Today we would like to introduce our innovative approach to securing user accounts. As far as we know, our solution is completely new in the cryptocurrency space and will raise the bar for security on all platforms. So before getting into our solution, let's give you some background on the nature of our security challenge.
A recent post by @karnal talks about how no browser-based wallet can ever be completely secure.
It is incredibly difficult for services like blockchain.info to keep user wallets secure, and they have a major advantage over steemit: they do not display user-generated content. The mere act of displaying user-generated content means we must filter said content for anything that could be reinterpreted by your browser as a request to send your passwords elsewhere. Filtering is very hard to perfect; something eventually gets through the cracks.
Recognizing what is Impossible
We recognize that it is impossible to prevent all browser side exploits. The reality is that there are too many factors that are completely outside the control of steemit. These factors include browser vulnerabilities, plugin vulnerabilities, phishing attacks, man-in-the-middle attacks, etc.
Some people suggest going to extreme measures such as hardware wallets and downloadable apps. The reality is that this approach to security is extremely costly and harmful to the user experience.
Steemit will do everything it can to give users the best possible options to secure their accounts. We also know that only 1% of users will actually use the best options. For most people, convenience trumps security.
I can put this into real-world terms. It is impossible to prevent someone from breaking into your house. You could spend millions of dollars on the most advanced security systems and people can still break in. Not only that, every extra security measure adds inconvenience to your life and requires constant vigilance. Even a nuclear power plant in Iran that was completely disconnected from the internet was hacked.
At some point the cost of preventing a break-in is higher than the cost of recovering from a break-in.
Attempting to do the impossible is bound to fail. Instead Steemit will take a new approach.
Recovering from Theft
You may not be able to keep thieves from breaking into your house, but at least you know you can get back in and change the locks. This is the approach that we are taking.
With Bitcoin and other cryptocurrencies a hacker breaks into your house and changes the locks. You are unable to get in without "hacking the hacker" and that is almost impossible for 99.999% of people to do.
With Steem all of this is going to change.
If your account gets stolen, then you will be able to work with Steemit, Inc (or someone else of your choosing) to recover your account. All you will need to do is have access to any key you used on your home in the past 30 days.
The thief got into your home because he got a copy of your key. From the blockchain's point of view there is no difference between you and the thief. From the outside world's point of view there is a huge difference.
In my previous post I challenged the concept that "Key is Law". I made the point that for blockchains to protect property rights they need to factor real identity rather than just evidence of identity. Your password (aka private key) is just evidence. It is not absolute proof. The mistake blockchains make is to assume that it is proof.
How it Works
When an account is hacked there are two or more competing claims of ownership because multiple parties may have access to the password. The blockchain simply needs a way to break the tie and pick one claim over another. This requires three things:
- Time to respond
- Notification of a key change
- A trusted individual to vouch for you
If there is no time period during which key changes can be challenged, then the first person to change the lock wins. The more time you have to respond, the less chance that someone will get away.
If you are not paying attention then all the time in the world will not be of use. You need to be notified every time the key changes on your house. This notification gives you the most time to find a trusted individual who will vouch for you.
A Trusted Individual
A trusted individual is someone who can identify you independently of your key. Steemit can identify users by their email, Facebook, and Reddit logins (if you signed up through us). You could also use your mother, wife, employer, friend, or another third-party provider.
When you notice your account has been hacked you contact your account recovery partner (the trusted individual) and ask them to submit a request to change the locks on your account. They verify you by whatever means they find satisfactory and then submit a proposal to the blockchain to change the locks to the ones you gave them.
Once the proposal is submitted to the blockchain, you will have 24 hours to log in with both your old and new keys (aka passwords). Any key you used within the past 30 days is sufficient. If you log in in time, then the keys will be changed and the hacker will be locked out.
If you don't have a key that was used within the past 30 days, then your account will be unrecoverable.
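The recovery flow described above, modeled as a small state machine. This is an added sketch, not Steem's blockchain code: the `Account` class, its method names and the string "keys" are hypothetical stand-ins for signed operations, and time is a simulated clock in seconds.

```python
# Toy model of the recovery flow described above (not Steem's actual code).
# Keys are plain strings; times are seconds on a simulated clock.
from dataclasses import dataclass, field

DAY = 86_400
REQUEST_TTL = 1 * DAY        # owner has 24 hours to confirm a proposal
KEY_HISTORY = 30 * DAY       # an old key counts if it was in use this recently

@dataclass
class Account:
    owner_key: str
    partner: str                                   # recovery partner's name
    retired: list = field(default_factory=list)    # (key, time it was replaced)
    request: tuple = None                          # (new_key, expires_at)

    def change_key(self, signer_key, new_key, now):
        """Ordinary key change: whoever holds the current key may do it."""
        if signer_key != self.owner_key:
            raise PermissionError("not the current key")
        self.retired.append((self.owner_key, now))
        self.owner_key = new_key

    def request_recovery(self, partner, new_key, now):
        """Only the registered partner may propose a new key."""
        if partner != self.partner:
            raise PermissionError("not the recovery partner")
        self.request = (new_key, now + REQUEST_TTL)

    def recently_valid(self, key, now):
        return key == self.owner_key or any(
            k == key and now - t <= KEY_HISTORY for k, t in self.retired)

    def recover(self, old_key, new_key, now):
        """Owner proves knowledge of a recent key AND the proposed new key."""
        if self.request is None or now > self.request[1]:
            raise TimeoutError("no live recovery request")
        if new_key != self.request[0]:
            raise PermissionError("new key does not match the proposal")
        if not self.recently_valid(old_key, now):
            raise PermissionError("old key not used in the past 30 days")
        self.retired.append((self.owner_key, now))
        self.owner_key, self.request = new_key, None

def demo():
    acct = Account(owner_key="alice-k1", partner="steemit")
    acct.change_key("alice-k1", "thief-k", now=0)        # thief changes the locks
    acct.request_recovery("steemit", "alice-k2", now=2 * DAY)
    acct.recover("alice-k1", "alice-k2", now=2 * DAY + 3600)
    return acct.owner_key
```

In this model the thief's key also counts as "recent" after recovery, but it is useless on its own: without the recovery partner's proposal, `recover` has nothing to confirm.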
Why it is Secure
This process is strictly more secure than what any cryptocurrency offers today. Your trusted account recovery partner does not have access to your account because they do not have access to any of your keys. This means that your account is secure unless you are hacked by your account recovery partner. Because you know who your account recovery partner is, there is little chance they could hack you and get away with it.
What if your Recovery Partner is Hacked too?
In this case, they would simply appeal to their own account recovery partner. Once they recover their account, then they can work with you to recover your account. It is exponentially unlikely that the hacker can compromise all accounts in a very long chain of recovery partners.
Changing your Partner
At any time the owner of an account can request a change to their recovery partner. After a 30-day wait (during which the change can be challenged), the recovery partner is updated. This means that if you buy an account from someone, then you can rest assured that they cannot take it back. It also means that if you don't like your current partner then you can change it. The recovery partner has no say over the process.
Selling / Transferring Accounts
Under this system it is still possible to transfer accounts. You must either notify your recovery partner of the change or change the recovery partner. Transfers can be instant if you both trust the recovery partner, or they can take 30 days if you don't trust the recovery partner.
Keeping the Horses in the Barn
When a thief breaks into your house he can still do a lot of damage while you are getting the locks changed. Any cash you have lying around can be taken. You may get your house back, but the cash is still long gone.
Enter Steem Power
90% or more of all wealth in Steem is held in the form of Steem Power. This means that even if the thief gets into your house, he must wait for the time-lock safe to unlock before he can get to your cash. As long as you get your account recovered before your account can power down (1 week) then 99% of your Steem Power will be safe.
Now that we have a rock-solid account recovery process, we will add features for people to hold STEEM and Steem Dollars in time-locked "savings" accounts. These "savings" accounts would add a multi-day delay to any transfer request. If your account is hacked, then you will have a few days before your "savings" is at risk.
Steemit has created a solution to account security that is completely decentralized and based upon real-world identity rather than the poor substitute of a single private key. The entire social network collectively secures and identifies each other. It does all of this without introducing an increased level of trust or requiring a centralized provider.
Under this model it should be completely unnecessary to hardfork in response to a hack. Any money that does get lost will be small amounts of liquid cash held outside of Steem Power or the time-locked savings accounts.
Due to these extra measures, Steemit can continue to provide a web-based interface even though keys will get stolen from time to time. What won't get stolen is account identity and that makes all the difference in the world.