"Forgot password" without signing out of all devices

[estellecomment]

After verification with security dept, what should be done on all devices :

• do not logout all devices by default
• the checkbox should mention "Déconnecter mes appareils et verrouiller mes messages (en cas de piratage de votre compte ou de la perte d'un appareil"
• a additional information should explain clearly what will happen when users choose to disconnect all their devices when resetting their password

The hypothesis is that most of the time, user accounts are not compromised, then they don't need to disconnect their devices and lock all their messages.

Status :

• [x] web : do not logout by default. https://github.com/tchapgouv/tchap-web-v4/pull/310,
• [x] web : update message : https://github.com/tchapgouv/tchap-web-v4/pull/369
• [x] ios : logout by default. https://github.com/tchapgouv/tchap-ios/issues/706
• [x] android : logout by default. https://github.com/tchapgouv/tchap-android/pull/799
• [x] templates server : https://github.com/tchapgouv/tchap-infra/pull/1551
• [ ] templates server : ticket à créer sur évolution : ne pas cliquer sur le bouton de la page template server mais proposer un refresh automatique au bout de quelques secondes. à valider pour sécurité
• [x] mettre à jour la documentation (faq etc...) https://tchap.beta.gouv.fr/assets/pdf/bonnes_pratiques_reinitialisation_du_mot_de_passe.pdf

History: Current situation : when you go to "forgot my password" on the login page, the complete flow logs out of all existing devices (this is a security feature). Unfortunately users tend to lose their keys doing this, it's complicated to do correctly.

Proposed change : on the "forgot my password" form, display a checkbox for "Sign out of all devices". If you leave it unchecked, you will avoid the loss of keys : you just change your password, and then you log in with the new password. Your other devices don't do anything special. If you check the box, you will get the same flow as before : the password will be changed, all devices will be logged out. They will show the login page (and maybe "You have been logged out, please log in again" or something)

Design problem : we have displayed, in various places, warning messages for the user, so that they don't fall into the trap. With the proposed change, these messages are unnecessary and confusing when the user did not check the "Sign out of all devices" checkbox. We need to remove this confusion, yet still support both flows (checked or unchecked).

---

The complete flow on web v4 : (with TODOs where we need changes, you can add TODOs if you see more things)

---

1. The form now has the checkbox.

---

2. If you click the checkbox, fill the form, confirm, you get an additional modal : (if you didn't check the box you don't get this modal)

For reference, in v2 you had something similar :

• [ ] TODO : text is long and I didn't read it. Maybe a diagram ? Or just less text ? Or some bold text to stand out ?

---

3. Then :

---

4. The email says the same thing whether or not you clicked the checkbox :

• [x] TODO : the email does not cover both cases, it is uselessly alarming when you did not check the box.
• [x] TODO : can we have different emails in the two cases ? NO.

---

5. You click the link, and you get this (same thing whether or not you clicked the checkbox) :

• [x] TODO : the page does not cover both cases, it is uselessly alarming when you did not check the box.
• [x] TODO : can we have different pages in the two cases ? NO.

---

6. Click the button, you get :

NOTE : when you click this button is when the password actually gets changed, and the other devices are logged out (if you clicked the box) sorry actually it's at step 7, not here

---

7. Go back to the original page, click "I verified my email"...

---

8. ... and you get :

[areox-net]

@estellecomment Thanks for raising this issue. I think your solution with the checkbox is a good one. However, it's clear that the flow needs to be simplified. We are talking to users who have a problem (forgot their password) and in providing a solution we create a new problem for them!

Another point is: will ANSSI be OK with the option to uncheck the "log out from other devices" ? If they are, let's not disconnect from other devices at all and make life easier to the users!

[estellecomment]

will ANSSI be OK with the option to uncheck the "log out from other devices" ?

Yes they are

If they are, let's not disconnect from other devices at all and make life easier to the users!

They are not OK with removing the option completely though :)

[estellecomment]

An interesting point : the choice to sign out devices is given to the user in the first screen (step 1, I numbered the steps for easier discussion) Technically though, the password change and the signout is done when they click "J'ai vérifié mon adresse mail/I verified my email" (step 7) Before that, if they stop the flow for any reason (change their mind, give up...), the password is not changed and the other devices are not signed out.

[areox-net]

What I like of your solution is that 90% of the users will not check the box. So it leaves them to a simpler flow, as long as we get a different message at the end :)

[estellecomment]

I confirm that we will have a single email and a single confirmation page for both cases (check or no check). That's because the backend sends them, and the backend does not know whether or not the user has checked the box, only tchap-web (or android or ios) knows.

[estellecomment]

In the current solution, we have multiple places in which we display the alarming message : in the warning modal at step 2, in the email at step 4, in the confirmation page at step 5. The actual "catastrophe" happens at step 7.

I'm not sure that displaying warnings everywhere is the best way. People might just ignore them even more since the information is repeated several times.

[estellecomment]

Other problem : We ask users to save their keys, but we don't tell them how. Would be nice to have a link to the help/faq page.

In this flow they are not logged in (that's the point, they forgot their password!), so we cannot send them directly to the action of exporting keys, which requires being logged in. They have to export keys from other devices, if they have any. If they have no other devices, then their history is already lost anyway.

Also, if they have other devices, they actually don't need to export their keys : they will be able to get them after they log in, by emoji exchange between clients. @Nivann @AmelAlili Is that what you tell people when they call support about this ?

[estellecomment]

Aaaaah no they will not be able to get them from other clients, if the other clients are all logged out by the procedure !! Ok.

[estellecomment]

I'm considering deploying this extra checkbox in prod before the whole work of redesign is done, because it is better than nothing. In this case, for now, when the box is left unchecked, we would still have all the alarming messages even though they are not necessary. If people read the warnings, they will export they keys (for nothing, but it doesn't hurt either) and if they don't read, they will finish the procedure without problem. It's a bit messy, I'm undecided. (suggestion from @jdauphant ) Thoughts ?

[areox-net]

It's a little messy but still better than loging out everytime.