Migrate a regular multiaccount to a keycard

[guylouis]

Goal

We want a normal status user (on mobile) that has a multiaccount setup on his phone, and that purchases a brand new keycard, to be able to migrate this multiaccount to the keycard

Problem

This feature is not offered now. So the only thing the user can currently do his

• go to his list of multiaccounts
• try to import a new multiaccount
• enter the same seed

... and he gets a error message because this seed is already used by the current multiaccount

Solution

What is for sure:

• the user needs to select which multiaccount he wants to migrate
• the user needs to enter his seed again, because the root of the multiaccount is not stored on the phone and needs to be stored on the card

The following need to be decided.

• (design) where does the flow start ?
  - logged into the multiaccount in the profile section
  - or in the list of multiaccounts
• (technical) can we keep the user's data (messages, accounts) ?
• design, this will be a succession of screen with the following logic
  - user chose a multiaccount
  - he's been prompted about what he's going to do (move his keys to the keycard) and what he needs (a keycard with no secret stored)
  - (enter his password again ?)
  - asked to enter his seed again
  - taken through keycard onboarding (he will get a PIN, PUK, Pairing code if the card is new)

[cammellos]

@errorists @hesterbruikman could you please have a look at this from the UI/UX perspective so we can get it ready for development?
Thanks!

[hesterbruikman]

@guylouis thanks for the clear description!

To make it explicit. The scope of this issue is to only move a multiaccount, correct?

A variation could be a use case where the user does not want to move all accounts, but only a high value account they already have in their multiaccount, e.g. m/44'/60'/0'/0'/1 only) to Keycard. I suspect we'd have no root to derive the chat key in this case.

[hesterbruikman]

WIP on Figma

Exploring options I found that the flow to migrate and reset password have overlap #10129

@rasom Can you tell me more about this question:

(technical) can we keep the user's data (messages, accounts) ?

[rasom]

(technical) can we keep the user's data (messages, accounts) ?

sure

[cammellos]

@hesterbruikman the designs looks good to me, the only thing is that if you want to keep the user data, you will need to ask them for their current password, otherwise we won't be able to migrate the data. @rasom correct me if I am wrong

[rasom]

@cammellos sure, we would need to have an old password in order to decrypt an existing database

[guylouis]

In theory there are 4 cases where the seed entered by the user is already in use on the phone
where the seed is stored -> where the user decides to migrate it

1. phone -> phone: that's a password reset
2. phone ->keycard: that's the phone to keycard migration
3. keycard -> keycard
4. keycard -> phone

'1.' and '2.' are tackled above. For 3. and 4. we should define what we do.

I think 3. and 4. corresponds to cases where the user

• 3: he has still his keycard -> that's the place where the user could go to try to duplicate his keycard, but we've got to answer that we can't use two different keycards with the same key on one multiaccount
• 4: he has lost his keycard -> that's the place where the user can go to delete a keycard multiaccount if he has lost the card

@hesterbruikman wdyt ?

[hesterbruikman]

• 1 & 2. - Currently covered. After a review with @johnlea-quiup decided to separate these two cases after all. So no single Reset flow, but a separate Reset password flow. Where Reset password is accessed through settings and Change profile storage is accessed through settings or adding the seed of an existing multiaccount.

• 3 - Agree, in the UI this should be naturally handled when choosing Keycard storage and tapping an empty card; at least I don't foresee changes to the UI for this case, aside from removing the 'this account already exists' error message

• 4 - This seems like an issue to 'overwrite or wipe Keycard'. I'm not sure if we have an issue documented for this. I think it should be handled separately and in the UI would appear as a Delete my profile option under Privacy and Security that is currently available for regular accounts

A case I think should be included is:

• 5 - Regular -> regular
  The user has lost their password. They're locked out of their regular multiaccount and are trying to regain access to their HD wallet (not db) via seed phrase

I'll make some more edits and set up a call to discuss

[cammellos]

I won't attend today's meeting as I am off,
on my side it looks good now that we are asking the user's password.
In general, I would split the features though:

• First we can have the user move the account to keycard without moving the data (i.e data will be reset), so we can focus on the mechanics of moving keys over/deleting keys

As a user
I want to move my account to keycard
So that I can have it better secured

• Later we can have the move data feature

As a user
I want to keep my data when moving my account to keycard
So that I don't have to start from scratch when moving my account

Of course this might be worked together/released together as it might not be very palatable to the user to having to reset their data, but they are two distinct features imo.

The rest of the cases we can handle in separate issues/tasks.

[cammellos]

@hesterbruikman are the designs still WIP for this or they have been finalized?

As discussed previously, we can start by implementing the flow that just migrates the keys from phone to keycard (no other case), but not the data (so no user password is required), and implement then the flow which also migrates the data in a separate issue.

Let me know if that's ready so I can polish this up and put it in the next column.
Thanks!

[hesterbruikman]

Going through the designs a bit more to detail and separate the Reset flow and make it inaccessible. In the current design you can end up in that flow, while I'm not sure about the behavior yet. I'm looking at how to keep it out of scope.

As a user

I want to reset an existing multiaccount in Status...

• so that I can use my account with a new chat key/profile
• so that my contacts, chats and settings are removed but I can still access my funds
• so that I can access my account after losing my password

[guylouis]

I checked the flows and I find it super complete, great work @hesterbruikman

As per keycard, I think this means in terms of mapping keycard feature vs the designs (I am listing this with what I consider their priority regarding keycard roadmap)

• regular->keycard is flow 2a. It's issue Migrate account to a regular keycard from logged out "Manage keys and storage" #11431
• reset keycard and remove the m.account (issue Clean keycard and remove multi-account #9229) is flow 6
• keycard->regular cause I lost my keycard is flow 5. (Lost Keycard) I lost my keycard and want to regain control of my assets #11391
• keycard->regular cause I don't want to use keycard anymore is flow 4. Migrate multiaccount: keycard to regular #11390

You'll see in the figma a remark about the flow 2a: I think we need an extra screen where the user needs to tap the card he wants to use to differentiate the case where it's already initialized or not (initialized means that it has a pairing code and PIN already).

[hesterbruikman]

Latest designs on Figma

TODO's

• Use biometrics to confirm reset (if enabled)
• Add entry point to key management from fresh Keycard onboarding
• Revisit copy: Reset database = Remove database?
• Check if expandable list item is available as component (likely not, it is currently used in Wallet favorites)
• Add spec that in case of entering the flow through settings, Cancel should be replaced by < chevron

[hesterbruikman]

Design for first iteration is ready cc @guylouis @cammellos :
2. MIGRATATE REGULAR TO KEYCARD
A Without profile data

Changes

• Added entry point to Sign in screen for visibility when existing user has purchased a Keycard.
  • This moves Access existing keys on Sign in screen to a overflow menu that also includes Manage keys and storage
  • I believe this should be part of an initial release for discoverability. Can be addressed in a separate issue

• Updated navigation based on design discussions.
  • Designs show native Android behavior, always a ⟵ button top left; no use of Cancel.
  • ⟵ closes Key management
  • < Previous goes one step back in Key management

[guylouis]

Closing this one since the bulk of it have been closed

• closed: Migrate account to a regular keycard from logged out "Manage keys and storage" #11431 (migration from regular to keycard - logged out state - don't keep database)
• closed : Clean keycard and remove multi-account #9229
• closed : (Lost Keycard) I lost my keycard and want to regain control of my assets #11391

We leave open the following issues

• (left over from Migrate account to a regular keycard from logged out "Manage keys and storage" #11431 )Enable keeping database when migrating account to keycard Enable keeping database when migrating account to keycard #11777
• migration from regular to keycard from signed in state Enable migration to keycard from signed-in state #11778
• (low priority) migration from keycard -> regular Migrate multiaccount: keycard to regular #11390