oppia / oppia-android

A free, online & offline learning platform to make quality education accessible for all.
https://www.oppia.org
Apache License 2.0

Forgetting Admin PIN implies losing learner progress #4633

Open partha-basu opened 2 years ago

partha-basu commented 2 years ago

Describe the bug

I have forgotten the Admin 5-digit PIN and can no longer log into my Admin profile of the Oppia Android app. I tried to reset it (choosing the Forgot PIN option) but wasn't able to. See attached screenshot. The prompt warns that we need to uninstall and reinstall the app, which would also lead to loss of progress across ALL profiles.

I'd still be OK if only Admin profile is reset but this resets for everything

[Attached screenshot: Screenshot_20220929-145620]

To Reproduce

Steps to reproduce the behavior:

  1. Go to "Select Your profile"
  2. Click on 'Admin' icon
  3. Don't enter the PIN (assume you don't know) and click on "FORGOT PIN"

Expected behavior

Some ability to recover or reset the PIN.

Demonstration

N.A.

Environment

Device/emulator being used: Pixel 5
Android or SDK version: Android 13
App version: 0.9-beta-3f935261e0

Additional context

Forgot profile PIN

BenHenning commented 2 years ago

Thanks for filing this @partha-basu. I agree that the experience is frustrating, and it's useful to capture that this scenario is actually affecting people.

For some context, the problem here is that resetting only the admin account would allow other profiles on the device to "circumvent" the admin PIN by simply resetting the admin flow and creating a new PIN for it.

That being said, one approach that might help is to introduce something like "security" questions that the admin pre-approves during onboarding that, when answered correctly, allows them to reset their PIN (if they can't answer these, however, the only option to proceed would be to reset all data). Do you have any thoughts or feedback on this @partha-basu?

partha-basu commented 1 year ago

@BenHenning - I wonder what the point of the admin profile is here. The Admin use-cases top of mind I could think of are: 1) Gatekeep access to a learner account (to keep a class at a certain pace of learning); 2) An aggregated view of all learner progress (# of attempts, % completion of chapters/lessons etc., time spent) as a teacher or a parent.

The current "Admin profile" is almost exactly like any other user except for the PIN (learner profiles can set a 3-digit PIN vs. the admin's 5-digit PIN + download settings?). Maybe I'm not able to understand the criticality of the Admin role.

Instead of Admin, should we have the ability to create a new profile (independently and without needing an admin)? Each of these profiles could have its own PIN with a recovery process such as sending an OTP to a mobile phone (which is more plausible), a reset link in email, or a security phrase or image like you mentioned.

BenHenning commented 1 year ago

@partha-basu the original design of profiles was making the assumption that the administrator would be a parent or guardian, and that profiles would be children sharing the device. That concept has since extended such that the administrator may also be the learner in a single-user-device scenario, and that the administrator may be a teacher in a classroom setting.

This distinction is important because the whole premise for PINs was to avoid people being able to access others' profiles without permission. We further protect sensitive operations like allowing downloading content over cellular data, or adding and deleting profiles, behind an admin account that is expected to be used by an adult. These are protections put in place based on past feedback that we've collected around parents removing apps from devices that use too much storage or cellular bandwidth.

I think we need to revisit these original requirements and validate their need before making big changes like opening sensitive permissions to profiles as it's difficult to go back from that once it's changed in that way.

BenHenning commented 1 year ago

Also one follow-up: PIN recovery is inherently difficult without a remote profile syncing system in place because anyone on the device could recover any account (including for OTP). We need a way to validate one's identity which we can't actually do without a remote record of that individual. The best that I think we could do short of remote profile syncing is recovery questions (since those can help verify one's local identity, but perhaps not fully reliably).
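To make the trade-off in the two comments above concrete, here is an added example (not Oppia code, and not a proposal from anyone on this thread) of the local-only recovery flow BenHenning describes: an admin profile whose 5-digit PIN and pre-approved recovery answers are stored only as salted PBKDF2 digests, a "forgot PIN" path that resets just the admin PIN when every answer matches, and a full wipe as the only alternative once recovery attempts are exhausted. The `Device`, `Profile` and `Secret` classes, the attempt cap, the question texts and the learner data are all constructed for this illustration.

```python
"""Illustrative on-device PIN + recovery-question model (not Oppia code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

# Hypothetical parameters. A slow KDF matters because anything stored on the
# device can be guessed offline by whoever holds the device.
KDF_ITERATIONS = 100_000
MAX_RECOVERY_ATTEMPTS = 5  # after this, only a full data reset remains


def normalize_answer(answer: str) -> str:
    """Canonicalise free-text answers so 'Blue ' and 'blue' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)


@dataclass
class Secret:
    """Salted digest of a PIN or recovery answer; the plaintext is never kept."""
    salt: bytes
    digest: bytes

    @classmethod
    def of(cls, value: str) -> Secret:
        salt = os.urandom(16)
        return cls(salt, derive(value, salt))

    def matches(self, value: str) -> bool:
        return hmac.compare_digest(self.digest, derive(value, self.salt))


@dataclass
class Profile:
    name: str
    pin: Secret
    is_admin: bool = False
    recovery: dict[str, Secret] = field(default_factory=dict)  # question -> answer digest
    progress: dict[str, int] = field(default_factory=dict)     # lesson -> percent complete


class Device:
    """All profiles on one shared device; nothing here is synced remotely."""

    def __init__(self) -> None:
        self.profiles: dict[str, Profile] = {}
        self.recovery_attempts = 0

    @staticmethod
    def _check_admin_pin(pin: str) -> None:
        if not (pin.isdigit() and len(pin) == 5):
            raise ValueError("admin PIN must be 5 digits")

    def create_admin(self, name: str, pin: str, recovery_answers: dict[str, str]) -> None:
        self._check_admin_pin(pin)
        if len(recovery_answers) < 2:
            raise ValueError("need at least two recovery questions")
        hashed = {q: Secret.of(normalize_answer(a)) for q, a in recovery_answers.items()}
        self.profiles[name] = Profile(name, Secret.of(pin), True, hashed)

    def add_learner(self, name: str, pin: str) -> None:
        self.profiles[name] = Profile(name, Secret.of(pin))

    def login(self, name: str, pin: str) -> bool:
        return self.profiles[name].pin.matches(pin)

    def admin(self) -> Profile:
        return next(p for p in self.profiles.values() if p.is_admin)

    def reset_admin_pin(self, answers: dict[str, str], new_pin: str) -> str:
        """Return 'reset', 'wrong_answer', or 'locked'. Touches no learner data."""
        if self.recovery_attempts >= MAX_RECOVERY_ATTEMPTS:
            return "locked"
        admin = self.admin()
        # Evaluate every question (no short-circuit) so the response does not
        # reveal which individual answer was wrong; a missing answer fails.
        results = [admin.recovery[q].matches(normalize_answer(answers.get(q, "")))
                   for q in admin.recovery]
        if not all(results):
            self.recovery_attempts += 1
            return "wrong_answer"
        self._check_admin_pin(new_pin)
        admin.pin = Secret.of(new_pin)
        self.recovery_attempts = 0
        return "reset"

    def reset_all_data(self) -> None:
        """The fallback the issue describes: every profile's progress is lost."""
        self.profiles.clear()
        self.recovery_attempts = 0


def demo() -> dict:
    """Constructed scenario: one admin, one learner, one bad and one good recovery."""
    d = Device()
    d.create_admin("Admin", "12345", {"Favourite colour?": "Blue", "First school?": "Rose Hill"})
    d.add_learner("Asha", "246")
    d.profiles["Asha"].progress["fractions-1"] = 60
    out = {"old_pin_works": d.login("Admin", "12345")}
    out["guess"] = d.reset_admin_pin({"Favourite colour?": "red", "First school?": "rose hill"}, "54321")
    out["recover"] = d.reset_admin_pin({"Favourite colour?": "  BLUE ", "First school?": "rose hill"}, "54321")
    out["new_pin_works"] = d.login("Admin", "54321")
    out["old_pin_dead"] = d.login("Admin", "12345")
    out["learner_progress_kept"] = d.profiles["Asha"].progress["fractions-1"]
    return out
```

The point to take from running `demo()` is the one the thread makes: the learner's progress survives an admin PIN reset, but only because whoever is holding the device could supply the answers. The salt, the slow KDF and the attempt cap raise the cost of guessing; they do not establish that the person resetting is the admin, which is exactly why recovery questions are described above as a partial measure short of remote profile syncing.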