Recovery key/passphrase no longer required, causes support pain #16123

Closed
opusforlife2 opened this issue Jan 12, 2021 · 5 comments

@opusforlife2

Description

When I created my Matrix account, setting up a recovery passphrase was part of the sign up process. This is no longer the case, as I just tried it with a test account.

This is quite an issue because I'm trying to get people to sign up on Matrix, and if they happen to sign out of their only session, then they need to verify with a recovery passphrase they don't have. They may not have any important messages to lose so early, but they now have a single unverified session that cannot be verified anymore. This is confusing and scary for laypersons, and an instant rejection for most WhatsApp refugees.

Steps to reproduce

  • Create a new account on matrix.org
  • Go through the sign up process.

Expect to see the recovery key/passphrase dialog. It isn't there. Now if you sign out of your only session (which laypersons won't know not to do) then you're stuck with an unverified session.

Version information

  • Platform: web
  • Browser: Firefox 84.
  • OS: Windows.
  • URL: app.element.io

@opusforlife2 changed the title from "Recovey key/passphrase isn't part of the sign up process anymore!" to "Recovery key/passphrase isn't part of the sign up process anymore!" on Jan 12, 2021

@t3chguy
Member

t3chguy commented Jan 12, 2021

You are prompted to set it up when you first enter any encrypted room. There is nothing to lose before that point.

@opusforlife2
Author

Ah. Good to know! I hadn't tried that.

Follow-on: I tried the same thing on Element Android. It prevents you from signing out with a warning message that facilitates either setting up a recovery key/passphrase, or explicitly choosing to sign out. This is a far better UX than Element Web currently has, which:

  1. Doesn't get you to set up a recovery passphrase during sign up (which you've explained the reason for above).
  2. Doesn't warn you about not having a recovery passphrase when signing out.
  3. Effectively blocks you (a newbie) from signing in with a scary message talking about cross signing (newbie has no idea what this is) and a big red Skip button, clicking which shows you another scary confirmation dialogue about really skipping this seemingly important step that you (the newbie) have no idea about. -> (This is the step where I get alarmed tech support questions. :D )

I see two easy solutions:

  1. Do the same thing Element Android does: let the user set up a recovery passphrase before signing out.
  2. Don't bother with verifying a new login until the user has created a recovery passphrase, which will happen automatically, as you say, when they first enter an encrypted room, so before they ever send or receive an encrypted message.

@opusforlife2
Author

@t3chguy Your thoughts?

@t3chguy
Member

t3chguy commented Jan 25, 2021

I'll defer to design/product for thoughts

@jryans changed the title from "Recovery key/passphrase isn't part of the sign up process anymore!" to "Recovery key/passphrase no longer required, causes support pain" on Jan 25, 2021

@jryans removed the Z-UI/UX label on Mar 8, 2021

@opusforlife2
Author

I don't understand. Why is this not being looked at with higher priority? I've already stated that this is causing a direct loss of new users.

@jryans You've added the enhancement label and removed the defect one. May I ask why? What I've described is clearly a defect. Not a defect in the code, but certainly a defect in the UX.

Is this a hard problem to solve? There are two dialogue boxes that need to be removed if the user does not have any encrypted chats, has not set up any recovery passphrase, and logs out of their only session.
