Resetting security passphrase is too complex / error prone #16118

Closed
DAlperin opened this issue Jan 11, 2021 · 12 comments
Labels
A-E2EE-Cross-Signing P1 S-Major Severely degrades major functionality or product features, with no satisfactory workaround T-Defect X-Needs-Community-Testing

Comments

@DAlperin

Description

If I reset my security passphrase, the passphrase I just set will be immediately rejected when I attempt to use it to verify another session.

Steps to reproduce

  • Settings -> Security & Privacy -> Encryption -> Secure backup -> reset
  • Enter a security phrase -> enter code -> reenter -> download backup codes
  • Go to your profile -> click on another session to verify it -> Manually Verify by Text -> Verify Session
  • Try entering the security phrase you just set. It says Invalid Recovery Key
  • Try uploading or entering the backup codes you just downloaded. It says Wrong Recovery Key

Expected: The code I just set and the backup codes I just downloaded work
Actual: they do not work

Version information

  • Platform: Tested on web and desktop

For the web app:

  • Browser: Chrome 87.0.4280.141, Firefox 84.0.2
  • OS: Ubuntu 20.04.1
  • URL: app.element.io

For the desktop app:

  • OS: Ubuntu 20.04.1
  • Version: 1.7.16
@ksampolski

Same error after resetting; after trying to enter the new code I got the error "Wrong Recovery Key".

@Azorlogh

I have the same problem as well, which means there's no way for me to verify another session.

@jryans added the defect, A-E2EE-Cross-Signing, P1 and S-Major (Severely degrades major functionality or product features, with no satisfactory workaround) labels on Jan 25, 2021
@jryans
Collaborator

jryans commented Jan 25, 2021

@DAlperin @SierraN @Azorlogh Sorry for the trouble here, can you try the following steps?

  1. Consider exporting room keys to a file as a backup in an existing session via top left menu -> Settings -> Security -> Export E2E room keys (but you've said you don't have encrypted rooms at the moment)
  2. Reset secure backup first (this should now succeed without confusingly asking for previous keys)
  3. Reset cross-signing keys (this may prompt for security key / phrase, it's expecting the new one you just made)
  4. On other sessions, you should be able to either verify the new session and receive new keys or go to Settings and "setup" Secure Backup (green button instead of the red "reset"), which may prompt for the new security key / phrase as part of downloading your keys

If that fails at some step, please submit debug logs and link to this issue so we can investigate further.

@DAlperin
Author

Huh, that seems to work. What's happening differently behind the hood that makes that work instead of the regular reset?

@Azorlogh

It worked for me as well 👍

@haslersn

haslersn commented Feb 9, 2021

We were also affected by this issue. The workaround by @jryans worked, but it's not ideal for our users.

@jryans
Collaborator

jryans commented Feb 11, 2021

I'm glad to hear the steps above are working. 🙂

> What's happening differently behind the hood that makes that work instead of the regular reset?

Cross-signing and secret storage have somewhat complex, cyclical dependencies between each other. At the moment, we offer two separate targeted reset buttons:

  • You could reset just your cross-signing identity if a suspicious device was added to your account
  • You could reset your secret storage key if it was compromised somehow

However, we don't really explain any of that in the UI today, so I assume most people don't know why they'd want one vs. the other.

Because of the cyclical dependencies between the two systems mentioned above, resetting one but not the other can lead to confusing prompts asking for a security phrase, but it might want the old one or the new one, which is quite confusing.

All of this suggests it might be simpler to only offer a single reset button that always performs all of the steps outlined above. This would no longer allow for a targeted reset of e.g. just cross-signing separate from the rest, but it would be simpler for most people to reason about, I assume.

For now, let's keep this issue open so it's easy to find for any others with a similar problem, and we can evaluate potential improvements to the reset flow that might resolve confusion in the future.
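A simplified model of the dependency described in the comment above, as an added example that is not Element's code and not part of the thread. It assumes each stored secret is encrypted under one storage key identified by a key ID; the names, the AES-GCM cipher and the PBKDF2 parameters are illustrative choices, and whether this is the exact cause of the behaviour reported in this issue is an assumption.

```javascript
// Simplified model (assumption, not Element's code): every secret kept in
// account data is sealed under one passphrase-derived storage key.
const crypto = require('node:crypto');

function makeStorageKey(passphrase) {
  const salt = crypto.randomBytes(16);
  const key = crypto.pbkdf2Sync(passphrase, salt, 10000, 32, 'sha512');
  return { id: crypto.randomBytes(4).toString('hex'), salt, key };
}

function seal(storageKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', storageKey.key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { keyId: storageKey.id, salt: storageKey.salt, iv, ct, tag: c.getAuthTag() };
}

// What another session does: derive a key from the typed passphrase using
// the parameters attached to the stored secret, then try to decrypt it.
function unlock(record, passphrase) {
  const key = crypto.pbkdf2Sync(passphrase, record.salt, 10000, 32, 'sha512');
  const d = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  d.setAuthTag(record.tag);
  try {
    return Buffer.concat([d.update(record.ct), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: wrong passphrase for this record
  }
}

function simulate(resetCrossSigningToo) {
  const account = {};
  const oldKey = makeStorageKey('old phrase'); // constructed sample values
  account.crossSigning = seal(oldKey, 'cross-signing private key v1');
  // Step 1, reset secure backup: a new storage key becomes the default.
  const newKey = makeStorageKey('new phrase');
  account.defaultKeyId = newKey.id;
  // Step 2, reset cross-signing: new keys are sealed under the new default.
  if (resetCrossSigningToo) {
    account.crossSigning = seal(newKey, 'cross-signing private key v2');
  }
  return {
    withNew: unlock(account.crossSigning, 'new phrase'),
    withOld: unlock(account.crossSigning, 'old phrase'),
    sealedUnderDefault: account.crossSigning.keyId === account.defaultKeyId,
  };
}
```

In this model `simulate(false)` leaves the cross-signing secret readable only with the old phrase even though the new key is the default, while `simulate(true)` leaves everything under the new phrase.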

@mlell

This comment has been minimized.

@jryans

This comment has been minimized.

@jryans removed the defect label on Mar 4, 2021
@jryans changed the title from "Can't reset security passphrase" to "Resetting security passphrase is too complex / error prone" on Mar 10, 2021
@jryans
Collaborator

jryans commented Apr 12, 2021

As mentioned in #16879 (comment), there are quite a few issues where people have generally been confused by the process.

@opusforlife2

> All of this suggests it might be simpler to only offer a single reset button that always performs all of the steps outlined above. This would no longer allow for a targeted reset of e.g. just cross-signing separate from the rest, but it would be simpler for most people to reason about, I assume.

@jryans A single master reset button is certainly the way forward, but you could also have a confirmation page for the master reset button with an Advanced dropdown menu, which reveals the two reset options for the users who know what they're doing.

@kittykat
Contributor

I'm going to close this issue for now as the workflow has been redesigned and was released a couple of months ago. Please open a new issue for further improvement. Thank you!

9 participants