We should prompt users to clean up old devices more aggressively #2154
Comments
We should also delete devices on logout too (#3238)
This is getting more and more important, imo, especially to help protect users from the risk of 'ghost' devices which an attacker has added to try to intercept their comms.
Instead of on each login (because that would probably get annoying), you could have two sections in the device list: current devices and devices we think are old, maybe moved there after not being logged in to for 6 months. I can't remember the issue number for in-app notifications that aren't modal dialogs, but then you could send some kind of in-app notification saying we think you have old devices that can be cleaned up, and with one click you can delete all the old devices (or select individual ones to delete). Related: #8319
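The two-section split proposed in the comment above, sketched as an added example (not code from this thread or from the project). It assumes the device list has the shape of the Matrix client-server `GET /devices` response; the helper names, the 183-day cutoff and the sample devices are hypothetical.

```javascript
// Added example. Field names follow the Matrix client-server GET /devices
// response: device_id, display_name, last_seen_ts (ms since the Unix epoch).
const DAY_MS = 24 * 60 * 60 * 1000;
const STALE_AFTER_MS = 183 * DAY_MS; // assumption: "6 months" taken as 183 days

// Split a device list into current / old / unknown (hypothetical helper).
function triageDevices(devices, currentDeviceId, now = Date.now()) {
  const result = { current: [], old: [], unknown: [] };
  for (const d of devices) {
    const ts = d.last_seen_ts;
    if (d.device_id === currentDeviceId) {
      result.current.push(d); // never offer to delete the session in use
    } else if (typeof ts !== "number" || !Number.isFinite(ts) || ts <= 0) {
      result.unknown.push(d); // no usable timestamp: show it, don't guess
    } else if (now - ts > STALE_AFTER_MS) {
      result.old.push(d);
    } else {
      result.current.push(d);
    }
  }
  result.old.sort((a, b) => a.last_seen_ts - b.last_seen_ts); // oldest first
  return result;
}

// Build the non-modal notice; null means there is nothing to prompt about.
function cleanupNotice(triage) {
  if (triage.old.length === 0) return null;
  return {
    text: `We think you have ${triage.old.length} old device(s) that can be cleaned up`,
    preselected: triage.old.map((d) => d.device_id), // one-click delete set
    needsReview: triage.unknown.map((d) => d.device_id), // user decides
  };
}

// Constructed sample data, not taken from any real account.
const NOW = Date.UTC(2020, 4, 1);
const SAMPLE_DEVICES = [
  { device_id: "CURRENTDEV", display_name: "This tab", last_seen_ts: NOW - 300 * DAY_MS },
  { device_id: "OLDPHONE", display_name: "Old phone", last_seen_ts: NOW - 200 * DAY_MS },
  { device_id: "LOSTTAB", display_name: "Lost tab", last_seen_ts: NOW - 400 * DAY_MS },
  { device_id: "LAPTOP", display_name: "Laptop", last_seen_ts: NOW - 30 * DAY_MS },
  { device_id: "NEVERSEEN", display_name: "Unknown" }, // last_seen_ts absent
];
const notice = cleanupNotice(triageDevices(SAMPLE_DEVICES, "CURRENTDEV", NOW));
console.log(notice);
```

Devices with no last-seen timestamp are listed for review rather than preselected, because age alone says nothing about them.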
The cross-signing work on develop (and to be released quite soon) addresses this via toasts that encourage reviewing both new and existing sessions, so I believe that's enough to consider this resolved.
@jryans I don't think so. When you set up cross-signing for the first time you do get toasts for your existing sessions, but it does not prompt you to clean them up. The only options are to verify them or to say it wasn't you, in which case it says "Your account is not secure" and something has been compromised. There is no button to say, this is an old session, log me out of it. Also the text in this toast seems wrong. This is not a new login, this was an existing login from pre-cross-signing.
The toasts are rapidly changing. As of the last few days, many bugs and tweaks have landed with the toasts and continue to land as we speak, so it highly depends on exactly what version you are testing. If you are sure you're on latest develop and an existing session is shown as new, it may be a bug, so please file it separately. For old sessions, we send you to user info to verify for now, as a bit of a hack. Post-release we'll add proper session management with both verify and delete in a single place in settings (#11221).
Yes that was on the latest /develop at the time of writing that comment. Looks like #13463 already exists for that. |
I still think a periodic check of whether all your devices are still recently used would be desirable. |
It's mildly alarming that #megolm has 20 users but 104 devices; as a result, each new megolm session requires sharing 104 new room_keys, which doesn't feel like it's going to scale. Perhaps when logging in and creating a new device, Vector should prompt the user to go clean out any old ones (as for the web case, it's likely the new tab is replacing an old lost tab