At first glance, account recovery might seem like a simple topic: write a password-reset function, send a challenge code, and you're done!
But Fission's commitment to prioritizing user control makes things a little more complicated. When the user is in control, how do we help them get back into their data if they get locked out? The main relevant factors are:
- We've designed our account system around portable account identifiers, called Decentralized Identifiers (DIDs)
- Your account holds encryption keys that keep your private content encrypted and private only to you — even the Fission platform doesn’t have access and can’t see your content.
- We wanted an account recovery system that is as trust-minimized as possible: you don't have to trust us, and you depend on as few third-party systems as possible to get back in if you lose account access.
Oh, and one more thing: we wanted to do all of this without passwords.
At Fission, being password-free is the default. Instead, we use a capability built into modern browsers, including mobile browsers, that generates a private key and keeps it in the browser's own key store, where it can be used but never exported. This is the Web Crypto API.
By the way, if you haven’t tried this yet, head over to the default Fission Drive app and create a new Fission account. Notice that it asks you for a unique username and an email address, but it doesn’t ask you for a password.
To use your account on other devices — like your desktop browser, tablet, or phone — you get access by creating a key on your new device and linking it to another device that already has permission.
Now the private keys held by the browsers on all your devices have permission to access your account and all of your encrypted personal data, without your ever setting up or having to remember a password.
Apple is known for providing users with end-to-end encryption that keeps everyone, including Apple, out of any personal information. Fission is taking the same approach.
What about lost devices?
But what happens if you lose all your devices? Can you still get access to the encrypted content stored and synced online by your Fission account? Right now, the answer is no. We don't have a copy of your key, and the Web Crypto API is deliberately designed so that a key generated as non-extractable can't be exported, by us or by anyone else. If you lose access to all your devices, how can you recover your encrypted content? This is where Account Recovery comes in.
One of the design goals we have with Fission is to support a broad number of default use cases; we think this stuff should just work for everyone. We do rely on cutting-edge browser standards, but we choose them based on the real-world support available in all major browsers, including mobile browsers.
Using a single device as a base case
Let's consider the base case of a person who has just one computing device: a single phone that they own and use for everything. Losing that one phone means losing every key they have.
This is the common base case we need to keep in mind.
It's crucial to remember that the typical software developer or early adopter is much easier to support: they have at least one mobile device and one desktop or laptop. The private key stored on a desktop is much more likely to stick around for a really long time.
In fact, in some of our user research interviews, developers told us that the private key they used to securely connect to GitHub was often on their machine for 5 years. Basically, the entire lifetime of owning the machine before they got a new computer and set up a new key!
But since that isn't the situation in our single-device base case, we have to plan the account recovery process around a single device, so that the system is accessible and recoverable by the largest number of users.
Splitting up keys
Our basic principle involves generating backup keys and splitting them into pieces. Some of those pieces are stored on the Fission platform, linked to the user account.
The remaining pieces are stored "offline" by the user, as recovery codes.
When the offline recovery codes are combined with the pieces held by Fission, they reconstruct the complete key that can access the person's account.
Because of our commitment to privacy, Fission never holds the whole key; with a proper secret-sharing split, the pieces on our side are indistinguishable from random on their own and reveal nothing about it.
If someone breaks into Fission's database, there are no passwords and no usable secret keys to leak.
Where should I store recovery codes?
On Apple iOS devices, basic iCloud file storage is built into the operating system, just as Fission accounts include the Web Native File System. We'll recommend that users download the recovery codes and store them in Safari's iCloud downloads folder, or somewhere else in their iCloud files.
On Android, the defaults are a lot more varied. Many Android phones have Google services built in by default, so we'll recommend the same approach there, storing the codes in Google's built-in cloud storage, as with iCloud in our iOS example.
Advanced users can store this file anywhere they feel comfortable: in Apple Notes with a password, printed out on paper, in their 1Password account, or even sent as a "Note to Self" in the Signal messenger app. Wherever it lives, the file is only the user's part of the key: anyone who reads it would still need the pieces Fission holds to reconstruct the whole key, and Fission, with only its own pieces, still can't.
And in the future, based on feedback, we may allow advanced security-conscious users to forgo recovery codes entirely and self-manage their backup keys.
You can check out the in-progress diagrams and notes of our Account Recovery design process in the forum.
We’re not done with our design. We are still working at the level of security, systems, and cryptographic principles, as well as streamlining the user experience and the flows for users.