A small dive into EOS: First up, why is there no Account Recovery System?

in #eos, 5 years ago

As many of you may know, I bought some EOS back in the 2017 token distribution. Since then I've been keeping a watching brief on the project. I've commented on its messy birth. I've been watching the development of applications (primarily gambling ones) and the emergence of 'sister' chains from afar. However, last week I really took some time to get my hands dirty in EOS... it's been an eye-opening experience.


From Hacks to Real Life Apps

Before a couple of weeks ago, when I thought of EOS, my overriding impression was hackathons and governance. Not exactly the stuff to get you leaping out of bed in the morning!

While politics and governance stimulate the intellectuals in the space, they really do little for user adoption. Adoption is usually predicated on a simple principle: does what you're offering make the user's life easier or more enjoyable?

For that we need to look to the actual applications built on EOS. To my pleasant surprise, there is a lot of cool innovation happening on the application front in EOS. It isn't just hackathons. There are real applications, generating real money, with real use cases that embrace the ethos of users, stakeholders and product creators having aligned incentives.

I will write my view of the first generation of EOS applications in other posts; however, the first thing to note about EOS before getting into anything else is key management.

Anyone looking to get involved in EOS in 2019 really needs to take the time to understand key management thoroughly.

Steem's Account Recovery safety net

In many ways Steem has spoiled DPoS users. Interfaces like Steemit, Steem Connect and Steem Keychain have really made key management as simple as it can be for users.

In my view the reason why these interfaces work is that the Steem blockchain has a dual safety net in the form of the Account Recovery System and Steem Power. These features mean that if the worst happens and an account gets compromised, the damage a hacker can do is limited.

Given Dan Larimer's history with the Steem Account Recovery System, I'm somewhat surprised that it wasn't implemented in EOS.

Double-edged simplicity

At present it is stupidly easy to lose ownership of your account on EOS. That is because there are two vectors of attack.

The first is that someone can take over your account (in seconds) by gaining access to your private keys. Most people know this, so keep those nice and safe.

However, a hacker can also take over your account if they gain access to your wallet and that wallet holds your owner permission. They don't need to steal your private keys: the wallet signs for them, and they can simply change the keys that control the account.

It's a double-edged sword, because the simplicity with which I could change my owner and active keys in EOS was really useful when it came to securing my genesis account and creating separate keys for my active and owner permissions.

Once I got the hang of it, I was creating new accounts, sub-accounts, delegating between accounts in no time. All this is great fun for the geek in me. It was fast and simple and convenient on EOS.

And there is the rub... it was too fast... too simple... too convenient... and most importantly, too permanent! If you don't fully understand the difference between owner and active keys/permissions, you don't need your private keys to do irreversible damage and render your highly guarded private keys completely irrelevant. Yes, the interfaces give you warnings, but one slip and you can easily lose access to your account. Permanently.

Everyday access to lose it all

This is compounded by the fact that people will be using their accounts to access all kinds of applications, in all kinds of situations. Leave an app running on your computer while you go off to the restroom, and by the time you come back you could have lost complete access to your funds... if you don't understand the difference between active and owner keys/permissions.

I was okay as I was playing primarily with active keys. However, for users new to crypto, the convenience with which both active and owner keys can be permanently changed becomes a vulnerability. Indeed, it was this attack vector that caught out many during the recent Telos scam, where a phishing site pretending to be the Telos Foundation website duped people into handing over control of their EOS accounts.

I'm sure many users thought that because their private keys were offline they were immune from hackers, or at least that they'd have the ability to stop a hack as long as their coins were staked. However, this is not the case. If a hacker changes the keys that control your account (or dupes you into changing them) you're shit out of luck. Sorry.

This is why, before anything else, if I'm talking about EOS, I'm talking about key management.

In particular... don't store your owner permission in any wallet.

It is boring. It is unsexy. Yet it is crucial to get a handle on.

If you take nothing else from this post, take away this:

Keep your private keys safe and offline.

Don't store your owner permission in any wallet.

Use your active permission for everyday activity.

Improving User-friendliness

There is an alternative to this dull introduction to the exciting blockchain space that is EOS. That is to learn the lessons of Steem and introduce an Account Recovery System for EOS.

What the Steem Account Recovery System allows for is a cool off period if your owner key is compromised. You can read the article by Dan for the specifics of how it works.

Not only does Account Recovery give peace of mind to regular users, it acts as a deterrent to hackers. Yes, should they gain access to your account they can make off with any crypto assets that are liquid. However, as long as you are monitoring your staked tokens, you should be able to take action to keep them staked.
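To make the two points above concrete, here is a small Python model I have added for this post (it is not code from the post, nor from EOS or Steem): a wallet holding only the active key cannot rewrite the owner permission, a wallet holding the owner key can, and a Steem-style recovery window lets the designated recovery account plus a recently valid owner key undo that change. The 30-day window, the key strings and the account names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

RECOVERY_WINDOW_DAYS = 30  # assumed cool-off length for this model


class AuthError(Exception):
    """Raised when the signing key is not allowed to perform the change."""


@dataclass
class Account:
    owner: str                               # key behind the owner permission
    active: str                              # key behind the active permission
    recovery_account: Optional[str] = None   # Steem-style designated recoverer
    owner_history: list = field(default_factory=list)  # (day, old owner key)


def update_auth(acct: Account, permission: str, new_key: str,
                signer: str, day: int = 0, recovery_enabled: bool = False) -> None:
    """Model of an updateauth-style key change.

    `signer` is the key the wallet actually holds. The active permission can be
    rewritten by the active key or by its parent, the owner key; the owner
    permission only by the owner key. So an app or wallet given only the active
    key can never lock the real owner out, while one given the owner key can.
    """
    if permission == "active" and signer in (acct.active, acct.owner):
        acct.active = new_key
    elif permission == "owner" and signer == acct.owner:
        if recovery_enabled:                 # remember the old key for the cool-off
            acct.owner_history.append((day, acct.owner))
        acct.owner = new_key
    else:
        raise AuthError(f"key {signer!r} may not change the {permission} permission")


def recover(acct: Account, by: str, old_owner_key: str, new_key: str, day: int) -> None:
    """Steem-style recovery: the designated recovery account approves, and the
    user proves control of an owner key that was valid within the cool-off
    window. The recovery account alone cannot take the account, and once the
    window has passed the key change is final."""
    if by != acct.recovery_account:
        raise AuthError("only the designated recovery account may approve recovery")
    if not any(k == old_owner_key and day - d <= RECOVERY_WINDOW_DAYS
               for d, k in acct.owner_history):
        raise AuthError("no previous owner key proven within the cool-off window")
    acct.owner_history.append((day, acct.owner))
    acct.owner = new_key
```

The EOS case is the model with `recovery_enabled=False`: once the owner key is rewritten there is no history to recover from.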

Ownership transfer hiccup

The only drawback of having Account Recovery is that it makes the transfer of account ownership more drawn out. A buyer of an account will need to wait for the cool-off period to elapse before they can be completely satisfied that the seller cannot renege on the account sale.

However, the selling of accounts is such an edge case that it shouldn't be a barrier to EOS implementing Account Recovery.

Focusing on what users need

Given all the chatter about ECAF and arbitration, I would have thought Account Recovery would be a practical measure that would actually benefit regular users that BPs and intellectuals on EOS could sink their teeth into!

There is a lot more to say on EOS key management, particularly as it pertains to claiming airdrop/sharedrop tokens; however, this is enough for now.

What do you think? Does STEEM have the balance right in terms of Account Recovery? Have EOS missed a trick? Let me know.


Yes, this is timely. I transferred some eos tokens (previously erc20) from exodus to a simpleos wallet and haven't revisited in a few months. God knows what the login was.... 😬? Luckily there wasn't much in there as I was testing it but there is definitely a lesson here...

Posted using Partiko Android

Hi Nanzo
This is a very impressive and well written article.
I must admit to not knowing much about EOS, but this article was a great primer and more importantly was full of very useful account saving information.
Thank you!

I'm in two minds about whether steem should lose the account recovery system..

It seems well set up to just keep my master key stored offline and relatively easy to just use my posting key for, well... posting, which is what I store in my browser, and then the occasional use of my active key for transactions which I keep in an obscurely named doc on my main pc.

However I don't have a fire proof safe so my physical offline storage is at risk, and the majority of people don't have these and don't understand the importance of not using master keys to sign in (I only 'got this' a few months ago following a chance conversation with @coruscate).

Then there's this dilemma - mass adoption and retention are more likely with an account recovery system, but if steem inc is going to wither away and steem become truly decentralised then who do we trust to recover hacked accounts?

Posted using Partiko Android

The beauty of the Steem Account Recovery system is that you decide who the Recovery Account is. It could be a friend or relative or just another account that you control.

The Recovery Account cannot tamper with your account without access to your private keys.

I like it. As we have the ability to lock up funds, on Steem and EOS it makes sense to have a disaster recovery mechanism should the account get compromised. Who wants to be the guy that gets hacked and has 13 weeks to watch someone slowly siphon funds out of their account?

Interesting thoughts. This is the first time I’m hearing about the account recovery system of Steem, and dozens of questions are popping up in my head.

For starters, who ensures that the person I have chosen for my recovery is not compromised in the first place? Isn’t that a way around to getting hands on your account?
Another is that, when one makes use of the account recovery, does it involve application specific recovery like Steemit or dtube and the rest, or is it recovering your identity in the base layer blockchain?

I apologize in advance if these questions seem too silly, I'm just hearing about it from you.
Thanks.

Great info @nanzo-scoop

Posted using Partiko iOS

Crypto for the most part is 'manage it yourself'. Lose the keys or passwords, and your currency is trapped forever. This is what the average man in the street struggles with and why a more broad acceptance may be delayed.

To have this account recovery on our blockchain to me is a bonus. I really wouldn't expect it anywhere else and really.. is it that bad? We have all got to learn to be responsible as our own bank manager.

I agree to an extent, particularly when it comes to the currency applications of crypto. However if crypto is to make the cross over to mainstream and a myriad of different apps, a robust means of recovering an account that doesn't compromise the integrity of the blockchain, seems sensible to me.

I think an important distinction to make between STEEM and EOS is that most users who interact with STEEM do so via the Steemit / Busy application. Steemit takes care of the permissions to perform tasks on the STEEM blockchain.

EOS however is like an operating system where multiple apps are built on and a user needs to take care of her/his permissions themselves. For inexperienced users it is therefore easy to make a "mistake" and give owner instead of active permissions to the app they want to interact with.

So Steemit is definitely more secure for all kinds of users simply because it handles the permissions part internally while with EOS you have more control but also greater risk if you are not careful.

Ahh this cleared a lot of my questions about the recovery mechanism. Thanks.

Posted using Partiko iOS

For all the flak that Steem & Steemit specifically gets/has gotten... both the blockchain and the dapp have done a pretty great job overall imo. The dual fail safes, the fact that both have worked for approx. 3yrs straight with minimal interruptions, hardforks without splitting etc... among a whole plethora of other valuable features. It's amazing that it's not more respected in the crypto idiom & valued for the sheer amount of useful transactions it can accomplish, low cost and fast.

I believe Steem got a lot right. It’s not a perfect system but currently it’s way further along and proven than soooo many other projects!!

It's very important to be aware of the keys here, and phishing attempts have been on the rise again and again over time.

Steem should also introduce 2FA, sms or Pin features for more security.

If there was a petition for this, I would definitely sign it. Steemit is pretty secure in itself, but one can never be too careful. Security is really important.

Posted using Partiko iOS

Thank you for this great article. Thank you for addressing several important points such as Ownership transfer hiccup and Focusing on what users need.
@nanzo-scoop supports #steem.