Customer questions

Hi

Didn’t have time to completely read all the docs. So I have some questions from the customer’s point of view.

EDIT: My use case: I’m more concerned with secure cold storage. I’m trying to get completely rid of local backups in a way that survives disasters (like a home or a datacenter location burning down 🙂) and that I don’t have to monitor. Hot storage is a bonus.

a. Do I need to use the STORJ tokens to make sure I’m covered for the future without lifting a finger? Currently I was just asked for my CC info and that’s it… I think I need to complete my bank’s “2FA” the first time I’m being charged.

b. What happens if I get locked out of my email account, but still have access to my passphrases and bills are all paid? Is it technically possible to still recover my data?

c. What happens if my email gets compromised and buckets deleted from your web interface by an attacker? Is my data gone then? I’m looking to encrypt locally using cli/rclone. Email credentials are way too hot for backups.

d. I noticed that it’s possible to have several passphrases for a single bucket and also upload to root without specifying a bucket (rclone, not 100% if it’s stored). How does that work? What part of the directory structure is encrypted? Are filenames encrypted? My impression is that the web interface just displays valid decrypts and users are expected to use a single passphrase per bucket.

a. You may opt to prepay for future usage using STORJ token, while also keeping a credit card on file as backup payment method. There are currently no bank 2FA requirements; as long as your card is valid, we will be able to charge it for the past month's usage at time of invoicing.
b. If you are a Pro Account customer and you lose access to your email account, you can file a support ticket to ask us to change your email address to a new one. We strongly recommend you make a helpdesk account using your current email address on your Storj DCS account before you lose access to it, as we will need to ask you to prove you are the account owner before we will greenlight a change to a different email address. This is for security reasons.
c. An attacker would have to compromise not only your email but also your Storj DCS account password, and gain access to your 2FA device if you had the foresight to activate 2FA on your account before having it compromised. Besides this, the encryption keys to your access grants that allow you to manage your buckets and their contents are not stored inside your Storj DCS account in any form; you need to make a backup yourself, for example on a USB stick, which you should keep in a safe place, apart from the computer where you manage the account. The attacker would have to physically compromise the location where you keep the encryption keys in order to gain access to your buckets that are protected by those keys. If an attacker physically compromised your home or bank deposit box, I think you have other problems to worry about besides them deleting your data. I suggest you read the documentation section on access grants and encryption keys; there you will find the answers to your remaining questions.

1 Like

All makes sense. Except about the bucket management. I just did a quick test.

No passphrases stored in web. No grants. Just 2 API keys (web and rclone).
With rclone, created a bucket and uploaded a file (with passphrase).
Logged in to web and deleted the bucket.

Data gone on both ends.

Even if I still have access to my email I don’t see a way to change it. Is there a reason not to allow changing the registered email online? This seems to be very unusual. At least all online services where I have an account allow change of email online (of course by verifying that you have access to the old and to the new one).

Hello @Ivarpoiss,
Welcome to the forum!

You are correct, if someone would be able to breach your satellite account, they can remove a bucket or start to use it for themselves. They also can remove all access grants (however, this is not a problem, while you have your encryption phrase(s), you always can re-create your access grants back).
So, it’s recommended to enable 2FA for your satellite account to avoid a breach.

1 Like

A few reasons.

  • do not store all eggs in the one basket (on the satellite only);
  • independent verification.

However, they make it difficult to implement a safe automated email change. But I hope we will implement different methods for authentication, for example, Etherum Wallet Authentication · Issue #21 · storj/roadmap · GitHub

1 Like

But this practice is really unusual. So I doubt it is required. I have just checked with an AWS account and there is absolutely no issue changing the account email. So I am wondering a bit why Storj makes such an issue out of it instead of following the industry standard. It feels totally unnecessary and over-complicating stuff.

We are trying to be a secure solution.
In AWS they keep the verification in the same place as the authentication. So, it can be breached at once.

Our approach is not ideal either, but harder to circumvent.
You may suggest your own solution, which doesn’t bring together the authentication and verification into one point of failure.

As you may know, we separated an authorization (encryption phrase, client side encryption/decryption) from the authentication (server-side, API Keys) too.

How? Maybe I am missing something.
I am specifically looking at the case where a customer simply wants to change the account email address to a new one while he still has access to his old email. This case is of course different from one where a client has lost access to his old email.

Now let’s say this customer has MFA enabled. The workflow would be that customer logs into account, starts change email workflow, receives link in old email account which he has to confirm, then receives link in new email to verify it is a valid email he has access to and then the change can be performed.

An attacker would need the current account email address, the password, the OTP device and even access to the current email account to be able to perform such a change.
Let me understand why this is not sufficient security in your opinion.

I have one provider that sends a pin to the current email address when I want to change the email address. And I have to enter the pin to perform the change. I never considered this practice as not secure.
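
The dual-confirmation workflow proposed in the post above, sketched as an added example; it is not part of the thread and not Storj's code. The class name, the 15-minute lifetime and the HMAC token layout are assumptions made for illustration, and the login with password and MFA is assumed to have happened before the request is created.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime of a confirmation link, in seconds


class EmailChange:
    """Hypothetical pending change: needs confirmation from old AND new address."""

    def __init__(self, server_key, account_id, old_email, new_email, now=None):
        # Assumption: the caller already authenticated with password + MFA.
        self.key = server_key
        self.account_id = account_id
        self.emails = {"old": old_email, "new": new_email}
        self.nonce = secrets.token_hex(16)  # makes tokens unique per request
        self.expires = int(time.time() if now is None else now) + TOKEN_TTL
        self.confirmed = set()

    def token_for(self, role):
        """Token mailed to one address, bound to account, role, address, expiry."""
        fields = [self.account_id, role, self.emails[role], self.nonce, str(self.expires)]
        return hmac.new(self.key, "|".join(fields).encode(), hashlib.sha256).hexdigest()

    def confirm(self, role, token, now=None):
        """Record one confirmation; reject unknown roles, expired or wrong tokens."""
        now = time.time() if now is None else now
        if role not in self.emails or now > self.expires:
            return False
        if not hmac.compare_digest(self.token_for(role).encode(), token.encode()):
            return False
        self.confirmed.add(role)
        return True

    def ready(self):
        """The address may be switched only after both mailboxes confirmed."""
        return self.confirmed == {"old", "new"}


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    req = EmailChange(b"demo-server-key", "acct-1", "old@example.com", "new@example.com")
    print(req.confirm("old", req.token_for("old")), req.ready())
    print(req.confirm("new", req.token_for("new")), req.ready())
```

Because each token is bound to its role and address, a link delivered to the old mailbox cannot be replayed to confirm the new one, and neither confirmation alone completes the change.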

This was already answered in my prior post:
If you are a Pro Account customer and you lose access to your email account, you can file a support ticket to ask us to change your email address to a new one.

The same applies if you did not lose access to your current email address. Go to the helpdesk and file a support ticket asking to change your email address to the new one, after you have signed up for helpdesk accounts for both old and new email address to confirm that you control both accounts. Note that our recently updated terms of service state that we will only offer personalized support to customers with paid accounts, so if you are a free account user, you will need to first upgrade by adding a payment method.

I understand that you would prefer to have a simple button in the dashboard that would allow you to change the email yourself. The current manual email change process is not broken, there is currently a path available to ask for change of email to paid account customers. Automating this would require significant dev time, and has not been our dev team's first priority as they have many other more urgent issues to attend to.

I hope you understand that Storj does not have unlimited dev resources available, unlike some other long established companies, to immediately automate all processes. We have been working on automating many of the processes that previously required manual steps and we continue to add more automations to make our product more user friendly.

2 Likes

Thanks guys!

Some ideas: Maybe an easy and nice to have feature would be the ability to have email addresses for notifications only. Or the ability to disable password recovery (email as username) or just use the API for password changes (maybe already possible, didn’t check).

I think the password recovery is redundant for cli users. If user is able to handle the passphrases then the login also shouldn’t be a problem.

I look at it mainly from the client's perspective. And I was wondering because there is not even a hint on how to change the email address. The impression is that Storj simply has forgotten to add such an option. This leaves a bad taste. I also could not find information about it in the docs. I might have missed it. I think adding a note or a link in the dashboard to the section where it is mentioned would improve the overall impression for the client.

What is really news to me is that this option is only available to paid accounts. I think this is really important information, maybe if you mention that on the dashboard more users would convert to a paid account.

Anyway I am certainly all for an automated workflow like I am used to with any other provider. I think this would save resources for clients and also for Storj. I am sure Storj staff has more important things to do than manually changing email addresses.

But I have learned that it is not for security reasons it is not automated yet, but due to limited dev resources. Then let’s keep hoping that this feature will receive some dev attention in the future.

Email adds an unnecessary point of failure (Like a mail provider getting compromised). Accounts and domains come and go. Even Google is deleting unused accounts. So a workaround of using a cold email account or a long, random non-existent address is also not really feasible (address may leak and someone could grab it).

None of our customers who actually wanted to change their email ever had any trouble requesting the change by filing a support ticket.

As already mentioned in my earlier comment, our updated ToS clearly state that we only offer personalized support to paid tier customers:

8. Customer Support.

Company will provide certain support in connection with your use of the Storage Services as stated herein. The support described herein is available only to Pro Accounts. Accounts (other than Pro Accounts) may request assistance from the community at https://forum.storj.io/.

Upgrading to Pro Account only requires adding a valid payment method. You will not incur any charges unless your usage exceeds what is covered by your free tier coupon. So it should not present an obstacle to obtaining personalized customer support when needed.

Anyone who does not want to upgrade to paid tier may simply backup any data stored in their current account to their local storage, file a ticket to ask for account deletion, and then create a new account under their new email address and re-upload their data. It seems to me it would be a lot simpler to just add a payment method and continue with your usual usage pattern as before, thus not incurring any additional charges.

4 Likes

They don’t have a choice, do they? If there was an automatic option maybe the majority of users would use that instead. It is my personal opinion that they would.

As I have written in my earlier comment, this was news to me. Not the fact that there might be special support options for paid users, but that changing an account email would fall under this limitation. As I understand it this means that a free account user currently cannot change his account email address without upgrading to a pro account, correct?

Well if you are a free user of a legacy account with old limits that you don’t exceed then this option is not really appealing.

So let me put it how I understand it:

  1. I must provide my credit card details to have an email change performed
  2. As a free user I cannot request a change of my email address

With that the GDPR comes into my mind. I am not a lawyer but as a company I would ask myself if that practice is in accordance to the GDPR, mainly 2 principles:

Article 5
Principles relating to processing of personal data

  1. Personal data shall be: […]
    (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Article 16
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

A credit card is not required to process a change of email address. And when my email becomes obsolete and is therefore inaccurate, I shall be in the position to have this corrected. At least this is how I would understand the 2 quotes, which come directly from the original text of the GDPR-law. But as said I am not a lawyer and I am just writing what comes into my mind, but maybe it is worth to double check.

There is another thing that I have just checked with a legacy account and in there I see this:

This is definitely from an account that was created before the limits have changed. So the old limits should still be in place, correct? If that’s true, I think the current section should reflect the true actual limits.
And of course the question is, what would happen if I upgrade this to a Pro Account? Will I keep my 150GB free allowance or will it be reduced to 25GB? If the latter is true, then adding a credit card just for changing an account email would be really disadvantageous.

Why? You will be charged only if you exceed your free tier coupon. In exchange you will get full support and no need to request to increase limits, if you would like to use more than a free tier. You will also have additional options, like https for your custom domain if you are going to host a static website.

or top up your account with STORJ for a sum of more than $10. No personal information is required. And I’m not sure that CC attributes fall into a personal info category.

then you would process like described

You will have the same coupon as before. If it was $1.65, it will remain the same. If it was $0.38, it will remain the same.

Because if you have a legacy account with 150GB free tier and close it and create a new account with the new email as suggested, then only the 25 GB free tier apply. Correct?

So if your usage was below 150GB it was completely free with the old account.
With the new account you have to remain below 25GB for the usage to remain free.

Yes. So, why not upgrade? It seems one more reason to do so.

1 Like

I was just trying to make clear that there could be circumstances that make the suggestion to close an existing account and opening a new one with the new email address not a good option. The matter of upgrading wasn’t even my original concern. I was just surprised by the fact that a change of email is not possible at all without upgrading. My initial question was, why the process to change an email is not an automated self-service. So my question would apply to Pro Account anyway.

why the process to change an email is not an automated self-service.

Once again, this was already answered before, please read my prior posts in their entirety:

We welcome your pull request if you want to contribute to getting email changes automated quicker. I personally don't find this as urgent as implementing other features such as zkSync Era for example.