Edit: this was originally a request for help.
I’m now turning it into a “hey this needs fixing”, but leaving the original wording, to give a feel of the new user experience.
I installed the latest AWS AMI version yesterday.
It prompted me through all the steps I see in
I let it generate its own “server PGP key”. I didn’t upload my own.
Completed setup. Set my passphrase.
Then happily created a bunch of secrets.
TODAY, I sit down, go to the website to log in, put in my email address to log in, and it gives me,
“We sent you a link to verify your email.”
I check my email, and IT says
“You have initiated an account recovery!
You just requested to recover your passbolt account on this device.”
Uhhh. NO I DIDN’T.
Furthermore, when I click on the link, it then tells me,
“Welcome back, please enter your private key to begin the recovery process.”
WTH??? I never HAD my own account-specific private key??
=====================================================
So… apparently, when I first made my account, the “account recovery file” it spit out at me is actually my private key.
So from a user perspective, a few things need to happen to make this a more pleasant user experience:
- Be consistent about wording. If it’s “my private PGP key”, then SAY that. Don’t call it “my account recovery key”.
- Mention at that download time, “you WILL be using this a lot, not just to ‘recover your account’, but any time you log in from a new browser”.
- In the whole “check your email” thing, also be consistent about wording. Don’t say it is “account verification” in one place, but “account recovery” in a different place! Call it “new browser verification” or something, consistently?