"lose your password and you lose access to everything" - I'm sorry but this UX blunder just won't fly. If we are to have decentralized web we'll need services for key recovery.
I showed him a cryptographically secure method of having passwords (that keys are not derived from) that allows for password resets (without a server).
For a high-level conceptual explanation of this approach, see our 1 minute Cartoon Cryptography animated explainer series:
This same method can be used for doing Shamir Secret "recover your account based on your 3 best friends" method, which I believe will be the best UX for most users.
Nah, what if your friends conspire against you? A better idea, imo, is you have three physical keys. If you lose one, then you can use the other 2 in order to revoke it and generate a new one.
There are already multisignature services being developed with a third party being one of the holders. I'd have to read up again on how it works but it makes sense when you hear it.
I, and I suspect many other people, often have online profiles and existences and we simply don’t care about the government seeing it. Don’t get me wrong, I’d like a high security option for some things, but most of what I do online is frankly trivial nonsense. I’d be much more upset if I lost access to it forever than I would if some jackbooted thug decided to snoop around it. Why does everything need to be the digital equivalent of a Supermax prison? I want the full range from a guy on furlough to Hannibal Lector fullly restrained, mask and all.
If you’re only willing to offer me the “Lector” package, I’m going to pass.
I'm more concerned about criminals using such proposed credential recovery procedures to rob me. Thanks however for sharing your views about how we should all trust the government without question.
If public blockchains prevail then everything is already public and traceable to a single individual. Search wouldn't even be necessary. As long as financial gateways are tied into decentralized web, AML/KYC will prevent total anonymity so there is always room for forensic services.
this is more of a "using passwords" problem than a "decentralized web" problem. password recovery is a band-aid fix over the real password management problem. i think key-based capability security is the future, but it isn't possible without first moving away from passwords.
i think the UX for a completely keychain-centric auth/authz framework can be much better than what we have today with password managers. a master password + device-entangled PINs protecting per-app/agent keys drastically reduces the possibility of getting locked out of your account AND provides for master password reset by unlocking and re-encrypting your keychain using the local device-entangled key.
Mitra @ the Internet Archive, when integrating DWeb ( https://news.ycombinator.com/item?id=17685682 ) and I talked about this.
I showed him a cryptographically secure method of having passwords (that keys are not derived from) that allows for password resets (without a server).
For a high-level conceptual explanation of this approach, see our 1 minute Cartoon Cryptography animated explainer series:
http://gun.js.org/explainers/data/security.html
This same method can be used for doing Shamir Secret "recover your account based on your 3 best friends" method, which I believe will be the best UX for most users.
This is an already solved problem.