Clicking on another user's device prompts you to "manually verify it"

[richvdh]

1. Open the profile of a user who has not been verified (or who has been verified and has an unverified device); see something like this:
   
2. Click on "<N> sessions", to see the full session list
3. Click on a device, marked with a grey shield. (Aside: shouldn't devices that actually haven't been verified by their owner be red, in keeping with the member list?)
4. Observe this modal:
   

Clicking on "Interactively Verify by emoji" attempts to initiate a verification session with that specific device.

Problems:

• It incorrectly says "signed in to a new session without verifying it", even when that is not the case.
• We don't really want to be encouraging users to directly verify each other's devices
• In any case "manually verify it" is confusing wording: we use that to refer to eyeballing the device key.

[optim77]

May I ask about the security of this feauture, verifying someone else's unverified session, remotely, does not give any assurance that we are verifying the right person, is this safe, or am I missing something?

[t3chguy]

May I ask about the security of this feauture, verifying someone else's unverified session, remotely, does not give any assurance that we are verifying the right person, is this safe, or am I missing something?

The whole point of verification in an end-to-end system is to do it via an existing trusted mechanism, e.g. in person or via another verified means of communication. Otherwise it is pointless.

[optim77]

so remote verification of a person's unverified session is not secure. This can only be useful if we are physically able to verify the person and his device. I'm not sure it's right to suggest the possibility of verifying such a session to a user

[t3chguy]

Hence the prompt telling you to urge them to verify their own device...

[BillCarsonFr]

Decision: we should remove this dialog for now, it is outdated.