session-desktop
Remove ability to display recovery phrase after Session id creation.
It's fundamentally insecure to allow the recovery phrase to be retrieved with a few mouse clicks at any time.
This patch removes the option from Settings, and appropriately modifies the initial account creation dialogue to indicate the importance of noting down the recovery phrase immediately, as it will not be possible to display it again later.
Contributor checklist:
- [x] My commits are in nice logical chunks with good commit messages
- [x] My changes are rebased on the latest clearnet branch
- [x] A yarn ready run passes successfully (more about tests here)
- [x] My changes are ready to be shipped to users
@ianmacd We are working on improving the onboarding in the next few months (+- 2 months). This issue will be dealt with then 😄 Thanks for pointing it out though.
It's not so much the enrolment itself, though, as it is not allowing the user to leave the process incomplete, which leaves the door ajar for compromise. A properly enrolled user doesn't need to use Session to retrieve his recovery phrase at a later date.
I don't know when it expires, but there is a survey relevant to recovery phrases:
https://www.surveymonkey.com/r/T5DHW7C
Source: https://nitter.net/session_app/status/1571712123830697997#m (2022-09-19)
Just to provide an update on this, we are actively working on a feature similar to this PR right now in our onboarding project. It will offer users the option in the settings menu to make their seed permanently invisible in the Session UI. We consider this preferable to only displaying the user's seed during the onboarding process. This is because any misunderstandings during onboarding, such as a user accidentally dismissing the onboarding modals, would make recovery and linking of future devices impossible.
This has been completed on all platforms as part of the onboarding release (1.13.0), see below.