Resolve various points of confusion upon authentication

[markmhendrickson]

This issue details the broad friction I encounter whenever trying to re-authenticate my account. I'm curious if others encounter the same and what they think we can or should do about it. Perhaps this issue is already represented in part or full by other issues, I'm not sure. But I have to imagine the below UX problems are affecting a ton of our users and crippling their ability to trust in their Blockstack IDs, let alone understand them.

Step-by-step, here's how I usually flow through the process:

First, I see the "Enter Secret Recovery Key or Magic Recovery Code" modal:

And my first thought is "Bleh, I can't remember which one I've actually saved into 1Password – why do we have two of these again??".

But my second thought is, "It's okay, I should be able to grab either of these from 1Password, copy and paste it into here, hit sign in and be done with it. I guess it's good we have two options if they both serve the same purpose".

So I open up 1Password:

And I think "Great, they're both there! I might as well just grab the first one" while spotting "password" out of the corner of my eye and feeling a bit disturbed that I have a third password-like thing that I feel responsible for (bleh).

So I copy and paste the secret recovery key into the modal and hit submit, upon which I hit this modal:

And here, I unfailingly think "W.T.F. is this about? Create a password? Why now? Why at all? I already have (a useless) one!".

A month ago, I was still wondering if I had to go "back" since maybe I actually took a wrong turn somewhere and started through the "create account" flow by mistake. But I've been through this enough to know now that it's not the case. Blockstack wants me to continually remake my password for some unknown and annoying reason.

So, I do it, since I want to use the app! But I do it by just grabbing the same password I have in 1Password for Blockstack, since I might as well. Copy, paste, past, submit and I see this screen:

"For. The. Love. Of. God. What. Is. This. Doing." Again, I would have wondered before if I'm accidentally creating a new account, but now I know "better". So I diligently enter my email again and submit:

"Ok, this is better...but 'restore'? Did I screw up my account at some point and now it needs to be rebuilt or something? Is that why I was asked for a new password and email and this is taking so long to process? Oh well...I hope my data is still in here and didn't get lost...".

"Hurray! It seems I'm in, and my account has been fixed, if it was indeed broken."

"That's weird you want me to view and save my secret recovery key though...I entered that earlier in the flow after all. I better look at it and compare it to the one in 1Password to make sure it hasn't changed, though this is a bit of a hassle".

"Oh hell, just (re)show it to me already"

"Thank you! But it's the same as before....why am I here then!". I hit continue, hoping it'll just take me to the app since "Back" feels like I might get lost and never make my way there.

I start questioning whether I want to even use the app...but sunk cost has a hold of me, and I'm an employee of Blockstack PBC. So I go back to 1Password, pick out the words and select them

"I....I already saw this...am I in the twilight zone?" I hit the button...and I'm finally done.

---

Now, I don't always choose the secret recovery key at the start of the funnel but instead grab the "magic recovery code", because frankly, I forget the difference. Because I have PBC knowledge, I know one is basically the "seed" but I have a 50/50 chance of knowing which one that is until I copy and paste from 1Password (and I presume that the seed one is better to use or faster, but that's just a suspicion).

So let's say I copy and paste the magic recovery code into the first prompt and submit, I then see this:

"Why why why? I just gave you a password-like thing. Why do we even have two?". I go back into 1Password and copy and paste the password, though, and submit:

"What. That can't be right. I literally just set this new password 5 minutes ago after going through authentication with my secret recovery key to write up this rant." So I copy and paste it again.

"Ok what, that can't make any sense. The password has to be right, doesn't it? But it does say 'Incorrect password or invalid recovery code' so maybe I actually saved my recovery code incorrectly in 1Password in the first place?"

I remember (fortunately) that this was emailed to me last summer so I search "magic recovery code" in my Gmail account, and voilà:

I cross-check it with my 1Password value and it appears the same. So I copy and paste it out of 1Password and search for in the page on Gmail just to be sure it matches exactly and it does. "Ok, what's going on here".

I go back to looking at the modal and look even closer, noticing it says at the bottom "The password you entered when you created this Blockstack ID".

I start to have self-doubt. "Have I always entered the same password when previously authenticating with the secret recovery key instead of the magic recovery code? Have I actually inadvertently saved a new password to my account that can't actually be used for anything since only the original works here? Does that make any sense? Why would a system ask for a new password if it can't be used in this situation?".

And I retreat with back buttons to the "Secret Recovery Key" flow, assuming my magic recovery code and password are basically worthless.

[markmhendrickson]

Side note: Is this statement even true in the first modal?

I see that the magic recovery code was emailed to me, but the secret recovery key? I don't see that in my archives and I remember it being something we intentionally don't email.

[moxiegirl]

The code is mailed and the email includes a link to recover the Secret Recovery key. @markmhx As of 11/30

[markmhendrickson]

@moxiegirl Ah cool, I think I didn't see that pop up since I searched just "magic recovery code". My bad!

[aulneau]

It's actually not accurate that the 'secret recovery key' was sent to you. we never send that anywhere.

[markmhendrickson]

I guess "a link to view your secret recovery key was sent to you" would be more accurate?

I just went back to search for it and found that the link for "Record secret recovery key" (since I seem to have a different variant than @moxiegirl) goes to a URL based on the https://deploy-preview-1268--reporter-beaver-73821.netlify.com domain.

That doesn't seem right. Any idea why that would have been the case, and are we sure this isn't still happening? Note that this was from June 4, 2018.

[zone117x]

@markmhx I ran into all the same stuff initially, and had the same confusion recently when having to "create a password" and specify my email address. I'm not sure which recovery code or seed I've been using from 1password. I've store both but never tried to figure out the difference.

I think the UX here can definitely be improved.

[hstove]

goes to a URL based on the https://deploy-preview-1268--reporter-beaver-73821.netlify.com domain.

The link is depending on what URL you signed up with. This means you were testing onboarding using this staging link.

[hstove]

I definitely understand all the confusion here. We have pretty solid decisions by why all of these screens are in place. What's missing is any explanation for why we do these things. It's easy to not understand why you need to set a password again (its to encrypt locally on your device). There is a lot we could do to improve this UX, and I think most of it is around messaging and documentation.

[markmhendrickson]

Education could help, though I'm still unclear why we can't take email and password out of this process entirely and simplify the whole thing around the seed phrase.

If we did that, we could call it something else (and do so consistently) for comprehension sake. We could even call it your "assigned password" and just make clear that unlike "regular" passwords, it's unchangeable and unrecoverable. Putting it all on the same line with dashes (e.g. "crocodile-splinter-dog-fairness-...") would make the notion of being a password even easier to understand.

What am I missing?

[stackatron]

We can remove it, but to claim it is all upside and no downside simply isn't true. It is pretty likely that change leads to more confusion and frustration.

And there are some basic complications introduced. We must encrypt locally, so we would need to do so with the key itself. That means whenever the user wants to spend bitcoin, stacks, upgrade, reset browser, or view the key (this feature would become pointless) we either need to ditch the security measures entirely or force them to reenter seed. Maybe this is worth doing, but it sounds pretty obnoxious to me. Furthermore all the other wallets, metamask, etc work the way ours currently works probably for the same reason.

I support pioneering a new method and new educational moments, we just need to validate these ideas and prove we actually have something that performs better. Listing out all the ways the current one isn't perfect doesn't prove much.

Side note: From the now 100s of sessions we've done on this, bugs, browser bugs, and protocol handler issues are 10x more frustrating to end users than thread above.

[Myer]

I cannot agree more on this issue. I too was struggling to understand why a new password was needed and what the difference between the "Secret Recovery Key" and the "Magic Recovery Code" are. Seriously, the sign-in flow is really confusing. It took me over two hours to search and research all this stuff and still I think I only understand like 20% why what is being used.

At the same time the documentation (https://docs.blockstack.org/browser/ids-introduction.html) also is full of typos and inconsistency. Sometimes it's also using different words. If you invent your own terms please always call them the same everywhere in your GUI otherwise it's only more confusing. Always call it "Magic Recovery Code" and don't just leave out the "Magic" or suddenly call it "identity recovery code". It's already similar enough to mix it up with the "Recovery Key" one.

Also the documentation once says "recovery code (in the order the words appear)". I thought the "Recovery Code" is the gibberish one and the "Recovery Key" is the one with the words?!?

As far as I understand it you created the "Magic Recovery Code" so you would not have to email the "Secret Recovery Key" in plain-text. Instead you encrypt the "Secret Recovery Key" (or some other information from my Blockstack identity) with the initial password. Now you have sort of split the "Magic Recovery Code" into two parts. You can safely send the "Magic Recovery Code" via mail since it's of no use without the password. Is that correct in any way?

I would suggest to solely rely on the "Secret Recovery Key" and completely remove the "Magic Recovery Code" and the initial password. If I understand it correctly the "Secret Recovery Key" is actually the only information you need to recover your Blockstack ID. There are other services online which also at some time during sign-up state to you that you as a user need to write down a certain key/passphrase to recover your account and that the service won't be able to help you if you lose it. I don't get what the use of the "Magic Recovery Code" should be if I could simply forget the password? Then the mail with it also is of no use anymore... Simply state that you need to save the "Secret Recovery Key" otherwise you are screwed.

Also please clarify the password situation. Clearly state that the initial password when creating the Blockstack ID and the passwords you create when you sign-in to the Blockstack browser with an existing ID are completely different and should not be mistaken. I almost replaced my initial Blockstack password (still from "Onename" times) in my password safe with the new one I created while signing in because I didn't understand the difference and as far as I see it the GUI doesn't say otherwise. It only says "create a password". Why don't you call these passwords "local password" and clearly state that it's only used for this browser session and that you will need a new one for every other browser?

Also: Am I right that the initial Blockstack password can't be changed? And one last question: Can a user change a 12-word "Secret Recovery Key" to a a 24-word one?

Sorry for the rage but why is it all made so confusing... 😕

tl;dr: Strive for Consistency

[markmhendrickson]

Thanks for your thoughts here, @Myer 🙏 And my apologies that you've been running into similar difficulties; we hope to clarify this all soon.

To your questions – you're right that you can't change your original Blockstack password (for use with your "Magic Recovery Code") and you can't change your 12-word "Secret Recovery Key" to a 24-word one either.

Can you explain a bit why you'd want a 24-word secret recovery key in particular? Extra security?

[Myer]

Yes, for security. The longer the better since you'd copy-paste it anyway from your password safe.

It looks like my "Magic Recovery Code" is already burned because every password I try does not work. (I've tried all passwords I've saved in my password safe when I created this identity sometime in 2015. I even tried the Onename-password which btw still works when I login to onename.com. I also found a 58-char long gibberish called "App encrypted secret" which I saved as a recovery file - I have no idea if this is still of any use. I have also no mails about this, the first one I have is from 2017 telling me to transfer my ID from Onename to Blockstack, which I did, nothing from earlier. So... maybe I never got a password to decrypt the "Magic Recovery Code" in the first place? Because it maybe has been introduced sometime later? ...)

Basically I could just throw away this very magic "Magic Recovery Code" and still would be totally fine because I have the "Secret Recovery Key". 🙄

[markmhendrickson]

The magic recovery code was indeed introduced later (around mid-2018) so if you transferred from Onename to Blockstack in 2017, I presume that you only received a secret recovery key and no magic recovery code. And as such, you'd need the secret recovery key to access your ID now.

You wouldn't have received an email after transferring to Blockstack either, since we didn't start sending emails upon (Blockstack) registration until mid-2018 (when the magic recovery code was introduced).

I'm not sure, though, what your "App encrypted secret" may have been. Perhaps something established originally with Onename? @jcnelson may have insight from those days since I wasn't around then.

Thanks again for this detailed feedback. I agree completely with the need to clear up all this confusion.

[Myer]

It's in a txt-file I have saved in my password safe which looks like this:

[markmhendrickson]

Password confusion related to this issue appears here on the forum as well https://forum.blockstack.org/t/doubt-on-passwords/8467