logging in with cross signing is very confusing #12593

Closed
zeratax opened this issue Mar 2, 2020 · 2 comments

Comments


zeratax commented Mar 2, 2020

This is me trying to log in to my account in a new tab with a logged-in session right next to it:
https://dmnd.sh:8448/_matrix/media/r0/download/dmnd.sh/lJRXjgMcyVvRzINymwzSelJi

Description

Logging into a new device is currently very confusing to me. Especially this part confuses me: the old session talks about a one-time code to verify, while the new login just wants me to enter my SSSS key. If I do enter that, I am completely verified without ever having to do anything in another session, and there is no big warning telling me that a new device has just been added in the other sessions :/
(Image: comparison of the already logged-in session with the new session)

Also, this whole process takes ages (see #12376) but gives barely any feedback. In a previous attempt, hitting the continue button here didn't seem to do anything, even though things were happening in the developer console, but no feedback was given to me otherwise until the next modal finally opened.
(Image: continue verifying)

I expected some OTP confirmation, and I guess that's really doing much when I enable key backups, but at the very least I would expect a big red sign telling me that a new device has been added, which you only get when you're currently logged in during this process.
If someone were to steal both my account password and SSSS password, it seems to me like they could log in to my account, read and send encrypted messages, and nobody would notice unless they actively check my devices.

Steps to reproduce

  • log in (with key backup enabled)

Version information

  • Platform: web (in-browser)

For the web app:

  • Browser: Firefox 73.0.1
  • OS: Windows
  • URL: riot.im/develop for the new session and https://chat.dmnd.sh (1.5.10-37-g6bc79ad5-dirty) for the logged in session
zeratax (Author) commented Mar 3, 2020

Okay, key backup doesn't have any effect on this, and using two riot/develop sessions also doesn't change anything, but what I did notice is I was doing #12546, which made the modals pop up from two different logins.
When I did only one login I could finally verify using emoji, but it did still time out before that happened, asking me to enter my SSSS password, which I needed to [X] to see the emoji verification behind it.

jryans (Collaborator) commented Mar 6, 2020

Thanks for testing cross-signing as it stands at the moment. I guess I'll start by saying I am not surprised it's confusing at the moment: you are testing a half-finished feature that is still in active development.

With that disclaimer out of the way, let's see how your feedback matches up with issues...

> Logging into a new device is currently very confusing to me, especially this part confuses me, the old session talks about a one time code to verify, while the new login just wants me to enter my SSSS key.

On the old device, you are seeing a toast to verify the new device which you could use if you skipped complete security on the new device.

Complete security on the new device has been using SSSS at the moment, but that's really more like an "account recovery" method that is asking for the passphrase that guards your cross-signing identity.

> If I do enter that I am completely verified without having to ever do anything in another session and there is no big warning telling me that a new device has just been added in the other sessions

Yes, this doesn't quite exist yet in the way you are asking for. There are toasts for unverified devices, and you can manually check your device list to see new ones. Future work is planned to add a more robust audit trail of added devices.

> Also this whole process takes ages see #12376 but gives barely any feedback.

Yes, this is unfortunate, but it's tracked in that issue as you say.

> I expected some otp confirmation

At the moment, that does not happen because we've been using the SSSS passphrase to verify during complete security as mentioned above. Interactive flows will also be added, see #11215 and #11217.

As far as I can tell, everything you have reported is already tracked separately, so I don't think we need to keep this open. Thanks for testing and providing feedback on this work-in-progress feature! 😄
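The gap the thread describes is that a device added by someone holding both the account password and the SSSS passphrase ends up cross-signed by the account's own self-signing key, so a signature check alone never flags it; only a diff of the device list against a stored snapshot does. The following is an added example of that audit, written for this page and not code from Riot or matrix-js-sdk; it assumes the field layout of the Client-Server `/keys/query` response (`device_keys`, `self_signing_keys`, `signatures`) and uses constructed placeholder keys and device IDs.

```python
import json

# Constructed sample shaped like a /keys/query response (assumption: field names
# follow the Client-Server spec; the key material below is a placeholder, not real).
USER = "@alice:example.org"
SELF_SIGNING_PUB = "SSK_PLACEHOLDER_BASE64"
SSK_ID = "ed25519:" + SELF_SIGNING_PUB
SAMPLE_KEYS_QUERY = json.dumps({
    "self_signing_keys": {USER: {"user_id": USER, "usage": ["self_signing"],
                                 "keys": {SSK_ID: SELF_SIGNING_PUB}}},
    "device_keys": {USER: {
        # long-known device, cross-signed
        "LAPTOP01": {"device_id": "LAPTOP01",
                     "signatures": {USER: {"ed25519:LAPTOP01": "sig", SSK_ID: "sig"}}},
        # the issue's scenario: a fresh login that completed security via SSSS,
        # so it is already cross-signed and passes any signature check
        "NEWTAB02": {"device_id": "NEWTAB02",
                     "signatures": {USER: {"ed25519:NEWTAB02": "sig", SSK_ID: "sig"}}},
        # a fresh login that skipped complete security: only self-signed
        "PHONE03": {"device_id": "PHONE03",
                    "signatures": {USER: {"ed25519:PHONE03": "sig"}}},
    }},
})


def self_signing_key_id(resp, user):
    """Return the 'ed25519:<pubkey>' id of the user's self-signing key, or None."""
    keys = resp.get("self_signing_keys", {}).get(user, {}).get("keys", {})
    return next(iter(keys), None)


def is_cross_signed(device, user, ssk_id):
    """True if the device's keys carry a signature made with the self-signing key."""
    return ssk_id is not None and ssk_id in device.get("signatures", {}).get(user, {})


def audit_devices(keys_query_json, user, known_ids):
    """Compare the live device list with a stored snapshot of device IDs.

    Returns (new_ids, unsigned_ids). A device can be new AND cross-signed, which is
    exactly the case the snapshot diff exists to catch. With no self-signing key
    published, every device is reported as unsigned.
    """
    resp = json.loads(keys_query_json)
    ssk_id = self_signing_key_id(resp, user)
    devices = resp.get("device_keys", {}).get(user, {})
    new_ids = sorted(d for d in devices if d not in known_ids)
    unsigned_ids = sorted(d for d, k in devices.items()
                          if not is_cross_signed(k, user, ssk_id))
    return new_ids, unsigned_ids
```

After each run, persist the full set of device IDs as the next snapshot so that only devices added since the last check are reported.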
