Add recovery kit #91

Closed
bgins opened this issue Nov 15, 2022 · 9 comments
Labels
design support enhancement New feature or request

Comments

@bgins
Member

bgins commented Nov 15, 2022

Summary

Problem

Users cannot recover their filesystem without a copy of their read key.

Impact

A user could irrevocably lose the private data they have stored in WNFS.

Solution

Create an account recovery kit that includes:

  • Username (to look up their filesystem)
  • Read key (to decrypt their filesystem root)

The user should be able to download a recovery kit for safe keeping and later upload it to recover their filesystem.

Most likely the recovery kit should be a text file for ease of creation and parsing.

The existing account recovery flow has some prior art: https://guide.fission.codes/accounts/account-signup/account-recovery. This flow uses a recovery kit as text file which might be a good starting point.

@depatchedmode

Most likely the recovery kit should be a text file for ease of creation and parsing.

Out of curiosity, have other options been proposed?

@avivash
Member

avivash commented Nov 18, 2022

Most likely the recovery kit should be a text file for ease of creation and parsing.

Out of curiosity, have other options been proposed?

We haven't proposed other options yet. I think the text file idea came from the thought that it was the easiest solution in terms of simple download/upload/parsing (though I guess the question is: is it easier for us or the users? 😅). I kind of like this approach too, where you just tell the user to save the values to their password manager (though having a download as an additional option seems like it may be a good idea): https://dribbble.com/shots/18325312-Password-Recovery?showSimilarShots=true&_=1668801048112

(attached video: original-c1481f415788ad288c3b3c830baf4ac0.mp4)

@bgins
Member Author

bgins commented Nov 18, 2022

I kind of like this approach too, where you just tell the user to save the values to their password manager (though having a download as an additional option seems like it may be a good idea): https://dribbble.com/shots/18325312-Password-Recovery?showSimilarShots=true&_=1668801048112

Oh yeah, that's a neat approach. It would be interesting to know if there are any stats on how widely used password managers are. I've heard that it's mostly tech-inclined people that use them, but that might be wrong.

@avivash
Member

avivash commented Nov 18, 2022

I kind of like this approach too, where you just tell the user to save the values to their password manager (though having a download as an additional option seems like it may be a good idea): https://dribbble.com/shots/18325312-Password-Recovery?showSimilarShots=true&_=1668801048112

Oh yeah, that's a neat approach. It would be interesting to know if there are any stats on how widely used password managers are. I've heard that it's mostly tech-inclined people that use them, but that might be wrong.

Yeah, based on my experience, most less technical people don't really use password managers. Ryan and I also floated the idea of adding buttons from various storage providers, such as Save to iCloud and Save to Google Drive. 1Pass also has a Save to 1Pass button we can use. I'm sure other password managers have some ready-to-go buttons too 👍🏼

@depatchedmode

I've heard that it's mostly tech-inclined people that use them, but that might be wrong.

Herein lies the problem. I don't want to blow scope wide open on this initial port from Fission Dashboard -> Webnative Application Template, but I suspect non-technical people will struggle to do the right thing with the recovery kit as a text file.

@bgins
Member Author

bgins commented Nov 21, 2022

Herein lies the problem. I don't want to blow scope wide open on this initial port from Fission Dashboard -> Webnative Application Template, but I suspect non-technical people will struggle to do the right thing with the recovery kit as a text file.

Our goal is to ship this by early January, so we have a bit of time to consider alternatives. This piece shouldn't block the overall filesystem recovery work.

Is the concern that the recovery kit is a text file or a file in general? Would a PDF or some other file format be better?

What are some alternatives to a recovery kit file?

@depatchedmode

depatchedmode commented Nov 21, 2022

@bgins File in general.

The core issue is asking the user to "put it somewhere safe." Or any variation of that. This tweet best summarizes the root of my concern: https://twitter.com/ourielohayon/status/1594348286231592961

(attached image)

My guess: most folks will just leave the file in their downloads folder, unsure what else to do. Some will move the kit to another folder, unaware it's local to the very device they want to protect against the loss of. Some folks may back it up in the cloud (securely or not), or e-mail the file to themselves. Some may store it in a password manager like 1Password. Or print it out. Or write it out on paper by hand.

Which one of these, if any, is appropriately safe? The answer depends on a lot of things—about the app, the data it produces, and the person using it.

If you do the wrong thing with your recovery kit, your file system could be at greater risk and still effectively unrecoverable, i.e. doing nothing would have been better.

By no means a simple problem. Might even be a wicked problem. Responsible key management arguably lies outside the scope of Webnative itself, even though we must design for it.

TLDR: A downloadable recovery kit seems like a reasonable option for people with advanced OpSec. Unsure what a sensible default is for normies; will require iteration and testing. A "Save to 1Password" button might be the best place to start investigating.

@jeffgca
Contributor

jeffgca commented Dec 13, 2022

We discussed this today and concluded that:

  1. it feels incomplete / a devex problem that WAT does not allow for account recovery out of the box.
  2. at the same time, a conventional account recovery loop requires eg an email confirmation loop.

@depatchedmode there's sort of an existential issue in here that I think is fundamentally a security / design issue that we need to talk through. Perhaps this is all neatly solved by passkeys + extra webnative elf magic.

@depatchedmode

@therealjeffg Agreed. Sharing another example from 1Password's recovery flow, as additional evidence of the scale of this problem.

(attached image)

@bgins bgins closed this as completed Jan 9, 2023