Need for new NNS recovery system

For whatever reason, we see more and more NNS access lost. Last year I posted my concerns about this and tried to explained the necessity for having a recovery system. Many Dfinity employees are spending much time to help and loose that very precious time. It will only get worst and worst overtime.
People will have hardware and software problems and will be negligent. This is immutable.
I noticed there is nothing much on the roadmap about this. So I am trying again to proposed to the NNS team something like this:

Have a mandatory recovery system configured. As an example:

Store up to 3 emails addresses.
Store up to 3 phone numbers
Store 3 secret questions (both questions and answers define by the user)
Store birthdate (or any other date to the user preference)

For recovery,
1- ask for birthdate. If pass…
2- Ask to choose 1 email address and send a confirmation code. Enter the code. If pass…
3- Ask the 4 personal questions and 3 out of 4 need to be answered correctly. If pass…
4- Ask what phone number to send a sms code.

That would be a combination of hardware and personal knowledge. Of course everything would have to be strongly encrypted before sending to the IC canister.

These are only examples. The crypto community and IC cannot afford to spread to the mass that some people are loosing their account and their investments because they lost access. Although I hate banks with passion, you would never loose your web2 bank account. For Web3 mass adoption, IC cannot be worst then web 2.
Please don’t tell me that it is like this in crypto, that Metamask work like this. Let be much better than Metamask and better than banks.

The locking seed phrase option is not very efficient. If you have a compromised browser while you create and lock your seed phrase, the hacker can unlock and stole your account very easily

I understand that your personal questions and birthdate can be at risk if entered in a compromised browser but the sms and email code would compensate the risk.

I really hope that IC would the the first blockchain where: Not your key but still your crypto for ever. That is one of the way to achieve this.

Dfinity would not have to support those access problems anymore
‘Not your key but still your crypto’ would be revolutionary in this web3 world
Mass adoption made easier with a much stronger security sentiment

I do not see any disadvantage to have such a system. Welcome to share if you do.


I have thought about this as well. I appreciate you making the formal post actually. I specifically like the idea of SMS. I may embarrass myself and say an MFA app would almost be nice, but I feel they are trying to solve the need for MFA’s so I don’t want to sound dumb lol But, personally the extra just in case, or for the chance I use a compromised browser, would be really appreciated. I am learning better security practices since entering the space, because of all the helpful advice the community has given me. However, my anxiety and lack of understanding would ease or comfort that uneasy anxious feeling.

This recovery works in banks because transactions can be reversed once fraud is detected. It is impossible in crypto once an account is compromised. Security questions are useless when your tokens have already been spirited away. If people are negligent with seed phrases, they will be negligent with any other method of securing an account. Crypto simply is not structured to provide the security that banks do. Immutability and irreversibility are core values.

If locked in the NNS, you will be good.
Will never get mass adoption with ‘Not your key, not your crypto’. Will stay all between us.
I do not want be like banks, want be better than banks.
So it depends what is the long term goal.
You are intelligent but if you make 1 mistake, only 1, or have a bad luck, you are screwed.
This is the exact purpose of such a need. For people who will do a mistake, or being negligent.
If you have been in the software industry long enough, you know people are making mistakes or have bad lucks.
I really think we can do much better to attract the mass.

EDIT: Would like to add. In Kraken, you can lock your account inside and unlock with a device. So with such a function, even the unlock ICP would been safe. Add a warning email or sms for each login and you would be much better than banks.

1 Like

Remember few weeks ago when 8,000 Solana wallets were getting drained? All those people were very careful with their seed phrases. Such a recovery system, combine with transactions protections like Kraken have, would have avoid that mess and everyone would have recuperated their accounts, with all their tokens not being able to be transferred anywhere.

1 Like

The Solana attack related, afaik, to Slope and not to core protocol. You will have custodial services offering all the security measures you want, but the core protocol can never put those in place for reasons I have already mentioned. What is the point of crypto at all, if we have KYC and transaction reversibility built in?

1 Like

This is a good back-and-forth debate of my exact internal dialogue minus some of the specific talk. If anything I appreciate you two discussing this openly so I can wrap my head around this and not feel stupid. I am not trying, nor do I intend on being negligent. However, I am still learning and have a lot to learn still I’ll admit. So, while yes, some may be negligent, I worry that @coteclaude is right for my specific concern.

What if I just have bad luck, or by some chance in my learning process I flat out mess up, and would be willing to own that mistake (not negligence from my point of view)… I just want to maybe put it in a new perspective. I really am actively trying to do my own research, and cover my own basis, but I’m not perfect by any means, and having this safeguard would be nice for me personally. Or, for other more private reasons, there are other individuals who also start learning along their way, and perhaps I’m not here to help guide them through effective safety measures as I learned over the next few years of my education. Then it might be nice knowing the future generations are protected as well. Just something to consider at the very least humor me.

How or what would this look like on the IC?

Or let me be more specific, what would be a way that my browser would become compromised and this could occur? I could very well already be taking the most effective measures and am overthinking this completely to the point of paranoia. However, I would rather indulge this paranoia in this space, to gather solid feedback from those actually in these industries.

Sorry, I was not clear enough.
There is no KYC or reversible transaction needed. I will explain you my second phase to prevent asset transfer.
I will try to be clear and as short as possible.
There is two goalˋ

1- The first goal is to make sure the real owner will always have access to his account and remove non desirable access device. This is explained in my first post with a 3FA or 4FA.

2- The second phase is to prevent a hacker, who would have access to your account, from making any transaction, changes, anything.

This is inpired by Kraken Exchange security system.
In the NNS:

1- You can lock your account for all operation (transfer, wallet activities, everything) with a delay (let say 10 days but you can set up less), with an UNLOCK DELAY option
2- You setup an immediate unlock device (Yubikey or PIN)
3- Then, you lock your OPERATION. So everything inside is frozen. A hacker, or yourself, cannot do anything in the account. To perform an operation, you need to unlock the operations.

When you need to do an operation:

1- You use your immediate UNLOCK device or PIN to unlock operations. This would unlock everything immediately and you can do the desire operation.
2- If you donˋt have lost your UNLOCK device or forgot your PIN, you can still unlock with a 10 days waiting period.
3- You receive an email or sms when unlocking operations.

If a hacker sneak in your account, he can unlock operations but will have a 10 days delay to do anything. In the meantime, the real owner receive a notification email and sms that his account unlocking delay have started.

This way:
1- The real owner would have always access to his account, for being hacked or lost his device, etc.
2- If hacked, the hacker cannot do anything inside and the real owner have plenty of time to remove the hacker access device

So no KYC, No reverse transaction.

Not your key, still your crypto forever.


I actually really appreciated this thoughtful and concise reply. This hit pretty much all of my questions, except for ways a user could end up with a compromised device. In my mind, I narrowed it down to extensions. However, as mentioned I am new. This could be a topic or discussion for another day or another setting though, and I apologize for that.

It already happenned, in another thread here last summer, that a user forgot his laptop with his key (I believe a Yubikey) and it got it stolen by a coworker. The coworker removed all the real owner devices and installed his. The real owner could not do anything to get it back. He had 32000 ICP in it. Dfinity has made a long investigation and found out what happenned. A little mistake we all can do at some point, while being slightly distracted.


Yes, I read this article recently actually. It led me to several questions, and then more questions about those questions because I lacked significant context. However, this did at the very least teach me a valuable lesson on where I use or log in to my account.

Email and sms is effectively KYC. Besides, you don’t need delay mechanisms if you have staked your tokens in the NNS which has a dissolve delay built in. You will know if anybody has started the process of dissolving, because it will tell you when you log on to merge maturity. You can then use the seed phrase to recover your account completely by deleting the attacker’s devices before the dissolve is completed and then re-stake with minimal loss.
If you have not staked and locked in on the NNS, a custodial wallet will offer the solutions you want.

Ok, let me explain 1 more thing I forgot.

This would be all optional for everyone. You don’t want have a recovery system, do not configure any email, no phone number, no question, anything.

But for people who would like to have, let them have so we can board more people.

1 Like

An other idea :
We should give possibility to configure 12 keywords like this also for recovery :

  1. Name of my mother’s dad
  2. family Name of my first best friend
  3. Name of my first dog
  4. Name of my morther’s dad’s dog.
  5. First name of my first girlfriend
  6. Name of the city I lived in Canada
  7. first Name of my favorite math Teacher
  8. Name of my uncle
  9. Name of my aunt company

This type of recovery system should never be used, and was/is heavily abused by hackers in games like RuneScape where only small amount of finances are involved.

I agree with this proposal, apart from the question recovery idea. The drawbacks of each recovery option should be explained simply for the masses.

I would not predefine the questions but would let the user create his questions and answers.
Still all options would be optional. You configure only the one you like and set your recovery system to the level you want.