The other key (Key B) is sent to Edge servers along with the encrypted questions and hashed answers. Key A is also used to encrypt their chosen questions and hash their answers. When a user emails themselves the recovery link we talked about earlier, they are sending themselves one of the keys (Key A). How is this accomplished?Īs mentioned above, we utilize a split key mechanism, which splits up a second decryption password into two separate keys which on their own are useless but when combined will allow a user access to their account. After providing the right answers, they will be logged back into their account and are able to reset their password. In the event a user forgets their password, tapping on the link in their email will take the user to their questions. NOTE: this link never goes to Edge and is managed by the user. The user then sends an email to themselves that includes a special recovery link. Our Password Recovery requires the user to choose two questions and provide their unique answers. Inspired by the multi-signature capabilities of bitcoin and other cryptocurrencies, we implemented a split-key recovery mechanism which is both familiar and forgiving. This required us to devise a unique method of password recovery that didn’t require us to have full access to user data and keys. If we knew user passwords it would allow us to access user funds. This isn’t a traditional password recovery in that we don’t know user passwords or emails and can’t send users a link to change the password in case they forget. One of those fail-safes users can set up is Password Recovery. Our architecture keeps the user in control and offers tools to help users secure their account with some fail-safes for adverse events and a support team to help with any questions or issues. This puts some responsibility on users to remember their account information. There are also multiple warnings that the password is known only to you and that Edge cannot see or reset it. During the account creation process, Edge never asks for your name, phone number, email or any personal information that ties your identity to an account. As Edge does not have access to users’ credentials, it also cannot access user funds and does not maintain any information about its users. We’ve kept some of the same usability patterns of traditional applications intact, and apply them in a new way for a new type of application: a mobile cryptocurrency wallet.Ī strong cryptographic hash of users’ password is used to encrypt all account and wallet information, including private keys. Here at Edge we use a username, password, and 2FA combo for wallet creation, encryption, and backup.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |