Login on a different browser starts account recovery?

Hi :slight_smile:
I’m either doing something wrong or I found a bug?
I tried to open my (self-hosted) passbolt on a different browser and I couldn’t log in because it started an account recovery instead?
I copied the URL to the login page in my current browser (brave) and pasted it into the new browser (chrome) (both have the addon installed), but it loaded a different page:
After I put in my mail address, I received an email for account recovery

Do I really have to use account recovery if I want to switch browsers? If yes, why is that a thing?
(This situation also occurs if I select “switch accounts” on the login page in my current browser)
→ shouldn’t it be possible to login as a different user, or just login from a different browser without account recovery?
Does anyone know, why this happens and/or how I can fix it?

Hi @lbusse

This is normal, and registering the browser extension is needed before that particular browser can access your passbolt site. Once that is done, Account Recovery for that browser is not needed again for that user unless you uninstall the extension.

A large part of the security model of passbolt, as well as the pages you end up seeing, occur in the extension itself.

Also, yes, the account recovery process is needed for switching users while using the same extension. There are workarounds to this, but not within the extension itself. For example, using more than one kind of browser, or using more than one installation of a browser. But without Account Recovery, being able to simply login with one extension to more than one user account is not an option at the moment.

Hope this helps!

2 Likes

Hi @garrett

thank you for your reply :slight_smile:
it does make sense as a security feature, even though it is a bit… unpractical

you said that I had to register the browser extension to login without account recovery → how do I do that? is there an option somewhere in my current browser extension/the UI or do I have to look somewhere else?

Hi,

Ref: Passbolt Help | How to recover an account?

You can follow this procedure if you are meeting the following requirements:

  • You are in possession of an active account;
  • You are in possession of your recovery kit, it contains a copy of the private key associated to your account;
  • You remember your passphrase.

(if you don't have it, you can download a copy of your private key from your current configured browser, click on your name on the top right and go to your profile > key inspector)

Procedure

Step 1. In order to recover you will need to go to your domain URL and add /recover at the end of the url, for example https://yourpassbolt.com/recover.

Step 2. Complete the form by providing your email address.

Step 3. Follow the link in your mailbox.

Step 4. Follow the recovery steps, which is much like the initial setup. You will need to import your private key.

Step 5. Enter your passphrase to login!

Cheers,

2 Likes

so I do have to use account recovery if I want to change my browser?
there is no way to switch browsers without it?

Yes you need to re-configure your account every time you switch laptop or browser profile (since you need to configure the extension for every environment). You only need to do it once per browser profile. See "Why does passbolt require an extension? | by passbolt | passbolt" for more information on how passbolt works.

2 Likes

alright :slight_smile:
then I’ll do that. Thanks for the help :slight_smile:

Hey guys,

so I find this process really weird and unusual. Now I am in a situation where I installed passbolt on ubuntu, I had to travel and took my laptop with me and I am pretty much locked out of my password manager. Sorry for saying this but this is beyond paranoid!!! So - I am using login mail and a superb password + I am using MFA code. And yet - I can't login to the bloody thing because you also want me to possess the private key block? Where am I supposed to save this? In a file that I carry around on thumb drive??? Do you find it “safe”??? Sorry but I am rather pissed off now :smiley: Don't mean to be rude to you guys but I have never ever seen anything like that… I guess I need another password manager that will only hold my passbolt private key in case this happens when traveling :smiley: What an idea…

Wouldn't it be better to enforce using MFA? Instead I need to carry around private key… Or do I understand it the wrong way?

Hi,

You will find how passbolt works and why you absolutely need your private key on this help page: Passbolt Help | Why do I need a browser extension?

Best,

Hi all !

Colleagues, tell me, is it possible to simplify authorization without having to enter the PGP key, if you change the browser? At least for non-administrator users. Instead, we want to use MFA - if it is possible to send a code to a telegram chat, that would be great. It would be possible to make an additional field “Telegram ID” in the user’s card.

Passbolt is planned for use in a secure perimeter, where employees are connected using a SSL VPN tunnel and two firewalls. Routes to the Internet on a Linux server with Passbolt installed are excluded. We have about 10 employees who will have problems with the PGP key. At least for non-administrator users.

Thanks !

Best regards,
Evgeniy Aryutin

Hey @earyutin,

The thing is the GPG private key needs to be set inside the browser, because you need it to decrypt your passwords.

That being said, there is also the pro feature “account recovery” that can do what you are looking for but it is not for the Community Edition: Passbolt Help | How to configure Account Recovery

Best,
Max
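
The point made in the replies above (a fresh browser can authenticate but cannot decrypt until the private key is imported and unlocked with the passphrase), as an added sketch that is not part of the thread and not passbolt code. Passbolt uses OpenPGP; here RSA-OAEP from Node's `crypto` stands in for it, and `setupAccount`, `serverStore` and `BrowserProfile` are hypothetical names.

```javascript
// Added sketch, not passbolt code: RSA-OAEP from Node's crypto stands in for OpenPGP.
const nodeCrypto = require('node:crypto');

// Initial setup in the first browser: the key pair is created on the client and
// the private key is exported encrypted under the passphrase (the recovery kit).
function setupAccount(passphrase) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  return { publicKey, recoveryKit: privateKey };
}

// Server side: only the public key and ciphertext are stored, so nothing here can decrypt.
function serverStore(publicKey, secret) {
  return { publicKey, ciphertext: nodeCrypto.publicEncrypt(publicKey, Buffer.from(secret)) };
}

// One browser profile: it can decrypt only with a locally imported key plus the passphrase.
class BrowserProfile {
  constructor() { this.privateKey = null; }
  importKey(pem) { this.privateKey = pem; }
  decrypt(ciphertext, passphrase) {
    if (!this.privateKey) return { ok: false, reason: 'no private key in this profile' };
    try {
      const plain = nodeCrypto.privateDecrypt({ key: this.privateKey, passphrase }, ciphertext);
      return { ok: true, secret: plain.toString('utf8') };
    } catch {
      return { ok: false, reason: 'wrong passphrase or key' };
    }
  }
}

function demo() {
  const passphrase = 'constructed-sample-passphrase';   // constructed sample values
  const { publicKey, recoveryKit } = setupAccount(passphrase);
  const { ciphertext } = serverStore(publicKey, 'db-password-123');

  const fresh = new BrowserProfile();                   // new browser, extension not configured
  const beforeRecovery = fresh.decrypt(ciphertext, passphrase);
  fresh.importKey(recoveryKit);                         // the "import your private key" step
  const wrongPassphrase = fresh.decrypt(ciphertext, 'not-the-passphrase');
  const afterRecovery = fresh.decrypt(ciphertext, passphrase);
  return { beforeRecovery, wrongPassphrase, afterRecovery };
}
```
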