
UX: is it "security-key.txt" or a Recovery Key

Open colemickens opened this issue 10 months ago • 1 comments

Your use case

What would you like to do?

On the heels of confusion about Key Backup, how mine got corrupted, what it means for "sessions failed to decrypt", etc...

I come across yet another UX thing that feels easy to fix, and could go a long way towards helping users (even ones trying to use Matrix for 5 years) not get confused.

When I (reset) and set up Key Backup today, I was prompted to download a 48-character ... thing... that was saved as "security-key.txt".

When I set up Element X Android today, it prompted me for my "Recovery Key".

  1. Is there a document that lays out, plainly, how E2EE is meant to work, and the definitions of:

    • session
    • keys
    • key backup
    • "security-key"
    • "recovery key"
    • whatever the key backup "passphrase" is called
    • how cross-signing keys fit into this picture? I assume it's not the same as Key Backup?
  2. Can y'all please document them precisely, and then commit to standardized names throughout, at the very least, Element properties?

Why would you like to do it?

  1. Idk, if someone explains it to me, I'll literally send PRs for it.

How would you like to achieve it?

  1. idk.

Have you considered any alternatives?

not any non-sarcastic ones

Additional context

I love Matrix, but it's a challenging love.

colemickens, Apr 16 '24 01:04

Thanks for the feedback!

  1. "Recovery key" is the new terminology as we've seen in user tests that it works best among the options we tested.
  2. The "security phrase" feature (aka choose your own recovery key) will be dropped for the future as user tests have shown that it's being mixed up with your account password and generally causes more confusion than benefit.
  3. Element X will lead this change, Web will follow.
  4. We have an FAQ to explain what a "recovery key" is https://element.io/help#encryption16.
  5. We've taken measures to clarify that a "security key" or "security phrase" will continue to work https://github.com/element-hq/element-meta/issues/2402.
  6. We're further reworking Web settings (and are taking care in EX settings) to make these concepts easier to comprehend for users.

Hope this helps!

pmaier1, Apr 23 '24 12:04

If people still see "Security Key" (or security-key.txt) being referenced in any applications, I recommend filing bugs in the relevant application-specific issue trackers.

richvdh, May 16 '24 16:05

  1. The "security phrase" feature (aka choose your own recovery key) will be dropped for the future as user tests have shown that it's being mixed up with your account password and generally causes more confusion than benefit.

Can you clarify what is being dropped? Right now there are two things: an opaque string of characters (which I think is currently called "recovery key") and a user-chosen password to unlock key backup.

Getting rid of the ability to choose your own password for the latter would be a terrible idea. I want to be able to log in on a new device and input my chosen key-backup password to get access to my messages. To do that, I need to be able to choose that password so I can remember it.

BrenBarn, May 16 '24 19:05

  1. "Recovery key" is the new terminology as we've seen in user tests that it works best among the options we tested.

So it was once named recovery key, then it got renamed to security key and now the plan is to rename it back to recovery key?

Croydon, May 25 '24 17:05

  1. The "security phrase" feature (aka choose your own recovery key) will be dropped for the future as user tests have shown that it's being mixed up with your account password and generally causes more confusion than benefit.

Can you clarify what is being dropped? Right now there are two things: an opaque string of characters (which I think is currently called "recovery key") and a user-chosen password to unlock key backup.

Getting rid of the ability to choose your own password for the latter would be a terrible idea. I want to be able to log in on a new device and input my chosen key-backup password to get access to my messages. To do that, I need to be able to choose that password so I can remember it.

I don't understand the argument either. Just name it the same thing, no matter if it is Element generated or user-defined. For all processes afterwards it only matters that it is the correct one.

Croydon, May 25 '24 17:05

So it was once named recovery key, then it got renamed to security key

I'm not aware of it ever being renamed in this way, no.

richvdh, May 28 '24 08:05

TL;DR: It's a "recovery key". Please file bugs if you see people calling it a "security key".

We have more work on the way to be more consistent with our terminology.

richvdh, Jun 20 '24 15:06

Related: https://github.com/element-hq/element-meta/issues/361

richvdh, Jun 20 '24 15:06

So it was once named recovery key, then it got renamed to security key

I'm not aware of it ever being renamed in this way, no.

SIGH. Apparently I was wrong. https://github.com/matrix-org/matrix-react-sdk/pull/5533 did indeed rename from "recovery key" to "security key"

(╯°□°)╯︵ ┻━┻

richvdh, Jul 11 '24 15:07

Filed https://github.com/element-hq/element-web/issues/27713 to sort this out on Element Web

richvdh, Jul 11 '24 15:07