completed feature-request
ffff0h
First off, please let me say that I very much like the eminently simple sign-up process, and I do believe that data minimization is a good thing.

However, with how it works at present, if a user signs up and then loses their browser cookies, there appears to be no way to recover access to the account. If a user invests significantly in their account, this could become a problem.

It's fairly clear from reading the profile page in detail that the way to solve this is to securely record the account recovery token. However, the user does not appear to be presented with this information when they sign up. (I wasn't.)

Once a user signs up, they should ideally be presented with information on how to maintain access to their account even if their cookies are deleted. This could be a simple message along the lines of "to ensure continued access to your account, go into your profile and record your account recovery token in a safe, secure place" with a link to the profile page.
Top Answer
Caleb
I understand the desire to hold as little PII as possible, but account recovery is a problem, and making those with root DB access responsible for manually validating identities does not scale.

For example @Jack knows some other channels to verify this account is me if I claim to have lost access to it, but he will quickly run into people he doesn't know how to contact, hence putting those accounts at risk of being lost (at best) or handed over to bad actors (at worst).

I would suggest:

1. Having a huge bold red warning banner on all profiles about users being 100% responsible for their account recovery and explaining that they are NOT RECOVERABLE unless the user enables a recovery mechanism. Drop the banner only when at least one fallback mechanism is enabled.

1. Not making any single method mandatory. Different information will be sensitive to different people. I would rather cross link _all_ of my social profiles, some people would rather cross link select sets, others would prefer none. Whatever PII is held should be up to the user.

1. Allow cross linking other identities with or without marking them as usable for account recovery. Some people may want to list their Twitter profile without making that a point of failure.

Here are some account recovery ideas.

* GPG: Allow me to enter my public key, and if I lose my account present me with an encrypted message with my recovery key that only I should be able to decrypt (because only I have the private key). **Requires zero PII** but a lot of technical knowledge.

* Bitcoin / Ethereum / other blockchain currency: List a wallet address as a profile recovery option, users could recover accounts making a donation from that wallet that supports the site at the same time! **PII only revealed on recovery request.**

* Keybase:

* Twitter / Github / Gitlab: These and many other systems provide federated login support so people can just authenticate with them as ID providers in the first place (incidentally without revealing very much PII), and they can also be added as backup mechanisms. A lot of us will want to advertise these anyway.

* SE / Facebook / other social media link / website: account recovery could be done by giving the user a token to post anywhere on the profile page and then crawling for it (tricky to do securely on some sites, manual validation might be a first step).

* FIDO: Using 2FA as a single factor fallback is weird, but possible.

* Email: a very common way of doing this and email providers tend to take ID seriously enough it's a viable method of verifying people. Include a warning about this being visible to (potentially lots of) server and DB administrators. Even if the current set is low, people should be aware listing their email is not a secure proposition. Perhaps ONLY allow listing it publicly to avoid people that want to keep their email private even using this method, with an option to use it for recovery or not, but not an option to keep it private.

* SMS: Similar to above. I think it's a bad idea but lots of people rely on their phone provider as a fallback identity.
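
An added example, not part of the answer above and not the site's own code: a sketch of the "token posted on a linked profile" recovery check, showing the parts that make it safer (random single-use token, only its hash stored, short expiry, exact match on the linked URL, text taken only from fields the profile owner controls). The class, method names, `recover-` prefix and 15-minute lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 15 * 60  # assumed challenge lifetime, in seconds


class RecoveryChallenges:
    """Pending proof-of-control challenges, kept in memory (hypothetical store)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # account_id -> (profile_url, sha256(token), expires_at)

    def issue(self, account_id, profile_url):
        # profile_url must be one the user linked AND flagged for recovery
        # before losing access; never accept a URL supplied at recovery time.
        token = "recover-" + secrets.token_urlsafe(24)  # 192 bits of randomness
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[account_id] = (profile_url, digest, self._now() + CHALLENGE_TTL)
        return token  # shown once to the requester; the server keeps only the hash

    def verify(self, account_id, fetched_url, owner_controlled_text):
        # owner_controlled_text: text extracted only from fields the profile
        # owner can edit (bio, about), not comments or posts by other people.
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        profile_url, digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[account_id]  # expired challenges are discarded
            return False
        if fetched_url != profile_url:  # final URL after redirects must match
            return False
        for word in owner_controlled_text.split():
            if not word.startswith("recover-"):
                continue
            candidate = hashlib.sha256(word.encode()).digest()
            if hmac.compare_digest(candidate, digest):
                del self._pending[account_id]  # single use
                return True
        return False
```
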
Answer #2
Monica
I'd like to go a step farther: allow people to record a (private) email address on the profile, and add an "email me my recovery information" button.  This also doubles as "email me that text string I'm going to need to sign in on another device".

We want people to invest in our communities, and we're also reaching out to people who already *have* invested elsewhere and want to bring that investment here.  Let's please make it hard to be locked out of that investment.

Further, if we have an email address, then even if the user *didn't* click that button and then lost the token, we would in principle have a way to reunite the person with the lost account later.
Answer #3
Jack Douglas
> However, the user does not appear to be presented with this information when they sign up. (I wasn't.)

Thanks for pointing out this omission. As our sign-up process is different (even if it is better), the onus is on us to give users extra prompting to help stop accidental loss of access.

As of now, a new sign up redirects to the profile page and highlights the login key and the message about protecting it. We've also moved the recovery info near the top of the login page:

![Screenshot 2019-12-02 at 12.52.51.png](/image?hash=b0119f3971037879763aabb6f8924fd9f5597454f36ebb69a71ada6850a683e6)
Answer #4
Wellspring
To recover the login key, how about arranging for it to be saved in (at the user's discretion) and recovered from the user's normal login depositories, e.g. iOS Passwords and Accounts?
Make it clear to new users how to maintain access to their account
Hosch250
Hi, again. Sorry I dropped out for a bit. Yes, I mean user-supplied email (or username, anyway) and password. As it is, I entered this key in my Firefox password manager manually, and I'll need to retrieve it manually whenever I want to sign in. I'll never remember a guid :)
Jack Douglas
@Wellspring that suggestion is related to [this other question](https://topanswers.xyz/meta?q=464#question). If that is possible and working, it should work on mobile Safari too.
Monica replying to Jack Douglas
This makes sense -- we need to make it pretty obvious that they need to take specific action, and what that action is, because it's not the norm.  And so long as there's some (human-powered) way to recover, that's probably enough.  But *I* missed the implications of that token at first and I consider myself reasonably adept technically, so I expect others would too.  I thought it was relevant for signing in on additional devices, and didn't consider that my browser could lose access too.
ffff0h
It's not so much an issue for someone who sets up an account, then immediately loses access before they have had a chance to invest much in it. That might be a UX issue, but seems less of an account access issue.
ffff0h
Being able to tie an account to an e-mail address for recovery purposes might be nice, but I for one kind of like the fact that there is no (or next to none) PII involved here.
ffff0h replying to Jack Douglas
A redirect to the profile page and explicit warning would appear to solve the immediate problem, yes. My immediate concern is that someone comes along, sets up an account and contributes; then at some later point, they do something that causes them to lose their cookies. (Get a new computer or phone, troubleshoot the browser, or whichever.) In that scenario, if they haven't saved the recovery token, there appears to be no way to regain access to their account, so it should be made clear that they need to do that.
Jack Douglas
I do think it might be quite a while before this happens however…
Jack Douglas
@Monica I think it is less likely that someone with a significant investment would be locked out entirely than that there would be a period of inconvenience and extra effort for both them and us devs (also bad of course but not quite so bad). Saying that, as Paul mentioned above, I think it would be a good thing in the longer term to have at least one, and possibly several other, options for account recovery, with none being mandatory of course.
Jack Douglas
@ffff0h that is a very sensible and helpful suggestion — I'll add an answer here when we have got a solution in place. Would it be a useful start to simply redirect people to their profile page as soon as they 'join'? Perhaps combined with a more explicit warning about saving the recovery token somewhere? Eventually this might be replaced with some kind of helpful landing page specifically for new users.
Paul White
one of the starting ideas was not to hold any personal info at all  
at least to start with, this makes heaps of things easier  
Jack did say recently that consideration was being given to other methods for account recovery in future  
so I'll leave him to answer on that
Monica replying to ffff0h
Whoops, you're right.  I wonder what else I signed up for recently that I'm confusing memories with.  I'll edit.
ffff0h
@Monica I'm not even seeing anywhere to enter an e-mail address on the profile.