
"Forgot password?" #59

Closed
alexcnichols opened this issue Jan 18, 2020 · 5 comments

@alexcnichols

As part of the early preview, the primary reservation I've had is around the demand put on end users to retain the decryption key.

I was happy to see this week in the FAQ that the method of storing the key was enhanced to generate based on the user's password and store on the Userbase servers. That solves some complexity and removes the dependency to be locked into a single browser's storage... from what I can tell, this means users can roam between browsers and devices and still log in.

The demand on the end user to never lose their password remains though.

  1. To what extent do you see this as an adoption blocker? Maybe there are use cases for certain customers where this isn't as much of an issue.
  2. Any ideas for how to securely help end users recover from a lost password?

At the very least I could imagine a feature to "Delete all data and create new password". 🤷‍♂

Great work so far! Looking forward to the upcoming public launch. 🚀 🎉

@dvassallo
Member

Hi Alex. Thank you for the feedback. We heard the same thing from other people who participated in the beta, and this was the result of that. You are correct that in this release, logging in from other devices works just like any other web app. As long as the user knows the username & password, they can log in from anywhere without having to deal with the key.

And to your questions:

  1. To what extent do you see this as an adoption blocker? Maybe there are use cases for certain customers where this isn't as much of an issue.

We don't know yet. Many end-to-end encrypted apps have that requirement (one example). If this turns out to be an adoption blocker, we think we have a solution (see below).

  2. Any ideas for how to securely help end users recover from a lost password?

The password is still technically resettable if the user has access to a previously used device/browser, and as long as the user didn't explicitly log out of the last session. This is because the browser stores the encryption key in local storage, and if the key is available, the password can be reset easily (just like a regular web app). In fact, we have already implemented this feature. We chose to not include it as part of the first release because it's still under independent security review, and we need some time to properly document and define the API.

@j-berman
Collaborator

Adding to what Daniel said:

At the very least I could imagine a feature to "Delete all data and create new password"

This is also a good, doable idea. We could email users a link which they can click to kick this process off. Definitely a feature we will strongly consider implementing soon.

Thank you for the well-reasoned feedback and suggestion!

@j-berman
Collaborator

Closing in favor of #118, thank you again for the suggestion @alexcnichols!

Note that a forgot password mechanism was released in #103 :)

@nagualcode

My app is set to server-side encryption, and when I test the forgotPassword function (using the ugliest-todo/forgot-password.html example) I am still left with:
KeyNotFound: Your key was not found. Forgot password only works from a device you've signed in from before.

Is it possible to allow the users to recover password from other devices?

@dvassallo
Member

cc @j-berman
