Email Verification Recovery

[Damariobros]

Users should be allowed to fallback on their recovery key, or perhaps some backup codes, if they lose access to their email, as a faster and more convenient alternative to contacting support.

Contacting support should remain an option to those who do not have their recovery key or backup codes, but the recovery key should allow them to skip the wait.

Entering the recovery key or backup codes at the email verification stage should also present the user with the option to immediately disable email verification, should they choose, before they are logged into Ente.

[kaizokan]

This requires thinking carefully about whether a recovery key should be able to bypass multifactor authentication. Not saying it should not or that it should, just that it is important to think about it and make it clear for the user because there seems to be no longer one definition of a recovery code.

This is what others do:

1Password:

We’ve made sure that the recovery process is safe by requiring two separate steps (email verification and your recovery code) to complete identity verification and regain access to your account.

Bitwarden (recovery codes are for disabling two step verification methods, NOT resetting the password. Your email only serves as account identification here, not verification with access to email):

Using your recovery code is like the normal login procedure, requiring your (i) email address, (ii) master password, and (iii) recovery code. On successful authentication of all three, you will be logged in to your vault and all two-step login methods will be disabled.

Google and Discord have so called Backup Codes for disabling 2FA

Microsoft is very vague in its description of recovery codes. It is possible that their recovery codes are the only thing you need, bypassing everything else, but unsure.

EDIT: Ente having two different type of apps that share the same account (Ente Photos and Ente Auth) is possibly something that makes this decision even harder to make.

Which probably also explains why I sometimes feel unsure about support helping with account recovery by e.g. disabling passkeys to let someone login. Aside from the physical security aspect of passkeys, passkeys are a nightmare in its current implementation and cause more trouble than they fix imo.

Passkey technology is elegant, but it’s most definitely not usable security
One does not simply implement passkeys

[Damariobros]

What about if we could register a backup email in the case that email verification is turned on, and one loses access to their primary email? Mozilla does something like that. Mozilla also has a button in account settings that lets you make the secondary email the primary email, that could be something to think about too

Also you're right, Microsoft recovery codes do indeed bypass all login processes; if you provide one that is currently valid during the account recovery process, you are immediately taken to your account's security info dashboard, where you can edit your password and all authentication methods and settings without further authentication. The key is only shown once when you click the button to make one, and clicking it again makes a new one. You can only have one at a time.

I'm not entirely certain but I think Apple might do the same, if you have Recovery Key enabled. Set a new password, bypass two-factor for that one login, and I think it even gets you access to your e2ee stuff that's protected with the device passcodes. The tradeoff, however, is that turning on Recovery Key disables recovery via the iCloud recovery process (so, if you don't have recovery contacts or the key, they auto deny you).

Mozilla has both a set of backup codes for getting through two-factor, and a recovery key for recovering synced browser data I believe. I haven't ever had to test it, so if it does more than that I wouldn't know. They also have the aforementioned backup email.

[kaizokan]

Wouldn't it be better to have a backup email set up in the settings of the primary email provider to allow recovery of your primary email so that you won't lose access to it. This way not every separate service needs its own email recovery options and you also get to keep email and possibly other accounts (depending on your email/alias use that is). I believe it is best to not deviate too much from the common standards. You mentioned backup codes which is something seen more often with 2FA/MFA options.

I have not thought much about this just trying to think along a bit so just take it as some extra input, also others who read.

About the Microsoft part, thanks that is good to know, it is hard to find official information about this. Only confusing community posts including official MS employees and contradicting support agent answers on other platforms depending on who you speak. Like its on purpose. But it is Microsoft support after all haha.

[Damariobros]

You bring up a fair point, and indeed I do already have a recovery email set on my primary email provider (and in fact, even have multiple accounts where I can receive the emails themselves).

But I'm all for diversifying recovery options. Not everyone's situation is the same, and not everyone will always be able to recover their primary email.

[Damariobros]

Btw I just realized, GitHub has a backup email system too.

[kaizokan]

But I'm all for diversifying recovery options. Not everyone's situation is the same, and not everyone will always be able to recover their primary email.

True. Access to password managers, authenticators and email(s) should not even depend on each other. Like e.g. how you should not have your authenticator as a second factor to your password manager, or your authenticator account password stored inside your password manager because you will need access to one to access the other. Exception is when you do not make use of a second factor or have backup codes for that (which also need to be stored somewhere).

But since everything wants a way of recovery we keep adding things that depend on other things 😅

[maxeffent]

When enabling Email Verification in Ente Auth, users are warned not to store their email 2FA/MFA within Ente Auth. While this is a reasonable recommendation to mitigate account lockout, other secure vendors, like Tutanota, allow MFA Reset via Recovery Code + password.

Enabling Email Verification reset via Recovery Code + Password would mitigate users having to use yet another MFA application for their email address, while still mitigating Ente Auth lockout should the verification email address not be accessible or MFA for the email address is stored in Ente Auth.