EOS42 - Opt-in Account Recovery
Written by EOS42 Team
Scalable Solution for Account Recovery
How to effectively address the issue of hacked accounts on a public blockchain is riddled philosophical contradiction. One of the core advantages of a public blockchain is immutability and censorship resistance — code is law, and data on blockchains is “immune” to human intervention. Introducing mechanisms that give users recourse in the event of hacked accounts requires intervention.
Finding a scalable middle ground between these two philosophical positions will be crucial for mass adoption. Users will be perpetually deterred from a system whereby their private key is the only claim to ownership. Therefore, we propose a scalable, cost effective, opt-in solution, that will address a large number of cases in which accounts have been hacked.
The EOS community will have access to an opt-in process that can be used in the event their account is hacked. Users can provide their identifying information, which is then converted to a SHA256 Hash, and the transaction is submitted to a smart contract through Scatter (or other wallets), to add the account name/hash to a table.
Note: All Identifying information would be obfuscated, and thus unreadable until the event that a user initiated the account recovery process. The degree of personal information disclosed to BPs in the event a user triggers a recovery process can be customized. Therefore, users could theoretically recover their funds, without ever having to reveal their identity to anyone but the KYC provider.
Very easy for a user to protect their account through an opt-in system.
Very quick account recovery — reduces chances that funds are stolen
Approval process for users who have completed KYC protocol after losing their account can be automated
A public website will have two options.
Set up account protection
Recovering a hacked account
Setting Up Recovery Protections
Users can set up recovery protections with an opt-in process, by selecting an account they want to protect. Then users can provide identifying information.
User goes to the website, and chooses “Set up account protection”
User fills out a form with the details of their passport, and other information.
Date of Birth
The information is converted to a SHA256 Hash, and a transaction is submitted to a smart contract through Scatter to add the account name and hash to a table.
All of this is free.
Recover Hacked Account
If the user’s account is hacked, then they go back to the website, and execute the following process:
Choose “Recover a hacked account”
Enter the account name that is hacked.
Enter the new public key(s) that they want to have
Enter into a form their details from their passport.
The hash of this information is checked against the smart contract for a match, if there is a match, then proceed to next step.
They are then linked to one of multiple external KYC providers, who verifies the user is who they say they are on their passport.
They will have to pay a fee at this stage. BPs can choose if the fee is just enough to cover the KYC costs, or it could also be some fraction of the account funds, which we then keep for maintenance of the system.
The KYC provider accepts the proof, and the BPs are informed.
We have a automated process to propose a key change using eosio.wrap, and then it is just up to the BPs to sign it.
Any BP can choose to auto-sign the proposal if they trust the KYC provider, otherwise they can manually approve.
Note: In the above example, a passport is used as an official document, however other documentation may be acceptable depending on the KYC provider.
This solution is opt-in, scales, is cheap, and can be very efficient.
The contract is already built and being tested, we will support the community building a website and integrating KYC with the BPs.