A mnemonic generated while creating a Keycard multi-account is invalid with other wallets

[guylouis]

more details in this issue #9062 closed for better clarity

Description
When user generates a new keycard multiaccount, he 's been provided by status a 12 word mnemonic

Problem
This mnemonic cannot be used to recover the multiaccount with another wallet (e.g MEW), the mnemonic is said to be invalid

Additional remark
When trying to recover the same mnemonic on the device itself without keycard, Status generates a different account whereas it should generate the same and prevent it for security reasons (see #8750). Procedure to reproduce described in #9062

@dmitryn @gravityblast @rasom

[rasom]

@guylouis before I fix this one, I want to clarify what was the reason for creation of mnemonic for pairing in the first place?

The problem is that "the wrong mnemonic" here is not a random bug, it was intentionally generated as described here. As far as I understand this mnemonic should allow to restore pairing, not private key. But well it won't work as described here, because this mnemonic does't represent master key...

And thus the question is: do we still need to show this mnemonic for pairing to the user or this code should be removed at all from the application?

[guylouis]

@rasom to clarify: the mnemonic entered here should be used to represent the seed of the multiaccount, it is definitely the seed of the BIP32 account.

For now (v1), it is not used for anything related to the pairing of the card. After v1, we will think and design about how the pairing code of the card (which is today an independant value generated randomly and provided by the user) can be derived (with a derivation method to define) from this seed. The advanatge will be for th euser to not have to remember menmnonic + pairing code but only mnemonic. But this is not in the scope now.

Hope this helps.

@gravityblast don't hesitate to jump in the discussion

[gravityblast]

the mnemonic should restore the master key, which is used to derive all the other private keys. the pairing password is something custom and can be generated randomly. @yenda proposed to derive the pairing password from the mnmonic, so that the user needs to remember less things. but we don't have different mnemonics, it's just one.

[rasom]

@guylouis @gravityblast got it, thanks

[guylouis]

Do you know if this being closed, the app prevents to have a ODA and a KCA with the same seed ? as reproduced in #9062

[rasom]

@guylouis nope that issue is not fixed, it should be a separate task because they are unrelated

[guylouis]

ok, I created #9435