ffff0h
First off, please let me say that I very much like the eminently simple sign-up process, and I do believe that data minimization is a good thing.
However, with how it works at present, if a user signs up and then lose their browser cookies, there appears to be no way to recover access to the account. If a user invests significantly in their account, this could become a problem.
It's fairly clear from reading the profile page in detail that the way to solve this is to securely record the account recovery token. However, the user does not appear to be presented with this information when they sign up. (I wasn't.)
Once a user signs up, they should ideally be presented with information on how to maintain access to their account even if their cookies are deleted. This could be a simple message along the lines of "to ensure continued access to your account, go into your profile and record your account recovery token in a safe, secure place" with a link to the profile page.
Top Answer
Caleb
I understand the desire to hold as little PII as possible, but account recovery is a problem, and making those with root DB access responsible for manually validating identities does not scale.
For example @Jack knows some other channels to verify this account is me if I claim to have lost access to it, but he will quickly run into people he doesn't know how to contact, hence puting those accounts at risk of being lost (at best) or handed over to bad actors (at worst).
I would suggest:
1. Having a huge bold red warning banner on all profiles about users being 100% responsible for their account recovery and explaining that they are NOT RECOVERABLE unless the user enables a recovery mechanism. Drop the banner only when at least one fallback mechanism is enabled.
1. Not making any single method mandatory. Different information will be sensitive to different people. If would rather cross link _all_ of my social profiles, some people would rather cross link select sets, others would prefer none. Whatever PII is held should be up to the user.
1. Allow cross linking other identities with or without marking them as usable for account recovery. Some people may want to list their Twitter profile without making that a point of failure.
Here are some account recovery ideas.
* GPG: Allow me to enter my public key, and if I lose my accont present me with an encrypted message with my recovery key than only I should be able to decrypt (because only I have the private key). **Requires zero PII** but a lot of technical knowledge.
* Bitcoin / Etherium / other blockchain currency: List a wallet address as a profile recovery option, users could recover accounts making a donation from that wallet that supports the site at the same time! **PII only revealesed on recovery request.**
* Keybase:
* Twitter / Github / Gitlab: These and many other systems provide federated login support so people can just authenticate with them as ID providers in the first place (incidentally without reveling very much PII), and they can also be added as backup mechanisms. A lot of us will want to advertise these anyway.
* SE / Facebook / other social media link / website: account recovery could be done by giving the user a token to post anywhere on the profile page and then crawling for it (tricky to do securely on some sites, manual validation might be a first step).
* FIDO: Using 2FA as a single factor fallback is weird, but possible.
* Email: a very common way of doing this and email providers tend to take ID seriously enough it's a viable method of verifying people. Include a warning about this being visible to (potentially lots of) server and DB administrators. Even if the current set is low, people should be aware listing their email is not a secure proposition. Perhaps ONLY allow listing it publically to avoid people that want to keep their email private even using this method, with an option to use it for recovery or not, but not an option to keep it private.
* SMS: Similar to above. I think it's a bad idea but lots of people rely on their phone provide as a fallback identity.
Answer #2
Monica
I'd like to go a step farther: allow people to record a (private) email address on the profile, and add an "email me my recovery information" button. This also doubles as "email me that text string I'm going to need to sign in on another device".
We want people to invest in our communities, and we're also reaching out to people who already *have* invested elsewhere and want to bring that investment here. Let's please make it hard to be locked out of that investment.
Further, if we have an email address, then even if the user *didn't* click that button and then lost the token, we would in principle have a way to reunite the person with the lost account later.
Answer #3
Jack Douglas
> However, the user does not appear to be presented with this information when they sign up. (I wasn't.)
Thanks for pointing out this omission. As our sign-up process is different (even if it is better), the onus is on us to give users extra prompting to help stop accidental loss of access.
As of now, a new sign up redirects to the profile page and highlights the login key and the message about protecting it. We've also moved the recovery info near the top of the login page:
![Screenshot 2019-12-02 at 12.52.51.png](/image?hash=b0119f3971037879763aabb6f8924fd9f5597454f36ebb69a71ada6850a683e6)
Answer #4
Wellspring
To recovery the login key, how about arranging for it to be saved in (at the user's discretion) and recovered from the user's normal login depositories. eg IOS Passwords and Accounts?