
What Account Recovery is

And what it is not

‘Account recovery’ is how a user authenticates to a service when they are otherwise locked out - i.e. when the normal username/password combination no longer gets them in, whether because the password has been forgotten, the second-factor device has been lost, or the account has been tampered with.

‘Account recovery’ then, is not how you log in to the service on a day-to-day basis. In fact, if users are using the ‘account recovery’ route preferentially, then the service provider needs to take a long hard look at their systems.

Account recovery should instead be designed for infrequent use. It can afford to be slightly more difficult to complete, but it must be thorough, giving as close to a 100% guarantee as possible that the person recovering the account is its rightful owner. Lower frequency, higher importance.

The forgot-your-password button is usually the first of many steps towards a successfully recovered account. There are a number of different options for what happens next. Since account recovery is just another form of authentication, it must still rely on the same factors as a normal login. To authenticate to a service you can use some or all of the following:

  • 1FA, passwords (something you know)
  • 2FA, devices (something you have)
  • 3FA, biometrics (something you are)
  • 4FA, contacts (someone you know)

What you shouldn’t do is pretend that a secure channel exists and leverage any of the following:

  • Email
  • Phone
  • Post (yes, some archaic services still send letters in the post with secret codes)

None of these channels is a factor in its own right; each is merely a path a secret travels along, and any of them can be redirected or taken over by an attacker. A compromised mailbox receives the reset link, a SIM swap receives the SMS code, and an attacker who has already changed the email address on file to one they control receives the reset by design.

Another thing you shouldn’t do is outsource recovery of accounts on your service to accounts on another service:

  • Email (let’s face it, most people use hosted email on account-based services)
  • Phone
  • Password Manager
  • Single Sign On identity provider (e.g. login/recover with Apple/Google/Facebook/etc.)

At Sharehold, we’re interested in solving the account recovery problem, not shuffling it around or washing our hands of it. We’re doing so with strong 4FA - where a user can select their own personal recovery team at their discretion.

Most organisations already have a weak version of 4FA in place: the contacts in that case are the organisation’s own support representatives. If you can convince a representative that you are the rightful owner of an account, they can let you back in. This is of course open to social engineering attacks, since a single persuaded agent is enough.

There are certain types of service that this cannot apply to. Decentralised systems fundamentally have no human representatives to convince, and some centralised services employing a zero-knowledge architecture cannot restore access to a given account (or at least not to the data stored there, or at least not in plaintext), because the service never held the key that protects it.

Some organisations are trying to incorporate a version of 4FA account recovery into their own ecosystems - look at Apple and Facebook, for example. The consumer will lose in this case as they will have to manage multiple recovery teams across all of the services they use.

What will the world look like with widespread strong 4FA and recoverable accounts? Look at other safety features across society and what they unlock and how you can push the limits just knowing that they are available (faster driving with seatbelts, heavier squats with racks and/or spotter, etc.). Let’s push the limits of a safer internet with 4FA.

Brian Manning