Hard to understand how to reset Security Phrase #1523
Comments
I suggest that both Security Phrase and Security Key, and how to recover them (or not) and ever change them (or not) should also be explained here: https://about.riot.im/help#end-to-end-encryption Neither of them seem to be mentioned there for some reason, even though they're so central.
The recovery key is derived from the recovery passphrase if you opted for one, otherwise generated. You cannot change the recovery passphrase without changing the recovery key. The encryption functions used only have one decryption key. You can use the reset cross signing and secret storage in settings to change your key.
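The relationship described in the comment above, as an added example that is not code from this thread or from Riot. It assumes the Matrix secret storage conventions (PBKDF2-HMAC-SHA-512 for the phrase; base58 with a `0x8B 0x01` prefix and a parity byte for the displayed key); the salt, iteration count and phrases are constructed.

```python
import hashlib
import os

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Bitcoin alphabet
PREFIX = bytes([0x8B, 0x01])  # header bytes of an encoded key (assumed from the Matrix spec)

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on characters outside the alphabet
    zeros = len(text) - len(text.lstrip("1"))
    return b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def parity(data: bytes) -> int:
    p = 0
    for b in data:
        p ^= b
    return p

def key_from_phrase(phrase: str, salt: str, iterations: int) -> bytes:
    """Security Phrase -> 32-byte secret storage key (PBKDF2-HMAC-SHA-512)."""
    return hashlib.pbkdf2_hmac("sha512", phrase.encode(), salt.encode(), iterations, dklen=32)

def encode_security_key(raw: bytes) -> str:
    """32-byte key -> the space-grouped string shown to the user."""
    body = PREFIX + raw
    text = b58encode(body + bytes([parity(body)]))
    return " ".join(text[i:i + 4] for i in range(0, len(text), 4))

def decode_security_key(text: str) -> bytes:
    data = b58decode("".join(text.split()))
    if len(data) != 35 or data[:2] != PREFIX or parity(data) != 0:
        raise ValueError("not a valid Security Key")
    return data[2:34]

if __name__ == "__main__":
    salt, rounds = "constructed-salt", 100_000  # constructed sample parameters
    from_phrase = key_from_phrase("constructed phrase one", salt, rounds)
    print("with a phrase:   ", encode_security_key(from_phrase))
    print("without a phrase:", encode_security_key(os.urandom(32)))
    # A different phrase yields a different key; the two cannot be changed independently.
    print("phrase changed:  ", encode_security_key(key_from_phrase("constructed phrase two", salt, rounds)))
```

Both inputs unlock the same 32-byte key, which is why a saved Security Key keeps working when the Security Phrase is lost or was never set.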
What is the recovery key? I only know "Security Key" (which I have) and "Security Phrase" (which I lost). Edit: I am using these exact names because I have saved a value, and it gets accepted in the exact dialog asking for a "Security Key", and rejected in the one asking for a "Security Phrase". So that is how I know Security Key is the one I have.
Assuming recovery passphrase is "Security Phrase", that means I might not actually have one if I skipped that? Interesting, I probably did skip it then since that would explain why I didn't write it down. It would help if all of this was explained in https://about.riot.im/help#end-to-end-encryption so there is less guessing / hazy memories involved.
Sorry, they were recently renamed to security phrase and security key as you guessed.
They don't seem to be renamed everywhere in the UI as pointed out here: https://github.com/vector-im/riot-web/issues/14421#issuecomment-657086185 so that might help. Additionally, I would suggest 1. docs changes as suggested above, 2. adding this above the "Reset cross-signing and secret storage" button directly into the UI: "Note: resetting your cross-signing and secret storage is the only way to recover or change your Security Key and Security Phrase, if lost." (or a similar wording.) That would solve this particular UX nitpick I was making the ticket for, that it's not obvious from the settings how to change the security phrase and security key if needed.
@ell1e: I think you should this as it does not actually concern a bug or lack of feature but only a misunderstanding of concepts.
Description
Let me access or wipe the "Security Phrase". When I am logging in with a new session, I need my user password and then I'm always asked for my "Security Phrase" (which I lost). But I can proceed with my "Security Key" (which I have).
However, now I have this "Security Phrase" which has an unknown value which I cannot manage to retrieve or change. But an attacker might still be able to use it, then how would I even change it? There should be an obvious section in "Security & Privacy" that allows me to override/change the "Security Phrase". Or does that require resetting the entire cross-signing and secret storage? But if it does, why does it even exist when there is already the Security Key? Can one be derived from the other? It would be nice if the "Cross-Signing" section spelled the role of Security Key & Security Phrase out in a brief sentence, just as a reminder.
Steps to reproduce
There is no button that mentions the Security Phrase, or how to reset it if that is possible. Or to derive it again from the Security Key, if possible. If both aren't possible, maybe that should be spelled out in the "Cross-signing" section so that I know that resetting it all is the way to go. (Obviously, I am not interested in doing that unless it is obviously the only way forward)
Version information