logging in with cross signing is very confusing #12593
Comments
Okay, keybackup doesn't have any effect on this, and using two riot/develop sessions also doesn't change anything, but what I did notice is I was doing #12546, which made the modals pop up from two different logins.
Thanks for testing cross-signing as it stands at the moment. I guess I'll start by saying I am not surprised it's confusing at the moment: you are testing a half-finished feature that is still in active development. With that disclaimer out of the way, let's see how your feedback matches up with issues...
On the old device, you are seeing a toast to verify the new device which you could use if you skipped complete security on the new device. Complete security on the new device has been using SSSS at the moment, but that's really more like an "account recovery" method that is asking for the passphrase that guards your cross-signing identity.
Yes, this does quite exist yet in the way you are asking for. There are toasts for unverified devices, and you can manually check your device list to see new ones. Future work is planned to add a more robust audit trail of added devices.
Yes, this is unfortunate, but it's tracked in that issue as you say.
At the moment, that does not happen because we've been using the SSSS passphrase to verify during complete security as mentioned above. Interactive flows will also be added, see #11215 and #11217. As far as I can tell, everything you have reported is already tracked separately, so I don't think we need to keep this open. Thanks for testing and providing feedback on this work-in-progress feature! 😄
* Make config override other settings levels and add tests
* fix documentation
* lint
* Use a const for finalLevel.
* respect the explicit parameter
* Use supportedLevelsAreOrdered for config overrides rather than a separate setting.
* Fix typos
* Fix mock in UserSetttingsDialog-test
* Special case disabling of setting tos use config overrides.
* remove logs
This is me trying to log into my account in a new tab with a logged-in session right next to it:
https://dmnd.sh:8448/_matrix/media/r0/download/dmnd.sh/lJRXjgMcyVvRzINymwzSelJi
Description
Logging into a new device is currently very confusing to me. This part especially confuses me: the old session talks about a one-time code to verify, while the new login just wants me to enter my SSSS key. If I do enter that, I am completely verified without ever having to do anything in another session, and there is no big warning in the other sessions telling me that a new device has just been added :/
Also, this whole process takes ages (see #12376) but gives barely any feedback. In a previous attempt, hitting the continue button here didn't seem to do anything even though things were happening in the developer console, but no feedback was given to me otherwise until the next modal finally opened.
I expected some OTP confirmation and I guess that's really doing much when I enable Keybackups, but at the very least I would expect a big red sign telling me that a new device has been added, which you only get when you're currently logged in during this process.
If someone would steal both my account password and SSSS password, it seems to me like they could log in to my account, read and send encrypted messages, and nobody would notice unless they actively check my devices.
Steps to reproduce
Version information
For the web app: