# Invalidating devices during password modification
There are several reasons a user might want to modify their password:
- Adopting a password manager (to use a unique or more secure password).
- Password rotation.
- Re-secure a compromised account.
- ... probably tons of others ...
These can be summarized into two groups:
- "My account has been compromised and I need to re-secure it."
- "I just want to change my password."
The current Matrix specification does not provide a way to differentiate between these use cases. It gives no guidance on what should happen to other sessions / devices when a password is modified and leaves it up to the implementation.
It is reasonable for a client to want to specify this behavior in order to offer two different workflows:
- Modify a password and log all other devices out (for use when an account has been compromised).
- Modify a password and do not touch any session data (for use in non-malicious situations).
Alternatively, a client may default to whichever workflow is best for its users.
## Proposal
An optional field called `logout_devices` is added to the JSON body of the password reset endpoint. This is a boolean flag (defaulting to `true`) that signals whether other devices and sessions should be invalidated after modifying the password.
## Potential issues
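The following is an added example, not code from the proposal or from any Matrix homeserver, showing both sides of the proposed field: a client helper that builds the request body (with or without `logout_devices`) and a minimal in-memory server handler that applies the proposal's semantics, including the default of `true` when the flag is omitted and rejection of a non-boolean value. The endpoint path and the `new_password` field are those of the Client-Server API password change endpoint; the account and session structures are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import secrets
from dataclasses import dataclass, field

# Client-Server API endpoint that the proposal extends (path assumed for this example).
PASSWORD_ENDPOINT = "/_matrix/client/r0/account/password"


@dataclass
class Session:
    device_id: str
    access_token: str


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    sessions: list = field(default_factory=list)


class BadRequest(Exception):
    """Stand-in for an HTTP 400 (or 401 for an unknown token) response."""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; a real server would use its own KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(user_id: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt))


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, account.salt), account.password_hash)


def login(account: Account, device_id: str) -> Session:
    # Constructed session: one access token per device.
    session = Session(device_id, secrets.token_hex(16))
    account.sessions.append(session)
    return session


def build_password_request(new_password: str, logout_devices=None) -> str:
    """Client side: omit the flag to rely on the server default, or set it explicitly."""
    body = {"new_password": new_password}
    if logout_devices is not None:
        body["logout_devices"] = logout_devices
    return json.dumps(body)


def handle_password_change(account: Account, requesting_token: str, raw_body: str) -> dict:
    """Server side: change the password, then honour logout_devices (default true)."""
    body = json.loads(raw_body)
    new_password = body.get("new_password")
    if not isinstance(new_password, str) or not new_password:
        raise BadRequest("new_password is required")
    logout_devices = body.get("logout_devices", True)  # default proposed by the MSC
    if not isinstance(logout_devices, bool):
        raise BadRequest("logout_devices must be a boolean")
    current = next((s for s in account.sessions if s.access_token == requesting_token), None)
    if current is None:
        raise BadRequest("unknown access token")

    # Re-salt and rehash so the old hash cannot be reused.
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)

    revoked = []
    if logout_devices:
        # "Other" devices are invalidated; the session making the change stays logged in.
        revoked = [s for s in account.sessions if s is not current]
        account.sessions = [current]
    return {
        "revoked_devices": [s.device_id for s in revoked],
        "active_devices": [s.device_id for s in account.sessions],
    }
```

The handler treats a non-boolean `logout_devices` as a client error rather than coercing it, so a server never silently keeps sessions alive because a client sent the string `"false"`.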
While Synapse defaults to the behavior of invalidating other devices and sessions, this may not be true of other implementations. Thus, a default of `true` may not be backwards compatible. It might be more prudent to specify that the behavior when the `logout_devices` flag is not specified is undefined.
## Alternatives
Provide a new endpoint in a future version that supports an additional field (as above); using a new endpoint would avoid backwards-compatibility issues.
## Security considerations
By defaulting to invalidating devices and sessions, the security considerations of this endpoint should remain intact. A client will need to be modified to choose to keep other devices active.