archive
/
matrix-spec-proposals
mirror of https://github.com/matrix-org/matrix-spec-proposals
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add an MSC proposal for how to handle sessions when modifying a password.

Browse Source
pull/2457/head
Patrick Cloke 5 years ago
parent 7666b9fea7
commit 1facf7ff12
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File

53
proposals/2457-password-modification-invalidating-devices.md
Unescape Escape View File

@ -0,0 +1,53 @@
# Invalidating devices during password modification
There are multiple use cases for why a user might want to modify their password:
* Adopting a password manager (to use a unique password or more secure password).
* Password rotation.
* Re-secure a compromised account.
* ... probably tons of others ...
These can be summarized into two groups:
1. "My account has been compromised and I need to re-secure it."
2. "I just want to change my password."
The [current Matrix specification](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
does not provide a way to differentiate between these use cases. It gives no
guidance into what should happen to other sessions / devices when a password is
modified and leaves it up to the implementation.
It is reasonable for a client to want to specify this behavior to offer two
different workflows:
1. Modify a password and log all other devices out (for use when an account has
been compromised).
2. Modify a password and do not touch any session data (for use in a
non-malicious situations).
Alternately a client may default to whichever workflow is best for their users.
## Proposal
An optional field is added to the JSON body body of the [password reset endpoint](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
called `logout_devices`. This is a boolean flag (defaulting to `true`) that
signals to whether other devices and sessions should be invalidated after
modifying the password.
## Potential issues
While Synapse defaults to the behavior of invalidating other devices and
sessions this may not be true of other implementations. Thus, a default of
`true` may not be backwards compatible. It might be more prudent to specify that
the behavior of not specifying the `logout_devices` flag is undefined.
## Alternatives
Provide a new endpoint in a future version that supports an additional field (as
above), using a new endpoint would avoid backwards compatibility issues.
## Security considerations
By defaulting to invalidating devices and sessions the security considerations
of this endpoint should remain intact. A client will need to be modified to
choose to keep other devices active.
Write Preview
Loading…
Cancel
Save