This comment was originally posted by @hughns at https://github.com/matrix-org/matrix-authentication-service/issues/13#issuecomment-1090159405.
After recovering and setting a new password the user should be given the option to log out all other sessions or leave them intact.
See https://github.com/vector-im/element-web/issues/2671 for discussion and context on this behaviour.
This comment was originally posted by @americanrefugee at https://github.com/matrix-org/matrix-authentication-service/issues/13#issuecomment-2122118449.
This issue was originally created by @sandhose at https://github.com/matrix-org/matrix-authentication-service/issues/13.
Users should be able to recover their account via email.
Potential flows:
The first flow feels better at not disrupting the current action. If you're in the middle of a client login, it's easier to resume that login after that.
The second flow feels better at preventing social engineering attacks, as we would require the person to click a link and change the password on the same device they are checking their emails on, whereas in option 1, the attacker could just ask "can you give me the code you just got by email" and the user could overlook that it's for a password change?
Open questions:
Relevant design screens: