"Forgot password?" #59
As part of the early preview, the primary reservation I've had is around the demand put on end users to retain the decryption key.

I was happy to see this week in the FAQ that the method of storing the key was enhanced to generate it based on the user's password and store it on the Userbase servers. That solves some complexity and removes the dependency of being locked into a single browser's storage... from what I can tell, this means users can roam between browsers and devices and still log in.

The demand on the end user to never lose their password remains, though.

At the very least I could imagine a feature to "Delete all data and create new password". 🤷♂

Great work so far! Looking forward to the upcoming public launch. 🚀 🎉

Hi Alex. Thank you for the feedback. We heard the same thing from other people who participated in the beta, and this was the result of that. You are correct that in this release, logging in from other devices works just like any other web app. As long as the user knows the username & password, they can log in from anywhere without having to deal with the key. And to your questions:

We don't know yet. Many end-to-end encrypted apps have that requirement (one example). If this turns out to be an adoption blocker, we think we have a solution (see below).

The password is still technically resettable if the user has access to a previously used device/browser, and as long as the user didn't explicitly log out of the last session. This is because the browser stores the encryption key in local storage, and if the key is available, the password can be reset easily (just like a regular web app). In fact, we have already implemented this feature. We chose not to include it as part of the first release because it's still under independent security review, and we need some time to properly document and define the API.

Adding to what Daniel said:

This is also a good, doable idea. We could email users a link which they can click to kick this process off. Definitely a feature we will strongly consider implementing soon. Thank you for the well-reasoned feedback and suggestion!

Closing in favor of #118, thank you again for the suggestion @alexcnichols! Note that a forgot password mechanism was released in #103 :)

My app is set to server-side encryption, and when I test the forgotPassword function (using the ugliest-todo/forgot-password.html example) I am still left with: Is it possible to allow the users to recover password from other devices?

cc @j-berman