Summary:The ownership of an account can be easily proved through a smart contract (or similar technology), by linking an ETH address to a key, which is tied up with an account in any system. The smart contract allows to request the reset of the password to a new mail provided from the smart contract. When the server where the account are managed sees the request and verify the ETH address and key are linked to a specified account, it will automatically handle the case, sending the recovery details to the new mail belonging to the legitimate owner.
Live demo: https://albertoit.github.io/Demo/AccountOwnership.html
Details:This is a draft of the smart contract behind it:
pragma solidity ^0.4.23;
contract BitcointalkAccountOwenship {
address owner;
struct UserAccount {
uint linkKey;
string recoveryMail;
}
event ProofOfOwnership(address account, uint linkingKey);
mapping (uint => address) private _accountsLink;
mapping (address => UserAccount) public _linkAccount;
function BitcointalkAccountOwenship() public {
owner = msg.sender;
}
function linkAccount(uint linkKey){
if(_linkAccount[msg.sender].linkKey != 0) revert(); // address already binded, need to use a brand new
if(_accountsLink[linkKey] != address(0x0)) revert(); // duplicate linkKey
UserAccount memory user = UserAccount(linkKey, "");
_accountsLink[linkKey] = msg.sender;
_linkAccount[msg.sender] = user;
}
function verifyOwnership(string newMail){
if(_linkAccount[msg.sender].linkKey == 0) revert(); // we don't know who you are
_linkAccount[msg.sender].recoveryMail=newMail;
ProofOfOwnership(msg.sender, _linkAccount[msg.sender].linkKey);
}
}
Each user can create a brand new ETH address for the only purpose of linking it with his own account’s key and call the function below with it.
linkAccount(2211184082342633147);
After the transaction is confirmed, information necessary to recover his account (ETH and key) must be confirmed and saved as well in the server hosting the account.
If the account get compromised the legitimate owner calls:
The server could have a bot or a scheduled task running once a day, which will read the new ProofOfOwnership events generated; At this point, it will need to verify that everything is in order before to reset the password to the new mail, this can be done by retrieving the key (and the mail) connected to the ETH address which submitted the ProofOfOwnership and verifying it is associated to one of the active accounts (all these checks don't cost anything):
Available to answer any doubt and interested to know if anybody has some way to improve it. Maybe a system similar to this one could be taken under consideration in here to secure accounts.