Comment by mwattsun
4 years ago
I'm reading this with an open mind, but I have questions:
> Problem #1: Owning Your Own Digital Identity & Fixing Authentication
My very technical friends who are security minded are on keybase.io. Multiple usernames and passwords across the internet is solved in various ways without blockchain. There are a lot of good password managers (I use and encrypted text file.) I don't feel Google owns my identity because I use their authentication system, so unless I'm missing something, I don't see a problem.
> enables advanced features like social recovery, which lets you recover your account if you lose your key via a smart contract that takes votes from guardians (friends or paid services).
> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked
Alone the audacity to think a single point of failure without any chance of recovery is a good idea for persona management in the real world is insane.
This is one of those things that has been an absolutely terrible thing for Apple over the years. People would forget their passwords on their phones or their iCloud account and lose access to everything. And there was nothing Apple could do to help them. So the poor people at the Apple Store just had to tell someone that the last pictures of their dead mom are gone forever.
Apple finally implemented a solution in iOS 15 (15.1?). You can designate people you trust to be able to help recover your account. Like your spouse or a sibling. If they don’t have full access, they can just help recover it.
You are 100% right. A single point of failure without any chance of recovery is a complete disaster for normal users.
> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
Facebook already has this functionality and it's an absolutely massive pain if you're somehow not on their happy path. With no real way to figure out what the issue is and get it fixed or on the happy path.
Social recovery wallets usually use an m of n system where you don't need all keys to recover your wallet but a subset. For example, 9 total keys and any 5 needed to recover your wallet.
Let's say you give a key to a business and that business gets hacked. That's fine because a single key can't steal your wallet and you have 8 keys left. You can even invalidate the keys and generate 9 new ones.
> This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked
You could give keys to two businesses / people and require them both to agree before they can "unlock" the account. You could also add a timelock, so you have time to respond if they get hacked or collude against you.
These aren't really new ideas and exist in existing, non-crypto social recovery schemes.