Topic: System to prove account ownership and recovery automatically - Demo included (Read 245 times)

hero member
Activity: 784
Merit: 1416
What if a function that uses Simple Machines Forum password hash file as some sort of Multisignature schema?
So the admin could perform a simple SQL query on the SMF database to be K1, then the user would show K2

There are many ways to do it, I just chose this implementation because it's very similar to the way it is working now: you have an address connected with the account and prove you own it, but everything is automated.
jr. member
Activity: 168
Merit: 3
What if a function that uses Simple Machines Forum password hash file as some sort of Multisignature schema?
So the admin could perform a simple SQL query on the SMF database to be K1, then the user would show K2
hero member
Activity: 784
Merit: 1416
looks promising but... shouldn't you offer this to ethereumtalk.org Grin
this is bitcointalk.org, I doubt theymos would want to use ethereum's smart contract for this matter
the problem is when the private key is compromised, we are back to the same proof of ownership problem again
btw I think theymos doesn't want recovering account to be automated

I think for every problem to be solved there is a right tool to be used. In any case you may find out you lost the private key of your Bitcoin address you posted here somewhere and get locked out the same way.
hero member
Activity: 1232
Merit: 738
looks promising but... shouldn't you offer this to ethereumtalk.org Grin
this is bitcointalk.org, I doubt theymos would want to use ethereum's smart contract for this matter
the problem is when the private key is compromised, we are back to the same proof of ownership problem again
btw I think theymos doesn't want recovering account to be automated
copper member
Activity: 630
Merit: 420
We are Bitcoin!
Seems like a bit closer to one of my proposals ([Proposal: prevent account hack] A complete new login system for BitcoinTalk). As long as we can automate the whole thing then the pressure to mod and the waiting time we see for the victim will be reduced dramatically. Bottom line is, we need automation PERIOD.


update:
...They probably look at when the passwords were changed, and they may even look at personal messages to determine if an account has been compromised through other means.....
It makes sense if an account gets banned for suspicious activities or any of the forum mods lock the account, as an appeal against the action. If anyone loses their password or forgets account details or someone gets locked for using the secret question feature then an automation of recovering an account makes a lot of sense. Anyway I am sure theymos and other admins have their own choice for the best of the forum.
staff
Activity: 3332
Merit: 4117
I don't think it solely relies on providing a signature though. I believe cyrus/theymos looks at each case individually and determines if everything makes sense and the private key hasn't been compromised either. They probably look at when the passwords were changed, and they may even look at personal messages to determine if an account has been compromised through other means.

If it was solely based on signing an address then there would likely not be a huge backlog in accounts waiting to be looked at, and it likely wouldn't be restricted to theymos/cyrus either. Here's a quote from cyrus:
Apparently he left a backdoor on his way out: https://bitcointalksearch.org/topic/m.20476143 (which still remained quoted)

If recovering an account was easy, then the above would be all it takes. Account recoveries are seldom straightforward, they take time and precision but it's ultimately in the rightful owner's benefit.

That being said something like this could be beneficial to those who make common mistakes in formatting their address & signature.
hero member
Activity: 784
Merit: 1416
Summary:

The ownership of an account can be easily proved through a smart contract (or similar technology), by linking an ETH address to a key, which is tied to an account in any system. The smart contract allows requesting the reset of the password to a new mail provided from the smart contract. When the server where the accounts are managed sees the request and verifies that the ETH address and key are linked to a specified account, it will automatically handle the case, sending the recovery details to the new mail belonging to the legitimate owner.

Live demo: https://albertoit.github.io/Demo/AccountOwnership.html




Details:

This is a draft of the smart contract behind it:
   
Code:
pragma solidity ^0.4.23;

contract BitcointalkAccountOwenship {

    address owner;

    // Data stored for each linked ETH address.
    struct UserAccount {
        uint linkKey;        // key tied to the forum account (0 means "not linked")
        string recoveryMail; // set by verifyOwnership; readable by anyone on-chain
    }

    // Emitted when a linked address asks for a password reset.
    event ProofOfOwnership(address account, uint linkingKey);

    mapping (uint => address) private _accountsLink;
    mapping (address => UserAccount) public _linkAccount;

    constructor() public {
        owner = msg.sender;
    }

    function linkAccount(uint linkKey) public {

        if(linkKey == 0) revert(); // 0 is the "not linked" marker, so it cannot be used as a key
        if(_linkAccount[msg.sender].linkKey != 0) revert(); // address already bound, need to use a brand new one
        if(_accountsLink[linkKey] != address(0x0)) revert(); // duplicate linkKey

        UserAccount memory user = UserAccount(linkKey, "");

        _accountsLink[linkKey] = msg.sender;
        _linkAccount[msg.sender] = user;

    }

    function verifyOwnership(string newMail) public {

        if(_linkAccount[msg.sender].linkKey == 0) revert(); // we don't know who you are

        _linkAccount[msg.sender].recoveryMail = newMail;

        emit ProofOfOwnership(msg.sender, _linkAccount[msg.sender].linkKey);
    }

}



Each user can create a brand new ETH address for the only purpose of linking it with his own account’s key and call the function below with it.
   
Code:
linkAccount(2211184082342633147);

After the transaction is confirmed, information necessary to recover his account (ETH and key) must be confirmed and saved as well in the server hosting the account.

If the account gets compromised the legitimate owner calls:
   
Code:
verifyOwnership("[email protected]")

The server could have a bot or a scheduled task running once a day, which will read the new ProofOfOwnership events generated. At this point, it will need to verify that everything is in order before resetting the password to the new mail; this can be done by retrieving the key (and the mail) connected to the ETH address which submitted the ProofOfOwnership and verifying it is associated with one of the active accounts (all these checks don't cost anything):

   
Code:
_linkAccount(0xaddress)


Available to answer any doubt and interested to know if anybody has some way to improve it. Maybe a system similar to this one could be taken under consideration in here to secure accounts.
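
The daily server-side check described in the post above, sketched as an added Python example that is not part of the original post or its demo. It assumes the events are already decoded from the chain; `ProofEvent`, `SERVER_LINKS`, `CHAIN_STATE`, `reject_reason` and `process_events` are hypothetical names, and all addresses, keys and mails are constructed sample data.

```python
import re
from collections import namedtuple

ProofEvent = namedtuple("ProofEvent", "tx_hash account linking_key")  # one decoded log
MAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
A, B, C, D = ("0x" + pair * 20 for pair in ("a1", "b2", "c3", "d4"))
# Constructed sample: (ETH address, key) pairs the forum saved at link time.
SERVER_LINKS = {
    A: {"user": "alice", "link_key": 2211184082342633147, "active": True},
    B: {"user": "bob", "link_key": 77, "active": False},
    D: {"user": "dave", "link_key": 88, "active": True},
}
# Constructed stand-in for the contract's public _linkAccount getter.
CHAIN_STATE = {
    A: (2211184082342633147, "alice.new@example.com"),
    B: (77, "bob.new@example.com"),
    D: (88, "dave@example.com\nBcc: x@example.com"),
}
EVENTS = [  # constructed; the first address is written in mixed case
    ProofEvent("0xt1", "0x" + "A1" * 20, 2211184082342633147),
    ProofEvent("0xt2", B, 77),
    ProofEvent("0xt3", C, 999),
    ProofEvent("0xt4", D, 88),
]

def reject_reason(ev, record, chain_entry):
    if record is None:
        return "address not saved on the server"
    if not record["active"]:
        return "account not active"
    chain_key, mail = chain_entry
    if not (record["link_key"] == ev.linking_key == chain_key):
        return "key mismatch"
    if not MAIL_RE.fullmatch(mail):  # the mail is arbitrary caller-supplied text
        return "malformed recovery mail"

def process_events(events, server_links, chain, seen):
    resets, rejected = {}, []
    for ev in events:
        if ev.tx_hash in seen:  # already handled on an earlier daily run
            continue
        seen.add(ev.tx_hash)
        addr = ev.account.lower()
        record, entry = server_links.get(addr), chain.get(addr, (0, ""))
        reason = reject_reason(ev, record, entry)
        if reason:
            rejected.append((ev.tx_hash, reason))
        else:
            resets[record["user"]] = entry[1]  # latest mail on chain wins
    return resets, rejected
```

Only the first event leads to a reset; the other three are rejected with a reason that can be logged for the admins, and a second run over the same events does nothing because their transaction hashes are already in `seen`.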
