Account Recovery - About trusting and not being trusted

in HiveDevs, 4 years ago (edited)

A few days ago, during the Hive Meetup organized by the Spanish-speaking community, I presented the Hive Account Recovery Services that I created.

During the ensuing Q&A session, someone asked the following question:

Is choosing @blocktrades or @arcange as our recovery account a good choice?

At first, I answered "Yes, that could be a good choice", then qualified my answer: "Of course, you have to trust @blocktrades (which is true for me) or @arcange (which is also true for me)".

But later, I went back on my answer by saying "No, you should NOT do that!"

Why this change of mind?

It seems that at first, I let myself be carried away by my emotions and my personal experience. Let me explain.

You have to admit that when someone shows their trust in you and asks you to be their recovery account, it flatters your ego a bit. We also want to honor this trust and respond to it in the same way.

So I kinda hastily made the following transposition: this person trusts me, I trust @blocktrades, so they can also trust @blocktrades.

Yet I felt like I heard my little voice telling me "Hmmm, are you sure that's the right answer?".
At first, I thought it was whispering because I didn't want to take on this responsibility and considered @hive.recovery a much better candidate. After all, that is why I created such a service, and I had just introduced it to the audience.

It was only after a little while that I finally understood the reason for this reluctance.

The key factors of the recovery process

Clouded by the bias described above, I had completely overlooked two important factors in choosing your recovery partner:

1. Reverse identification

Your recovery account must be able to formally identify you!

Take the case of @blocktrades and the fact that I could choose him as my Recovery Account.

Beyond trusting him to have the technical skills and the willingness to help me recover my account if it were compromised, I also trust that, should he receive a request to recover my account, before executing it:

  1. he will try to verify if it's me, @arcange, who is making the request.
  2. he has the ability to identify me without a doubt.

The above two lines must absolutely guide the choice of your Recovery Account!

Dan (@blocktrades) knows me personally. We met physically (meaning in the "real" world, don't be kinky 😜) and I can for example remind him of certain elements of conversation that we had together and that only the two of us know. I believe he will ask me other questions as well. Therefore, I know he will be able to identify me with certainty.

In the case of people asking the question during the meetup, I had no information about them: neither their name, where they lived, nor even what they looked like. Nothing.

2. Communication

Another point to which you must be particularly careful in choosing your partner: you must know how to contact him.

It is totally useless to choose someone you trust if you don't have their consent, if you don't know how to send them your account recovery request and if you are not sure that they will respond to you within a certain period of time (as short as possible).

Why are these key factors?

The most profitable things an attacker can do once they have full control of your account are:

  • empty your wallet of its liquid tokens.
  • initiate a power down to get their hands on your Hive Power.
  • initiate a withdrawal from your savings to make your tokens liquid.
  • use your account to scam other users.

1. Reverse identification

Imagine that you are smart enough not to leak your password or keys, but that a hacker notices that you have just changed them. He could then contact your recovery account, pretend to be you and say "Hey, my account just got hacked, can you help me get it back?"

If your recovery account is not cautious and acts without due diligence, it could be the one handing control of your account to the attacker.

Identity theft is so easy to do these days. Reverse identification is a must and any reliable recovery account holders should categorically refuse to initiate the recovery process if they are not able to identify the requester with 100% certainty!

This is what I expect from my recovery account in order to protect my account!
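A concrete shape for the identification protocol described above, as an added example that is not part of the original post and not a Hive chain feature or tool: a challenge-response over a secret agreed in person and kept offline by both parties (the "elements of conversation that only the two of us know"). The secret, account name, key placeholders and function names are all constructed for illustration. The point it makes explicit: the requester must prove something the account's keys do not contain, because those keys are exactly what the attacker holds or what the real owner has lost.

```python
import hashlib
import hmac
import secrets


def answer(shared_secret: bytes, nonce: str, account: str, new_owner_pubkey: str) -> str:
    """Requester side. MAC over the partner's challenge, the account name and the
    new owner public key that the recovery will install. Binding the key means
    someone relaying the exchange cannot swap in a key of their own."""
    msg = f"{nonce}|{account}|{new_owner_pubkey}".encode()
    return hmac.new(shared_secret, msg, hashlib.sha256).hexdigest()


class RecoveryPartner:
    """Side of the person who agreed to act as recovery account.

    `shared_secret` stands in for the things "only the two of us know", agreed
    in person when the partnership was set up. It lives offline with both
    parties and never in the Hive account, so a stolen owner or active key does
    not reveal it. Hypothetical protocol, not a Hive chain feature.
    """

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._open: set = set()   # challenges issued, not yet answered
        self._used: set = set()   # answered challenges, never accepted again

    def challenge(self) -> str:
        """Fresh random nonce per request, so a captured answer cannot be replayed."""
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def verify(self, nonce: str, account: str, new_owner_pubkey: str, response: str) -> bool:
        """Approve only if the answer is to a challenge we issued, has not been
        used before, and proves knowledge of the offline secret for exactly
        this account and this new owner key."""
        if nonce not in self._open or nonce in self._used:
            return False
        expected = answer(self._secret, nonce, account, new_owner_pubkey)
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return False
        self._open.discard(nonce)
        self._used.add(nonce)
        return True


def run_scenarios() -> dict:
    """Constructed walkthrough: the real owner, an impostor who holds the stolen
    account keys but not the offline secret, a replayed answer, and a key swap."""
    real_secret = b"the restaurant where we first met"   # constructed
    account = "someuser"                                 # constructed
    new_key = "STM_NEW_OWNER_KEY_PLACEHOLDER"             # constructed
    partner = RecoveryPartner(real_secret)
    results = {}

    # 1. Legitimate request: the owner answers the partner's challenge correctly.
    nonce = partner.challenge()
    good = answer(real_secret, nonce, account, new_key)
    results["legitimate"] = partner.verify(nonce, account, new_key, good)

    # 2. Replay: the same answer presented a second time is refused.
    results["replay"] = partner.verify(nonce, account, new_key, good)

    # 3. Impostor: stolen keys let them ask, but they cannot compute the MAC.
    nonce = partner.challenge()
    guess = answer(b"wrong secret", nonce, account, new_key)
    results["impostor"] = partner.verify(nonce, account, new_key, guess)

    # 4. Key swap: an answer bound to the owner's new key is not valid for an
    #    attacker-controlled key, so the partner will not install the wrong one.
    nonce = partner.challenge()
    good = answer(real_secret, nonce, account, new_key)
    results["key_swap"] = partner.verify(nonce, account, "STM_ATTACKER_KEY", good)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The design choice worth noting: the partner never asks the requester to sign anything with the account's keys, since a valid signature proves only possession of keys, which is precisely what is in dispute. Whatever the partner checks must come from outside the account, be fresh each time (the nonce), and be tied to the exact new key that will be installed.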

2. Communication

You must be able to communicate quickly with your recovery partner.

  • A withdrawal from your savings takes only 3 days.
  • You and your recovery partner only have 30 days, counted from the change of the owner key, to complete the recovery process.
  • Each week that passes, one thirteenth of your powered-down Hive Power becomes available to the hacker.

If you do not know how to reach your recovery partner or if it does not respond, you are in trouble. And after 30 days, it will be game over. You will have permanently lost your account!
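The three clocks above, turned into a small timeline calculator, as an added example that is not from the original post: given when the owner key changed (the moment the attacker took over) and when the attacker started a power down and a savings withdrawal, it reports how many days the recovery window has left and how much is already liquid. The dates and function names are constructed for illustration; the durations are the ones stated in the post.

```python
from datetime import datetime, timedelta
from typing import Optional

# Timings as stated in the post; these set the clock for both parties.
RECOVERY_WINDOW = timedelta(days=30)   # owner key change -> last day to recover
SAVINGS_DELAY = timedelta(days=3)      # savings withdrawal -> tokens liquid
POWER_DOWN_WEEKS = 13                  # one installment released per week


def exposure(owner_changed_at: datetime, now: datetime,
             power_down_started_at: Optional[datetime] = None,
             savings_withdraw_at: Optional[datetime] = None) -> dict:
    """What the attacker already has, and how long the recovery window has left."""
    remaining = owner_changed_at + RECOVERY_WINDOW - now
    recoverable = remaining > timedelta(0)
    days_left = remaining.days if recoverable else 0   # whole days remaining

    installments = 0
    if power_down_started_at is not None and now >= power_down_started_at:
        # First installment lands one week after the power down starts.
        weeks = (now - power_down_started_at).days // 7
        installments = min(POWER_DOWN_WEEKS, weeks)

    savings_liquid = (savings_withdraw_at is not None
                      and now >= savings_withdraw_at + SAVINGS_DELAY)

    return {
        "recoverable": recoverable,
        "days_left": days_left,
        "power_down_installments_paid": installments,
        "hive_power_exposed_fraction": installments / POWER_DOWN_WEEKS,
        "savings_liquid": savings_liquid,
    }


def example() -> tuple:
    """Constructed timeline: owner key changed on 1 May; the attacker started a
    power down and a savings withdrawal the same day. Checked on 20 May (still
    inside the window) and on 5 June (window closed)."""
    t0 = datetime(2021, 5, 1)
    on_may_20 = exposure(t0, datetime(2021, 5, 20), t0, t0)
    on_june_5 = exposure(t0, datetime(2021, 6, 5), t0, t0)
    return on_may_20, on_june_5


if __name__ == "__main__":
    for status in example():
        print(status)
```

On 20 May the savings are already liquid and two of thirteen power-down installments are gone, but eleven days of the recovery window remain; on 5 June the window is closed, whatever the partner does. That gap is the time you actually have to reach your recovery partner and convince them it is you.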

Conclusion

As you can now see, choosing or being a recovery account is something important to think about a bit, for both parties.

Choosing a recovery account

  • Pick someone around you who you trust, who can formally identify you.
  • Ask him for his agreement before making the change.
  • Your choice is not final. If your partner disappears or no longer deserves your trust, change your recovery account.
  • If you don't know who to choose, use @hive.recovery services.

Being a recovery account

  • Be aware of the responsibility you take.
  • If you agree to do so, set up an identification protocol.
  • Pay attention when the day you need to act comes. Scammers are cunning and clever.
  • Feel free to decline and tell your friend about @hive.recovery

The Hive Account Recovery Services allow you to avoid these thorny problems, so why not take advantage of them? For more information about it, read this post

I hope that this information and tips will help you better understand the Account Recovery process and its subtleties, and enable you to make the right choice.

Take mutual care of your accounts!

This post is translated into Spanish - here
A French version of this post is available - here


Check out my apps and services


Vote for me as a witness


Great article thanks. This is very useful. I have heard some people recommend using an alt account as a recovery account. Is that a good idea do you think?

Posted Using LeoFinance Beta

As long as you control this alt account and it stays safe and secure, that's an option.

I was about to ask this similar question then decided to first read the comments, thanks for this reply

We can therefore consider it was a good question 😉



How this all started with Toruk


Very good advice and this is such an important thing to consider as we take account ownership into our own hands. Thanks for bringing it to attention - have shared to hopefully help spread the word this side!

Keep up the great work @arcange

'Recovery' posts always get me clicking to open them :).

If anyone is interested in a tale (from last year) of how I almost lost control of this account but didn't ...phew, the link is below:
https://peakd.com/hive/@barge/hive-account-loss-and-recovery-a-personal-tale-unfolds-between-two-full-moons

Links to stories about recovering accounts always get me clicking to open them :) 😀
Glad you were able to recover your account.

LOL, thanks Arcange 😎

I took an alt account of mine and wrote 'his' keys down offline -jusTinCase-. His owner key shall never ever see the virtual world again if everything goes well.

If something were to happen to me, I'd like my funds to be burned forever. But there ain't no mechanisms for that, and maybe there also should not be one added. An expiration date for votes and delegations would be NEEDED on the other hand. Even if it's as long as 5 years, it seems proper to be handled somehow.

Thank you for your engagement on this post, you have received ENGAGE tokens.

Safest way to go.

Expiration for (witness) votes is coming with HF25.
We already talked about expiration for delegation. This should be implemented post-HF5 with automated actions.

PS: Why burn your funds when dying instead of giving them to a charity (or to me 😀)?

By nature, a death has to be testified by a 3rd party. That means it's critically important to never create an incentive structure around it - like never. It's a Pandora's box, don't open it.

cheers !BEER

!ENGAGE 50

I only trust one person here and he's my recovery account!

How lucky he is. Me feel untrusted 😿

Hahahaha so dramatic!!!! Loveeeee the cat emoji 😍

Wow, excellent post, very instructive, thanks for sharing.

Thanks @prm4031
In the meantime, my post has been translated into Spanish here

Thanks for this advice.

"Hey, my account just got hacked, can you help me get it back?"
I believe the last owner key is required to initiate an account recovery request. If the hacker has the old key, then only he would be able to create a request.

The last owner key is not required to initiate the recovery process but to confirm and finalize it.

Exposing oneself to as little risk vector as possible is desirable.

With simple wallet addresses, the problem can be easily fixed, or second wallet :D

This will help a lot of new users! Thanks for being with us!


!wine


Congratulations, @theguruasia You Successfully Shared 0.300 WINE With @arcange.
You Earned 0.300 WINE As Curation Reward.
You Utilized 3/3 Successful Calls.


Impressive :)

Impressed?

Cool
I never knew one could have a recovery account, and assign another to guard it as well in order to shut the scammers out here on Hive.
At least, I knew from Facebook that we can entrust two to three of our friends to help us get our account back in case of any compromise of any sort.
However, reading this today has made me realize that it doesn't just stop at finding someone to trust with this role; both of us have to find a way to be able to identify each other in order not to be scammed.
In that case, we need personal information, probably from a discussion we had, or from meeting physically.
And then, I have to take this seriously because it will take me and my partner up to 30 days to finally decide if my account will be handed over to me or if the scammer gets to keep it.
Thank you so much for the insight


I am delighted to have been able to provide you with more useful information on that topic.