element-hq / matrix-authentication-service

https://element-hq.github.io/matrix-authentication-service/
GNU Affero General Public License v3.0

Password recovery #13

Closed matrixbot closed 1 month ago

matrixbot commented 1 month ago

This issue was originally created by @sandhose at https://github.com/matrix-org/matrix-authentication-service/issues/13.

Users should be able to recover their account via email.

Potential flows:

  1. Start the recovery, you get a code by email, you enter that code, you can set a new password
  2. Start the recovery, you get a link by email, you follow that link, you can set a new password

The first flow feels better at not disrupting the current action. If you're in the middle of a client login, it's easier to resume that login after that.

The second flow feels better at preventing social engineering attacks, as we would require the person to click a link and change the password on the same device they are checking their emails, whereas in option 1 the attacker could just ask "can you give me the code you just got by email" and the user could overlook that it's for a password change?

Open questions:

Relevant design screens:

matrixbot commented 1 month ago

This comment was originally posted by @hughns at https://github.com/matrix-org/matrix-authentication-service/issues/13#issuecomment-1090159405.

After recovering and setting a new password the user should be given the option to log out all other sessions or leave them intact.

See https://github.com/vector-im/element-web/issues/2671 for discussion and context on this behaviour.
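As an added illustration of the two recovery flows from the issue description and the "log out other sessions" choice raised in this comment (example code, not MAS's own implementation; the in-memory store, the SHA-256 digest scheme, the lifetimes and the attempt limit are assumptions):

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60        # flow 1: short emailed code, brief lifetime (assumed value)
LINK_TTL = 60 * 60        # flow 2: emailed link token, longer-lived but single use (assumed)
MAX_CODE_ATTEMPTS = 5     # a 6-digit code is guessable without an attempt cap (assumed)

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class RecoveryStore:
    """Hypothetical store: one pending recovery per user, holding only a digest of the secret."""
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}    # user_id -> {"digest", "expires", "attempts", "flow"}
        self.sessions = {}   # user_id -> set of session ids currently logged in

    def start(self, user_id: str, flow: str) -> str:
        # "code": short numeric code typed into the client the user is already in.
        # "link": long URL-safe token carried in a link, opened on the mail device.
        secret = f"{secrets.randbelow(10**6):06d}" if flow == "code" else secrets.token_urlsafe(32)
        ttl = CODE_TTL if flow == "code" else LINK_TTL
        self.pending[user_id] = {"digest": _digest(secret), "expires": self.now() + ttl,
                                 "attempts": 0, "flow": flow}
        return secret        # sent by email; never persisted in clear

    def verify(self, user_id: str, presented: str) -> bool:
        rec = self.pending.get(user_id)
        if rec is None or self.now() > rec["expires"]:
            self.pending.pop(user_id, None)        # expired: discard, user must restart
            return False
        rec["attempts"] += 1
        if rec["flow"] == "code" and rec["attempts"] > MAX_CODE_ATTEMPTS:
            del self.pending[user_id]              # too many guesses: invalidate the code
            return False
        if not hmac.compare_digest(rec["digest"], _digest(presented)):
            return False
        del self.pending[user_id]                  # single use: consumed on success
        return True

    def reset_password(self, user_id, presented, new_password_hash, current_session, logout_others):
        if not self.verify(user_id, presented):
            return False
        # persisting new_password_hash is omitted; then honour the session choice
        if logout_others:
            self.sessions[user_id] = {s for s in self.sessions.get(user_id, set())
                                      if s == current_session}
        return True
```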

matrixbot commented 1 month ago

This comment was originally posted by @americanrefugee at https://github.com/matrix-org/matrix-authentication-service/issues/13#issuecomment-2122118449.

Here is the final design in Figma.