UX: is it a Security Key or a Recovery Key #2394

Closed
colemickens opened this issue Apr 16, 2024 · 10 comments

colemickens commented Apr 16, 2024

Your use case

What would you like to do?

On the heels of confusion about Key Backup, how mine got corrupted, what it means for "sessions failed to decrypt", etc...

I come across yet another UX thing that feels easy to fix, and could go a long way towards helping users (even ones trying to use Matrix for 5 years) not get confused.

When I (reset) and set up Key Backup today, I was prompted to download a 48-character ... thing... that was saved as "security-key.txt".

When I set up Element X Android today, it prompted me for my "Recovery Key".

  1. Is there a document that lays out, plainly, how E2EE is meant to work, and the definitions of:

    • session
    • keys
    • key backup
    • "security-key"
    • "recovery key"
    • whatever the key backup "passphrase" is called
    • how cross-signing keys fit into this picture? I assume it's not the same as Key Backup?
  2. Can y'all please document them precisely, and then commit to standardized names throughout, at the very least, Element properties?

Why would you like to do it?

  1. Idk, if someone explains it to me, I'll literally send PRs for it.

How would you like to achieve it?

  1. idk.

Have you considered any alternatives?

not any non-sarcastic ones

Additional context

I love Matrix, but it's a challenging love.

t3chguy transferred this issue from element-hq/element-web on Apr 16, 2024
dbkr added the X-Needs-Product (More input needed from the Product team), A-E2EE-Cross-Signing and A-E2EE-Key-Backup labels on Apr 16, 2024

pmaier1 (Contributor) commented Apr 23, 2024

Thanks for the feedback!

  1. "Recovery key" is the new terminology as we've seen in user tests that it works best among the options we tested.
  2. The "security phrase" feature (aka choose your own recovery key) will be dropped for the future as user tests have shown that it's being mixed up with your account password and generally causes more confusion than benefit.
  3. Element X will lead this change, Web will follow.
  4. We have an FAQ to explain what a "recovery key" is https://element.io/help#encryption16.
  5. We've taken measures to clarify that a "security key" or "security phrase" will continue to work: Element X: Wording improvement for "Enter recovery key" screen #2402.
  6. We're further reworking Web settings (and are taking care in EX settings) to make these concepts easier to comprehend for users.

Hope this helps!

richvdh changed the title from UX: is it "security-key.txt" or a Recovery Key to UX: is it a Security Key or a Recovery Key on May 16, 2024

richvdh (Member) commented May 16, 2024

If people still see "Security Key" (or security-key.txt) being referenced in any applications, I recommend filing bugs in the relevant application-specific issue trackers.

BrenBarn commented May 16, 2024

> 1. The "security phrase" feature (aka choose your own recovery key) will be dropped for the future as user tests have shown that it's being mixed up with your account password and generally causes more confusion than benefit.

Can you clarify what is being dropped? Right now there are two things: an opaque string of characters (which I think is currently called "recovery key") and a user-chosen password to unlock key backup.

Getting rid of the ability to choose your own password for the latter would be a terrible idea. I want to be able to log in on a new device and input my chosen key-backup password to get access to my messages. To do that, I need to be able to choose that password so I can remember it.

Croydon commented May 25, 2024

> 1. "Recovery key" is the new terminology as we've seen in user tests that it works best among the options we tested.

So it was once named recovery key, then it got renamed to security key and now the plan is to rename it back to recovery key?

Croydon commented May 25, 2024

> > 1. The "security phrase" feature (aka choose your own recovery key) will be dropped for the future as user tests have shown that it's being mixed up with your account password and generally causes more confusion than benefit.
>
> Can you clarify what is being dropped? Right now there are two things: an opaque string of characters (which I think is currently called "recovery key") and a user-chosen password to unlock key backup.
>
> Getting rid of the ability to choose your own password for the latter would be a terrible idea. I want to be able to log in on a new device and input my chosen key-backup password to get access to my messages. To do that, I need to be able to choose that password so I can remember it.

I don't understand the argument either. Just name it the same thing, no matter if it is Element generated or user-defined. For all processes afterwards it only matters that it is the correct one.

richvdh (Member) commented May 28, 2024

> So it was once named recovery key, then it got renamed to security key

I'm not aware of it ever being renamed in this way, no.

richvdh (Member) commented Jun 20, 2024

TL;DR: It's a "recovery key". Please file bugs if you see people calling it a "security key".

We have more work on the way to be more consistent with our terminology.

richvdh closed this as completed on Jun 20, 2024

richvdh (Member) commented Jun 20, 2024

Related: #361

richvdh (Member) commented Jul 11, 2024

> > So it was once named recovery key, then it got renamed to security key
>
> I'm not aware of it ever being renamed in this way, no.

SIGH. Apparently I was wrong. matrix-org/matrix-react-sdk#5533 did indeed rename from "recovery key" to "security key"

(╯°□°)╯︵ ┻━┻

richvdh (Member) commented Jul 11, 2024

Filed element-hq/element-web#27713 to sort this out on Element Web
