This repository was archived by the owner on Sep 10, 2024. It is now read-only.

Password recovery #13

Closed
sandhose opened this issue Jan 17, 2022 · 2 comments · Fixed by #2866
Labels
  • A-Account-Management: Related to self-service account management
  • A-Local-Password: Related to the local password database
  • S-Major: Major functionality / product severely impaired, no satisfactory workaround.
  • T-Enhancement: New feature or request
  • Z-Product-Input: Requires input from the product team

Comments

@sandhose
Member

sandhose commented Jan 17, 2022

Users should be able to recover their account via email.

Potential flows:

  1. Start the recovery, you get a code by email, you enter that code, you can set a new password
  2. Start the recovery, you get a link by email, you follow that link, you can set a new password

The first flow feels better at not disrupting the current action. If you're in the middle of a client login, it's easier to resume that login after that.

The second flow feels better at preventing social engineering attacks, as we would require the person to click a link and change the password on the same device they are checking their emails, whereas in option 1, the attacker could just ask "can you give me the code you just got by email" and the user could overlook that it's for a password change.

Open questions:

  • Option 1. or 2. -> 2
  • What's the input for resetting the account? The Matrix ID or the email address? -> email only
  • Email design and wording
  • Do we automatically login after password reset? -> no
  • Do we send a password change email notification after that? -> ideally
  • Do we log off existing sessions when you recover your account that way? -> no
  • Do we only use the primary email address, or do we allow any email address on the account? -> all emails, but add email notification if we do so

Relevant design screens:
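The link-based flow chosen above (email-only input, any verified address accepted, notification on reset, no automatic login), sketched as an added in-memory example; this is not code from the project, and the account table, the 15-minute lifetime and the `auth.example` URL are constructed assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60                 # assumed lifetime; the issue fixes none
RECOVERY_URL = "https://auth.example/recover"  # placeholder hostname

# Constructed account table: user id -> verified emails, primary address first.
ACCOUNTS = {"@alice:example.org": ["alice@example.org", "alice.work@example.com"]}


def _owner_of(email):
    """Any verified address on the account may start a recovery."""
    return next((u for u, mails in ACCOUNTS.items() if email in mails), None)


class RecoveryTokens:
    def __init__(self, now=time.time):
        self._now = now
        # sha256(token) -> (user_id, email, expires_at). The raw token exists only
        # in the email link, so a leaked store cannot be replayed.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def start(self, email):
        """Return the emails to send. The HTTP reply to the requester must be the
        same whether or not the address is known, so it cannot enumerate accounts."""
        user_id = _owner_of(email)
        if user_id is None:
            return []
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, email, self._now() + TOKEN_TTL_SECONDS)
        mails = [(email, f"Reset your password: {RECOVERY_URL}?token={token}")]
        primary = ACCOUNTS[user_id][0]
        if email != primary:  # recovery via a secondary address also alerts the primary one
            mails.append((primary, f"A password reset was requested via {email}"))
        return mails

    def complete(self, token, new_password, set_password):
        """Consume the token (single use, even when it turns out to be expired) and
        set the password. Returns the change notification to send, or None on failure.
        Deliberately never creates a session: the user logs in afterwards."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, email, expires_at = entry
        if self._now() > expires_at:
            return None
        set_password(user_id, new_password)
        return (ACCOUNTS[user_id][0], "Your password was changed")
```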

@hughns
Member

hughns commented Apr 6, 2022

After recovering and setting a new password the user should be given the option to log out all other sessions or leave them intact.

See element-hq/element-web#2671 for discussion and context on this behaviour.

@sandhose sandhose added T-Enhancement (New feature or request), A-Local-Password (Related to the local password database), S-Major (Major functionality / product severely impaired, no satisfactory workaround.) and A-Account-Management (Related to self-service account management) labels Oct 11, 2023
@sandhose sandhose added the Z-Product-Input Requires input from the product team label May 7, 2024