On 04/22/2014 08:43 AM, Dave Baggett wrote:
> I'd love to get your collective thoughts on a challenge we have.

At LEAP, we also use SRP in a similar way for the same reason. Options we have considered:

(1) do nothing: warn the user they are totally screwed if they forget their password. (working!)

(2) recovery code: encourage users to print out a long recovery code that can be used to download and restore all their secrets. (working, but no UI for it yet)

(3) Shamir's Secret Sharing [1]: as described by Michael except automated and using OpenPGP (akin to Trevor's public key suggestion). (not working)

(4) third party escrow: I would like to start an escrow service that providers could use so that they didn't need to be the escrow themselves, located in some place with jurisdictional arbitrage. The API would allow saving a password along with one of three reset methods (email, question, sms), and returns an identifier. (not working)

(5) shitty mode: allow users to configure their account in low security mode, with big flashing warning lights. In this mode, the provider would keep a copy of the user's password. (not working)

-elijah

[1] https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
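The following is an added worked example of the splitting step in option (3), Shamir's Secret Sharing over a prime field; it is illustration code written for this page, not LEAP's code and not the automated OpenPGP flow the message describes (encrypting each share to a trustee's public key is left out). Everything here is an assumption for the example: the field prime 2**521 - 1 (a Mersenne prime, so any secret of up to 65 bytes fits as a field element), the share format as (x, y) integer pairs, and the 32-byte sample secret, which is constructed rather than a real key.

```python
import secrets

# Field prime (assumption for this example): 2**521 - 1 is a Mersenne prime,
# so a secret of up to 65 bytes maps to a single field element.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 65


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret_bytes, threshold, num_shares):
    """Split secret_bytes into num_shares points on a random polynomial whose
    constant term is the secret. Any `threshold` points reconstruct it; fewer
    reveal nothing about it (information-theoretically).

    Returns a list of (x, y) pairs, x being the share index 1..num_shares."""
    if not 1 <= threshold <= num_shares:
        raise ValueError("need 1 <= threshold <= num_shares")
    if len(secret_bytes) > MAX_SECRET_BYTES:
        raise ValueError("secret too long for the field")
    secret = int.from_bytes(secret_bytes, "big")
    # Degree threshold-1 polynomial: constant term is the secret, every other
    # coefficient is a uniformly random field element.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_field_element(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    Fewer than `threshold` shares do not raise: the result is simply a
    uniformly random field element, because the scheme itself cannot tell a
    short share set from a complete one."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        lagrange_at_zero = num * pow(den, -1, PRIME) % PRIME
        total = (total + yi * lagrange_at_zero) % PRIME
    return total


def recover_secret(shares, secret_len):
    """Reconstruct the original bytes. A value that does not fit in secret_len
    bytes almost certainly means too few or corrupted shares; for a real
    recovery flow, verify the result against an independent check (e.g. a
    MAC or a hash stored with the shares) rather than relying on this."""
    value = recover_field_element(shares)
    try:
        return value.to_bytes(secret_len, "big")
    except OverflowError:
        raise ValueError("reconstruction failed: too few shares or a corrupted share")


if __name__ == "__main__":
    sample_secret = bytes(range(32))  # constructed sample, not a real key
    shares = split_secret(sample_secret, threshold=3, num_shares=5)
    # Any three distinct shares suffice; two do not.
    print(recover_secret([shares[0], shares[2], shares[4]], 32) == sample_secret)
    print(recover_field_element(shares[:2]) == int.from_bytes(sample_secret, "big"))
```

Note that plain Shamir sharing gives no integrity: a trustee who returns a corrupted share silently produces a wrong secret, and a dishonest trustee cannot be identified from the shares alone, so a deployment along the lines of option (3) still needs each share authenticated (the OpenPGP wrapping the message mentions would cover confidentiality of a share in transit, not correctness of what a trustee later returns).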
