In the unfortunate case you’ve forgotten your password, there is still one method to change it by requesting a one-time authentication code via email, but it requires a working Tresorit desktop client application that automatically logs you in.
Your password is indispensable for accessing your tresors, but it is never used directly. Two pieces of information are irreversibly derived from your password using the PBKDF2 algorithm. The authentication key is used to prove your identity to our servers when downloading your encrypted roaming profile, which stores the access keys to all of your tresors. The master key is used to encrypt and decrypt your roaming profile. Normally both are required to change your password. For further details on how password handling and key management work, please read our article How is your user profile handled.
Please note that Tresorit has no access to your password. The password code feature will NOT recover your actual password, but it can help you create a new password securely.
As you’ve been automatically logged in to the client application, the master key is already available without knowing the password: the automatic login works by decrypting your roaming profile directly with the master key stored locally on your device. Please note that your password is never stored or sent anywhere by Tresorit.
However, it is still required to prove your identity to our servers. Because the password is unknown, there is no way to calculate the authentication key that would normally be used in the challenge-response protocol during authentication. Instead, we send a randomly generated, one-time authentication code to the email address associated with your Tresorit account. Similarly to two-factor authentication, we assume that if you are able to obtain the authentication code, it proves that you can access your email account and thus that you are in control of the associated Tresorit account.
You will then be able to use this code to initiate the password change, which takes place as usual: a new pair of master and authentication keys is derived from the new password you have entered, your roaming profile is re-encrypted with the new master key, and the result is uploaded to the cloud.
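The following Python script is an added illustration of the mechanism described on this page, covering both the key derivation (two keys from one PBKDF2 run, one for authentication, one for encrypting the roaming profile) and the forgotten-password flow (master key taken from the local cache, identity proven with a single-use emailed code, profile re-encrypted under keys derived from the new password). It is not Tresorit's code: the iteration count, key sizes, the encrypt-then-MAC profile cipher built from HMAC-SHA256, the ToyServer API and the sample profile are all assumptions made for the example.

```python
"""Added example of password-derived keys, an encrypted roaming profile and a
one-time-code password change. Not Tresorit's code; all parameters are assumed."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumed; the real iteration count is not stated on the page
CODE_LIFETIME_SECONDS = 600  # assumed validity window for the emailed code


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Return (authentication_key, master_key); one PBKDF2 output split in two,
    so holding one key reveals neither the other key nor the password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and integrity keys derived from the master key."""
    return (hmac.new(master_key, b"profile-enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"profile-mac", hashlib.sha256).digest())


def encrypt_profile(master_key: bytes, profile: bytes) -> bytes:
    """Encrypt-then-MAC the roaming profile; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(profile, _keystream(enc_key, nonce, len(profile))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def decrypt_profile(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong master key or tampering raises."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("roaming profile failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def answer_challenge(auth_key: bytes, challenge: bytes) -> bytes:
    """Client side of the challenge-response login: prove possession of the auth key."""
    return hmac.new(auth_key, challenge, hashlib.sha256).digest()


class ToyServer:
    """Stores salt, authentication key and encrypted profile per user, never the
    password or master key. One-time codes are single-use and expire."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.codes: dict[str, tuple[str, float]] = {}

    def register(self, email: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        self.users[email] = {"salt": salt, "auth_key": auth_key, "blob": blob}

    def verify_login(self, email: str, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(answer_challenge(self.users[email]["auth_key"], challenge), response)

    def issue_one_time_code(self, email: str) -> str:
        code = f"{secrets.randbelow(10**8):08d}"
        self.codes[email] = (code, time.monotonic() + CODE_LIFETIME_SECONDS)
        return code  # would be delivered by email; returned directly only for this demo

    def change_password_with_code(self, email: str, code: str, new_salt: bytes,
                                  new_auth_key: bytes, new_blob: bytes) -> bool:
        stored = self.codes.pop(email, None)  # pop: each code is accepted at most once
        if stored is None or time.monotonic() > stored[1] or not hmac.compare_digest(stored[0], code):
            return False
        self.users[email] = {"salt": new_salt, "auth_key": new_auth_key, "blob": new_blob}
        return True


def forgot_password_flow(server: ToyServer, email: str, cached_master_key: bytes,
                         local_blob: bytes, code: str, new_password: str) -> bytes | None:
    """Client side: decrypt the profile with the locally cached master key, derive
    fresh keys from the new password, re-encrypt the profile and upload it."""
    profile = decrypt_profile(cached_master_key, local_blob)
    new_salt = os.urandom(16)
    new_auth_key, new_master_key = derive_keys(new_password, new_salt)
    new_blob = encrypt_profile(new_master_key, profile)
    if not server.change_password_with_code(email, code, new_salt, new_auth_key, new_blob):
        return None
    return new_master_key  # cached locally so the next automatic login still works


def demo() -> dict:
    """Constructed walk-through: register, forget the password, recover via code."""
    server, email, salt = ToyServer(), "user@example.com", os.urandom(16)
    auth_key, master_key = derive_keys("old passphrase", salt)
    profile = b'{"tresors": {"docs": "key-A", "photos": "key-B"}}'  # constructed sample
    local_blob = encrypt_profile(master_key, profile)
    server.register(email, salt, auth_key, local_blob)
    code = server.issue_one_time_code(email)
    new_master = forgot_password_flow(server, email, master_key, local_blob, code, "new passphrase")
    replay = server.change_password_with_code(email, code, salt, auth_key, local_blob)
    new_auth, _ = derive_keys("new passphrase", server.users[email]["salt"])
    ch = os.urandom(32)
    return {"recovered": decrypt_profile(new_master, server.users[email]["blob"]) == profile,
            "new_password_logs_in": server.verify_login(email, ch, answer_challenge(new_auth, ch)),
            "old_key_rejected": not server.verify_login(email, ch, answer_challenge(auth_key, ch)),
            "code_replay_rejected": not replay}
```

Running `demo()` shows the properties the text relies on: the profile survives the password change unchanged, only keys derived from the new password authenticate afterwards, and the emailed code cannot be replayed. The server never sees the password or the master key; the forgotten-password path works only because the client still holds the master key locally, which is why a working, logged-in desktop client is required.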