
  • OS: fedora linux
  • URL: riot.im/app

All 6 comments

I suggest that both Security Phrase and Security Key, and how to recover them (or not) and ever change them (or not), should also be explained here: https://about.riot.im/help#end-to-end-encryption. Neither of them seems to be mentioned there for some reason, even though they're so central.

The recovery key is derived from the recovery passphrase if you opted for one, otherwise generated. You cannot change the recovery passphrase without changing the recovery key. The encryption functions used only have one decryption key. You can use "Reset cross-signing and secret storage" in settings to change your key.
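As an added illustration of the point in the comment above (the key is derived from the passphrase when one was set, otherwise it is random, so changing the phrase necessarily changes the key), here is a Python sketch, written for this page and not Element's own code, of the Matrix secret storage derivation and recovery-key encoding: PBKDF2-HMAC-SHA512 over the phrase, then base58 of a 0x8B 0x01 prefix, the 32-byte key and an XOR parity byte. The passphrase, salt and iteration default used here are assumed, constructed values.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PREFIX = bytes([0x8B, 0x01])  # tags the blob as a secret storage key
# m.pbkdf2 key derivation: PBKDF2-HMAC-SHA512 over the passphrase, 256-bit key.
# The iteration count is an assumed default, not taken from the issue.
def derive_key_from_passphrase(passphrase, salt, iterations=500_000, bits=256):
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=bits // 8)

def _b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def _b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on characters outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body

def _parity(data):
    p = 0
    for b in data:
        p ^= b
    return p

# Recovery key = base58(PREFIX || key || parity), printed in 4-character groups.
def encode_recovery_key(key):
    raw = PREFIX + key
    text = _b58encode(raw + bytes([_parity(raw)]))
    return " ".join(text[i:i + 4] for i in range(0, len(text), 4))

def decode_recovery_key(text):
    raw = _b58decode(text.replace(" ", ""))
    if len(raw) != len(PREFIX) + 32 + 1 or raw[:2] != PREFIX:
        raise ValueError("not a secret storage recovery key")
    if _parity(raw) != 0:  # XOR over everything incl. the parity byte must be 0
        raise ValueError("parity check failed: the key was mistyped")
    return raw[2:-1]

def is_valid_recovery_key(text):
    try:
        return decode_recovery_key(text) is not None
    except ValueError:
        return False
```

A client that offers no passphrase simply uses 32 random bytes in place of the derived key, which is why a user who skipped the phrase has only the Security Key to show for it.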

What is the recovery key? I only know "Security Key" (which I have) and "Security Phrase" (which I lost). Edit: I am using these exact names because I have saved a value, and it gets accepted in the exact dialog asking for a "Security Key", and rejected in the one asking for a "Security Phrase". So that is how I know Security Key is the one I have.

derived from the recovery passphrase if you opted for one otherwise generated

Assuming recovery passphrase is "Security Phrase", that means I might not actually have one if I skipped that? Interesting, I probably did skip it then, since that would explain why I didn't write it down. It would help if all of this was explained in https://about.riot.im/help#end-to-end-encryption so there is less guessing / hazy memories involved.

Sorry, they were recently renamed to security phrase and security key as you guessed

They don't seem to be renamed everywhere in the UI as pointed out here: https://github.com/vector-im/riot-web/issues/14421#issuecomment-657086185 so that might help.

Additionally, I would suggest 1. docs changes as suggested above, 2. adding this above the "Reset cross-signing and secret storage" button directly into the UI: "Note: resetting your cross-signing and secret storage is the only way to recover or change your Security Key and Security Phrase, if lost." (or a similar wording.)

That would solve this particular UX nitpick I was making the ticket for, that it's not obvious from the settings how to change the security phrase and security key if needed.
