I am just having trouble understanding the decisions made when it comes to allowing someone to re-download their private key and generate a passphrase.
I personally envision that the process for re-gaining access to one’s account can be implemented such that it can be started by allowing an administrator to click a button similar to “re-send invite”. The idea is that the user who has lost their passphrase and/or their private key needs only to have access to their email to re-gain access to their passwords.
Is the concern that the email from passbolt to the user’s email will be potentially intercepted or that the email inbox itself is a point of attack?
In response to either concern, I would ask, would it be perhaps more appropriate to let the user take that risk if they want and to simply advise users to not need to resort to that method but offer it nonetheless?