Right now web3 users have some sort of trade off while trying to store their secret phrase . Either they use some ledger type wallet , it has physical issues , someone can steal it, it can break etc . (Not to mention ledger was recently hacked in December 2023) . Or he can use a hot wallet like Plug or trust wallet , but he uses maybe google drive or google keep to store them … but those ones have a back door always and not to mention its backed by policies not cryptography . So why isn’t there a trust less or decentralized protocol for seed phrase storage and recovery . Turns out its because the technology for it wasn’t mainstream.
Let me explain …
You see the idea of password recovery only works if there is a central custodial of the password … At the end your username(email) and password account resides in their own database ,hence they have the access to change it . So they created the mechanism of recovery just to make sure your identity (using your email) and they write the code to allow you to change it . After from that , the mechanism evolved by adding some sort of AES encryption so that those who can see the database can’t just see your password plainly … if he has the keys then he can see them plainly . That’s why they say to change your passwords on different platforms. Because at the end , your password is at the mercy of the database admin .
So that’s why metamask , trust wallet etc still don’t have a recover password button . You might be thinking , but hey "Coinbase allows me to store on google drive " … It works by using a password to encrypt it , and its back to the same circle , you have to remember the password . And also Data availability isn’t guarantee by google .
So can we do it now ?
Yes , infact i have done a basic prototype .
So why is it possible now ?
Because of Vet keys …
You see when ICP made tECDSA possible , Vet keys was the natural progression. Where i can store any secret on the blockchain using vet keys . Hence a secret can be stored on blockchain which can only be accessed by the user or the smart contract and not by some "database admin " (hence no back door).
So i used Vet keys and added DKIM signature to it .
Why DKIM Signature ?
This is a signature in all your mainstream emails to verify your email subject and body . So using this you can verify your email without a centralised OTP servers !
So using these to concepts , you can have a linked secret to your email . Such that i can just link my email to my seed phrase and that’s it … I now have the security of hardware and convenience of software recovery .
Why stop here ?
Not really gonna stop here , huge potential ahead , i plan on adding ZK proofs to it and reclaim protocol integration such that you can have social auth like google , amazon etc or even Govt ID like Aadhar etc . All happening trustless and using ZK . Then things like programmable inheritance can be made etc .
Here is the Dapp So far
And the source code
And the DKIM signature verification at
Current protocol :
User Registering
- User clicks on register which shows 5 digit number that is going to expire in 5 minutes
- Then an instruction is set out such that the user has to give a copy of the email which has those 5 digits
- Then the user sends an email to the email he want to use as recovery.
- Then submits the copy of the email from his recovery email
- Then user enters the secret phrase
User Retrieving Secret
- User enters email
- After checking if the email is registered , then a 5 digit number is show
- The user sends the copy of a email which has those 5 digit number
- The smart contract verifies the email using DKIM and return the phrase
Thanks to @lastmjs for helping me out in the DKIM signature part .