by cf_ 1749 days ago
Ok, that's cool! But the client gets to download the encrypted master key without authentication, right? Doesn't that enable easy offline attacks or is the decryption too time-consuming?

No, the client has to first verify their email address and 2FA (if configured) to receive the encrypted keys. In addition to this, the decryption is time-consuming.