As a user I can initiate login/recovery using only the server address and keyfile

Q1. What is the problem that you are trying to solve?
Logging in from a new device currently seems to require an email link, which an admin must initiate or a user must keep around from their initial account setup. This causes headaches for experienced users who just want to log in on a new device.

Q2 - Who is impacted?
All users activating a new device and admins who are currently required to initiate a recovery link when users want to use a new device.

Q3 - Why is it important and/or urgent?
This is important as it decentralizes the administration of user accounts in a way that can be documented and followed by each user (i.e. send out a PDF with instructions and the server automates the rest) rather than performed by an admin.

Q4 - What is your proposed solution? (optional)
Use this section to describe how you would solve this problem if you have a preference or ideas on how to move forward. The more complete the proposal the better, so feel free to add:

  • Assumptions:

    • User already has an account
    • User has their recovery key file
    • User has not logged into the current device
    • User has been provided or knows the server address
  • Workflow:

    1. Install the extension on new device
    2. Click the extension, which opens a flyout
    3. Using the flyout:
      • Enter server address
      • Enter email address
      • Upload key file
    4. User enters password / completes setup.

Poor UI mockup but something like this:
[UI mockup image]

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)

Hello @JingleheimerSE and welcome to the forum!
Sorry if I’m wrong, but I think this is already implemented.
If you open your server page in a new browser, it should ask for your email, and if you are registered, you will receive an email and can provide your key file.


Thanks for the welcome @Termindiego25!

I’ve had a chance to evaluate PassBolt a bit more and in particular looked closer at the links being provided by email. You are correct that a user can go to the server address and request new links be sent. This is certainly an improvement over what I had originally thought.

That said, I still think the spirit and title of this feature request hold true. Put another way, I feel there is a lot of room for improvement in the initial login workflow after having evaluated a handful of password managers for our organization. For example, PassBolt is pretty upfront that the extension is required (kudos on clarity here!) and that it's central to the technical workings, yet I found that I couldn't actually log in using only that extension like I can with other products. Trying to do so only redirects you to the PassBolt public page telling you to go to your email, with no mention of the alternative of using the web browser like you mentioned. That's problematic for two reasons:

  1. If my email login is stored in PassBolt, I won't be able to open my email on a new device until I first log in to PassBolt, thus I have a chicken-and-egg problem.
  2. If it has been a long time since I first created a PassBolt account, I might not have that initial email, so I would need the alternative option, which again isn't mentioned.

Looking over my screenshot again, I think I would still recommend something along those lines. If that were implemented, I would avoid both issues just mentioned. Additionally, having a form like this in the extension as a landing page would add a lot of structure to the login process to help new users know what info is required of them.

Lastly, I'll reiterate my appreciation for the hard work that has gone into PassBolt; of the several options I tested, I think the vault UI is by far the cleanest and most intuitive! My motivation for creating a feature request like this really is to help iron out what I think are some of the bumps that could keep others from getting to use that nice UI. Thanks again!

Hello again @JingleheimerSE. If you're looking for a landing page where people can join with information about Passbolt instead of the login page like now, here's a feature request where you can vote:

As for the login flow, I think it's fine how it works right now. If I understand you, you suggest merging all the steps into one that should be shown in the extension, instead of having the current flow where each field of the proposed form is asked for separately, with an explanation of what it is for.

I mean, for example, you suggested adding the server URL to the form in the extension. This will make it mandatory to know the URL, so if you don't know it, no matter whether you enter the URL in the browser or in the extension, you won't be able to log in.
Also, as you get into the real flow, Passbolt asks for your email, checks that it exists and that you are the owner, asks for your key, and asks for your colour and letters... For me, this is more intuitive than merging everything, because you have explanations about what corresponds to each requirement of the process.

Also, if you don't know your initial email as you mentioned in scenario 2, I think you still won't be able to log in with your form, since it requires a lot of fields that your users may not know about.

In short, in my opinion, I agree with adding a landing page, but I think the current flow is more intuitive than switching to adding them all together in the extension.
For your users, I recommend a training session to explain how Passbolt works, in the same way you would teach them about not opening phishing emails or other cybersecurity-related issues.

I do like the idea of a landing page when visiting the server directly, but I don't think that really impacts the issue I was trying to solve. Stated another way, I am just looking for a workflow that allows logging in without the need for the email links.

I can appreciate your point that having each field prompted for separately rather than all on one form gives the chance to explain what each field is. I'd certainly be up for that as part of this solution, as I don't think having them all on one form or separate really changes the issue, which is that I can't log in without email given known information.

Regarding the URL and being able to enter it, I think that is the key request of this feature, as it is what would allow a person to avoid email to start the login process. Yes, the user would need to know the URL, but I would consider that a byproduct of any self-hosted solution (Vaultwarden, for example, requires this as well), and that is something that is likely easy to communicate as it's pretty short (e.g. passbolt.company.com). Additionally, unless you can access your email on the new device you are trying to log into and are able to click the link directly, you will need to know or copy the server URL anyway.

To walk through an example and compare, here is what I experience as a new user, with an existing account, logging into a new device:

Current:

  1. Install extension
  2. Open extension
  3. Extension opens the passbolt.com website and tells you to go to your email.
  4. Since you are on a new device and your email password is stored in Passbolt, you can't access your email yet and will need to use a second device with existing email access to find the email.
    • Best case scenario: You found the email on your other device.
      • How do you open the link on the new device now? The link must be moved somehow:
        • You could copy the link to a text file and put it on a USB drive next to the GPG key, put it in your new device, and paste it into the browser. Doable but clunky.
        • You could manually type the link into your browser on your new device. Also doable but clunky.
          • Since the welcome link is the server URL, this is the same info I am proposing be on the form but asked for directly.
    • Worst case scenario: You don't have the email.
      • You are given no instructions on what you need from this point. Calling up your admin and asking general questions like "What should I do?" will likely be the result.
  5. Once the link has been opened, enter your email address.
  6. Go back to your other device to find the email with the recovery link. Do either:
  7. Once the link has been opened, upload GPG key
  8. Enter passphrase
  9. Pick security token
  10. You are now logged in!

What I am proposing (with the individual prompts rather than everything on one form):

  1. Install extension
  2. Open extension
  3. Extension prompts for the server URL
    • It's possible a new user wouldn't know this, but finding this specific piece of info would likely result in more pointed questions to the admin or others on the team like "What's the URL?" as opposed to the open-ended "What do I do?" admin support questions like in the current step 4 worst case above.
    • This is also something that an organization can easily document and share screenshots of in a training guide rather than relying on an individualized email.
  4. Extension prompts for email address
    • With the URL and the email address, the extension can now negotiate with the server to generate links if necessary
  5. Extension prompts for GPG key
  6. Enter passphrase
  7. Pick security token
  8. You are now logged in!

Hopefully this illustrates what I am proposing a bit better. Maybe this is an improvement and maybe not; I'll defer to the devs and community to decide that.

I do agree that training is required for any organization changing tools. My hope with this feature request is to streamline the login process so that:

  • It's more familiar for those coming from other tools (self-hosted Vaultwarden prompts for the URL, 1Password uses a key file but doesn't require email links, etc.)
  • It can be documented in training material with ideally one screenshot showing the static info like the URL (attention spans are short, haha).
  • It doesn't require outside tools that may or may not be available yet on a new device when logging in, like email.
  • It is self-contained within the extension to reinforce that it is a key element of Passbolt.
  • It minimizes open-ended questions to admins.
    • Open-ended questions like "What do I do?" after not finding the email(s) are usually phone calls to admins that take several minutes to address, whereas "What is the URL?" is a pointed question that will likely be a chat message and take seconds to address.
    • Even small improvements in workflow can significantly reduce IT team workloads.

Thanks again for the discussion!