Hacker News
by pennyintheslot 1846 days ago
Well, if I assume that I just got temporary access to someone’s unlocked device, then it would probably be a lot more convenient for me to quickly transfer the account to one of my own devices and then access it from there instead of accessing it from my target’s device, which I might lose access to at any moment.

So from that point of view it would be legitimate to argue that I might want to get notified if one of my contacts transfers his account. I can then double-check: “Did you just transfer your Signal account to a new device or was that an attacker?”

That might only be interesting for high-risk users though and could impair the UX. Why not make it optional?

1 comments

Configurable security posture is the sort of thing that got RSA into trouble. For the huge majority of users, opinionated security is a much better approach, even ignoring the maintenance problems of having special features.

The temporary access threat model is a common criticism that people use, but it is largely incoherent. Once you are making human judgements like "enough time to transfer a Signal account but not enough time to install a rootkit" things quickly break down into meaninglessness.

I don't really like trusted computing, but it is part of the mobile security model. There's a distinction between Signal deliberately facilitating extraction of the keys, and having to break a device's security to do so.