So from what I unedrstand, Signal has this concept of a “master device”, which means there’s this one device (usually a phone) that has the “authority” to link other devices to the same account. The other linked devices do not have that capability - not only because of software limitations (in the case of the browser app), but also because of server limitations or restrictions (in the case of, e.g. signal-cli or similar third-party apps). More specifically, signal-cli has the capability of linking with other devices as a “master” device, but not when it was linked as a (presumably) “slave” device.
Beyond the “power user” use case (e.g. my case, where I use signal in the browser and the commandline), it seems to me the more common use case is “i lost my phone” or “my phone just died”. If users would be able to link devices through the chrome app, losing a phone wouldn’t be such a big deal as security numbers would not necessarily have to change.
In fact, this brings the question of revocation: if I have lost my phone, I’d like to be able to revoke access to that thing completely, through other clients. That’s a different feature of course, but it seems like a common use case as well.
In the meantime - is it possible to change what the master device is (e.g. switch phones) without having to re-register? It’s the use case I have right now and seems like a reasonable scenario.
It’s not currently possible, but we’d like to expand capabilities here in the future. There are a lot of edge cases with multi-device, though, and other work has taken priority so far.
The problem is that your master device still contains your identity key. Right now an adversary could extract the identity, re-register with it, and chat with your contacts without them being able to notice anything.
With that stolen phone, an adversary could also take over the registration through SMS or voice registration. Heck, one doesn’t even need the cell phone to do that, you merely need to hijack the phone number through a LNP which basically only requires a (possibly fake) signed bill from the current carrier.
But yeah, I understand that there are technical challenges, but it seems to me there should be ways to safely move that authority between devices without having to change security numbers. That could possibly help with such abuse scenarios (for example by moving the master device offline, or something that is less likely to be stolen).
And thanks for the reply, @moxie0 - it’s always great to hear devs pay attention to user’s requests, even if it’s just a “yeah, we know”. ;)
It is not that simple: If the attacker has the phone, he does not need to re-register, and will continue to use the old identity. The victim could now
get a new SIM card and re-register with a new identity
promote a slave to the new master and thus re-use the identity
In the former case
all contacts which exchange messages with the victim will get notified that the identity has changed
the victim can explain that a device got lost/stolen
the attacker will notice that he cannot login any more, and re-register with the old or new identity. In both cases the contacts will receive another identity key change warning, and should act accordingly
In the latter case
no contact will receive a identity key change warning upon promoting
the attacker may re-register with the victim’s identity at any time, reset the sessions and talk to your contacts without them getting a identity key change warning.
I don’t see a way to reuse an identity key without obscure constructs relying on the integrity of a third party, but i’d be happy to see myself disproved.
I travel often between four different countries and have got four different mobile numbers that I use, for each country one. Multi-device support would be extremely helpful.
@Trolldemorted, how about that: Whenever a new SIM/mobile number is added to an existing account, the user and all contacts get notified that the identity has changed/what phone number has been added. The user can explain that she added a phone. Or now she knows that there is an attacker: she can close her account which would deactivate it on all devices and re-register.
i know this is a very old thread but i figured people interested in the topic would like to know this might actually be implemented somehow, with multi-device support: