[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue
I think I am missing something. The service works. I can create an account, add passwords, and get the addon working.
The problem is when I try to login on another device or browser. I put my e-mail in and passbolt sends me an e-mail, I get the e-mail and click on the link and that takes me to Account Recovery. I don’t need to recover my account, I just need to log in. Do I need to take my private key with me anywhere I want to login?
That does answer the question thanks.
From a security perspective I think this weakens security. Memorizing one strong password is far better than storing a key somewhere. A private key in this case is nothing more than a very long password that cannot be memorized.
If the password is only stored on the browser and can be different in every browser, then it is not something you know and something you have. It is only something you have plus access to e-mail to get the unique link for recovery.
I think using standard methods of 2FA would be much stronger here.
user created password
admin configurable minimum requirements for that password
admin configurable 2FA options (yubikey, authy, sms, google authenticator etc.)
host and server side encryption using well known secrets management with something like pbkdf2 or scrypt
Use of private keys is extremely valuable in specific instances. I could even understand requiring private key authentication for admin access in addition to a password. But for user access I don’t think it is the right solution.
Just to correct the browser/password thing. To set up a new browser you enter your email and then you get that link, then you will be prompted to supply:
You can later change that password on a per browser basis, but you will still need the password. You aren’t able to log in with just a key and an email. Also more standard MFA options such as TOTP, Yubikey, and Duo are available for use with passbolt.
It is good that they are available and optional. What would be better is also being able to require a private key to be optional. The best security is the one that is used. How am I going to explain to my family the process of how they need to log in?
Having a truly random private key guarantees that the encryption strength is not dependent on the password selected by the user. This is known to be objectively better for security. This is not just us saying that, as this is also the stance selected by 1password for example. This is an opinionated choice which is unlikely to change.
Some other password managers prefer to favour usability instead of security, such as lastpass or bitwarden for example. These other password managers don’t require a browser extension nor a private key so they may be more in line with your requirements.
Purely from a security perspective, I agree a private key is more secure. The problem is that the service still needs to be usable by regular people.
There are a lot of technical problems that I can work through, but this issue will just cause my family to not use the service at all. And then the security risk is reused weak passwords. I understand that this seems to be a core concept of how passbolt works that is not likely to change, and for that reason I have already abandoned my installation and have moved on to another product. I am sure there are valid use cases for these design decisions, it’s just not my use case.