Account Recovery - About trusting and not being trusted


A few days ago, during the Hive Meetup organized by the Spanish-speaking community, I presented the Hive Account Recovery Services that I created.

During the ensuing Q&A session, someone asked the following question:

Is choosing @blocktrades or @arcange as our recovery account a good choice?

At first, I answered with a "Yes, that could be a good choice" and went on to qualify my answer: "Of course, you have to trust @blocktrades (which is true for me) or @arcange (which is also true for me)".

But later, I went back on my answer by saying "No, you should NOT do that!"

Why this change of mind?

It seems that at first, I let myself be carried away by my emotions and my personal experience. Let me explain.

You have to admit that when someone shows their trust in you and asks you to be their recovery account, it flatters your ego a bit. We also want to honor this trust and respond to it in the same way.

So I kinda hastily made the following transposition: this person trusts me, I trust @blocktrades, so they can also trust @blocktrades.

Yet I felt like I heard my little voice telling me "Hmmm, are you sure that's the right answer?".
At first, I imagined it whispering it because I didn't want to take on this responsibility and considered @hive.recovery to be a much better candidate. After all, that's why I created such a service and I had just introduced it to the audience.

It was only after a little while that I finally understood the reason for such reluctance.

The key factors of the recovery process

Fogged up by the bias described above, I had completely overlooked two important factors in choosing your recovery partner:

1. Reverse identification

Your recovery account must be able to formally identify you!

Take the case of @blocktrades and the fact that I could choose him as my Recovery Account.

Beyond trusting him to have the technical skills and be willing to help me recover my account if it were to be compromised, I also trust him that, if he should receive a request to recover my account, before executing such request:

  1. he will try to verify if it's me, @arcange, who is making the request.
  2. he has the ability to identify me without a doubt.

The above two lines must absolutely guide the choice of your Recovery Account!

Dan (@blocktrades) knows me personally. We met physically (meaning in the "real" world, don't be kinky 😜) and I can for example remind him of certain elements of conversation that we had together and that only the two of us know. I believe he will ask me other questions as well. Therefore, I know he will be able to identify me with certainty.

In the case of people asking the question during the meetup, I had no information about them: neither their name, where they lived, nor even what they looked like. Nothing.

2. Communication

Another point to which you must pay particular attention when choosing your partner: you must know how to contact him.

It is totally useless to choose someone you trust if you don't have their consent, if you don't know how to send them your account recovery request and if you are not sure that they will respond to you within a certain period of time (as short as possible).

Why are these key factors?

The best use case for hackers when they take full control of your account is to:

  • empty your wallet of its liquid tokens.
  • initiate a power down to get their hands on your Hive Power.
  • initiate a withdrawal from your savings to make your tokens liquid.
  • use your account to scam other users.

1. Reverse identification

Imagine that you are smart enough not to leak your password or keys, but that a hacker notices that you have just changed them. He could then contact your recovery account, pretend to be you and say "Hey, my account just got hacked, can you help me get it back?"

If your recovery account is not cautious and acts without due diligence, it could be the one handing control of your account to the hacker.

Identity theft is so easy to do these days. Reverse identification is a must, and any reliable recovery account holder should categorically refuse to initiate the recovery process if they are not able to identify the requester with 100% certainty!

This is what I expect from my recovery account in order to protect my account!

2. Communication

You must be able to communicate quickly with your recovery partner.

  • A withdrawal from your savings takes only 3 days.
  • You and your recovery partner only have 30 days to complete the recovery process.
  • Each week that passes, a 13th of your funds becomes available to the hacker.

If you do not know how to reach your recovery partner or if it does not respond, you are in trouble. And after 30 days, it will be game over. You will have permanently lost your account!
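The timing constraints listed above, worked through as an added example (not part of the original post). It uses only the three figures stated here; the sample balances are constructed, and it assumes the hacker starts every withdrawal on day 0 and that a completed recovery stops further losses.

```python
from dataclasses import dataclass
from typing import Optional

SAVINGS_DELAY_DAYS = 3      # post: a savings withdrawal takes 3 days
RECOVERY_WINDOW_DAYS = 30   # post: 30 days to complete the recovery
POWER_DOWN_WEEKS = 13       # post: a 13th of the funds is released each week


@dataclass
class Balances:             # constructed sample figures, not real data
    liquid: float
    savings: float
    powered_up: float


def exposed(b: Balances, day: int) -> float:
    """Funds a hacker could have moved `day` days after taking control,
    assuming every withdrawal was started on day 0."""
    total = b.liquid                              # liquid tokens go at once
    if day >= SAVINGS_DELAY_DAYS:
        total += b.savings                        # savings withdrawal matured
    weeks = min(day // 7, POWER_DOWN_WEEKS)       # completed power-down weeks
    total += b.powered_up * weeks / POWER_DOWN_WEEKS
    return total


def outcome(b: Balances, recovered_on_day: Optional[int]) -> dict:
    """Loss if recovery completes on the given day (None: it never does).
    Missing the 30-day window is counted as losing everything."""
    everything = b.liquid + b.savings + b.powered_up
    if recovered_on_day is None or recovered_on_day > RECOVERY_WINDOW_DAYS:
        return {"account_recovered": False, "lost": everything}
    return {"account_recovered": True, "lost": exposed(b, recovered_on_day)}


SAMPLE = Balances(liquid=100.0, savings=500.0, powered_up=1300.0)

if __name__ == "__main__":
    for day in (0, 2, 3, 7, 14, 30, 31):
        print(day, outcome(SAMPLE, day))
```

With the sample balances, a partner who answers within two days limits the loss to the liquid tokens, while one who answers on day 31 cannot help at all.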

Conclusion

As you can now see, choosing or being a recovery account is something important that deserves a bit of thought from both parties.

Choosing a recovery account

  • Pick someone around you whom you trust and who can formally identify you.
  • Ask him for his agreement before making the change.
  • Your choice is not final. If your partner disappears or no longer deserves your trust, change your recovery account.
  • If you don't know who to choose, use @hive.recovery services.

Being a recovery account

  • Be aware of the responsibility you take.
  • If you agree to do so, set up an identification protocol.
  • Pay attention when the day you need to act comes. Scammers are cunning and clever.
  • Feel free to decline and tell your friend about @hive.recovery.
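One possible shape for the "identification protocol" mentioned in the list above, as an added example that is not part of the original post or of any Hive service. It assumes the two parties agreed on a secret in person beforehand; the class, function names, time limit and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CHALLENGE_TTL = 600  # seconds a challenge stays valid (assumed value)


def respond(secret: bytes, nonce: bytes, account: str, new_owner_key: str) -> bytes:
    """Requester side: the answer is bound to the account and the new owner
    key, so it cannot be replayed for another account or another key."""
    # The nonce has a fixed length, so this concatenation is unambiguous.
    msg = nonce + account.encode() + b"\x00" + new_owner_key.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class RecoveryPartner:
    """Hypothetical bookkeeping kept by the recovery account holder."""

    def __init__(self) -> None:
        self.enrolled: Dict[str, bytes] = {}               # account -> secret
        self.pending: Dict[str, Tuple[bytes, float]] = {}  # account -> (nonce, issued)

    def enroll(self, account: str, secret: bytes) -> None:
        """Done once, in person, when agreeing to act as recovery account."""
        self.enrolled[account] = secret

    def challenge(self, account: str, now: Optional[float] = None) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[account] = (nonce, time.time() if now is None else now)
        return nonce

    def verify(self, account: str, new_owner_key: str, response: bytes,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        nonce, issued = self.pending.pop(account, (b"", 0.0))  # single use
        secret = self.enrolled.get(account)
        if not nonce or secret is None or now - issued > CHALLENGE_TTL:
            return False   # unknown account, no open challenge, or too old
        expected = respond(secret, nonce, account, new_owner_key)
        return hmac.compare_digest(expected, response)
```

The secret has to be stored apart from the Hive keys it protects; otherwise a single compromise exposes both, and the check proves nothing.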

The Hive Account Recovery Services allow you to avoid these thorny problems, so why not take advantage of them? For more information about it, read this post.

I hope that this information and tips will help you better understand the Account Recovery process and its subtleties, and enable you to make the right choice.

Take mutual care of your accounts!

This post is translated into Spanish - here
A French version of this post is available - here


37 comments

Bang, I did it again... I just rehived your post!
Week 49 of my contest just started...you can now check the winners of the previous week!


Very good advice and this is such an important thing to consider as we take account ownership into our own hands. Thanks for bringing it to attention - have shared to hopefully help spread the word this side!

Keep up the great work @arcange


Great article thanks. This is very useful. I have heard some people recommend using an alt account as a recovery account. Is that a good idea do you think?


As long as you control this alt account and it stays safe and secure, that's an option.


I was about to ask this similar question then decided to first read the comments, thanks for this reply.


We can therefore consider it was a good question 😉


"Hey, my account just got hacked, can you help me get it back?"
I believe the last owner key is required to initiate an account recovery request. If a hacker has the old key, then only he would be able to create a request.


The last owner key is not required to initiate the recovery process but to confirm and finalize it.


'Recovery' posts always get me clicking to open them :).

If anyone is interested in a tale (from last year) of how I almost lost control of this account but didn't ...phew, the link is below:
https://peakd.com/hive/@barge/hive-account-loss-and-recovery-a-personal-tale-unfolds-between-two-full-moons


Links to stories about recovering accounts always get me clicking to open them :) 😀
Glad you were able to recover your account.


LOL, thanks Arcange 😎


Wow, excellent post, very instructive, thanks for sharing.


Exposing oneself to as few risk vectors as possible is desirable.


With simple wallet addresses, the problem can be easily fixed, or second wallet :D


I only trust one person here and he's my recovery account!


How lucky he is. Me feel untrusted 😿


Hahahaha so dramatic!!!! Loveeeee the cat emoji 😍


I took an alt account of mine and wrote 'his' keys down offline -jusTinCase-. His owner key shall never ever see the virtual world again if everything goes well.

If something were to happen to me, I'd like my funds to be burned forever. But there ain't no mechanisms for that, and maybe there also should not be one added. An expiration date for votes and delegations would be NEEDED on the other hand. Even if it's as long as 5 years, it seems proper to be handled somehow.


Thank you for your engagement on this post, you have received ENGAGE tokens.


Safest way to go.

Expiration for (witness) votes is coming with HF25.
We already talked about expiration for delegation. This should be implemented post-HF5 with automated actions.

PS: Why burn your funds when dying instead of giving them to a charity (or to me 😀)?


By nature, a death has to be testified by a 3rd party. That means it's critically important to never create an incentive structure around it - like never. It's a Pandora's box, don't open it.


Cool
I have never known one can have a recovery account, and assign another to guard it as well in order to shut the scammers out here on Hive.
At least, I knew from Facebook that we can entrust two to three of our friends to help us get our account back in case of any compromise of any sort.
However, reading this today has made me realize that it doesn't just stop at finding someone to trust with this role; both of us have to find a way to be able to identify each other in order not to be scammed.
In that case, we need personal information, probably from a discussion we had, or from physically meeting.
And then, I have to take this seriously because it will take me and my partner up to 30 days to finally decide if my account will be handed over to me or if the scammer gets to keep it.
Thank you so much for the insight.


I am delighted to have been able to provide you with more useful information on that topic.
