Edit: this was originally a request for help.
I’m now turning it into a “hey this needs fixing”, but leaving the original wording, to give a feel of the new user experience
I installed the latest AWS AMI version yesterday.
It prompted me through all the steps I see in
I let it generate its own “server PGP key”. I didn't upload my own.
Completed setup, set my passphrase.
Then happily created a bunch of secrets.
TODAY, I sit down, go to the website to log in, put in my email address to log in, and it gives me,
“We sent you a link to verify your email.”
I check my email, and IT says
“You have initiated an account recovery!
You just requested to recover your passbolt account on this device.”
Uhhh. NO I DIDN'T.
Furthermore, when I click on the link, it then tells me,
“Welcome back, please enter your private key to begin the recovery process.”
WTH??? I never HAD my own account-specific private key??
So… apparently, when I first made my account, the “account recovery file” it spit out at me is actually my private key.
So from a user perspective, a few things need to happen to make this a more pleasant user experience:
Be consistent about wording. If it's “my private PGP key”, then SAY that. Don't call it “my account recovery key”.
Mention at that download time, “you WILL be using this a lot, not just to ‘recover your account’, but any time you log in from a new browser”
In the whole “check your email” thing, also be consistent about wording. Don't say it is “account verification” in one place, but “account recovery” in a different place!
Call it “new browser verification” or something, consistently?