Major 2-Key Loss Vectors and Mitigations

Most of these vectors assume that the user's passkey is on a device with an old implementation. Modern passkey implementations (such as on iCloud) are highly recoverable.

  • Passkey loss that also means irretrievable loss of the phone number (for example, losing an Android phone holding a pre-passkey WebAuthn credential, where that phone also held the only SIM card for a phone number that cannot otherwise be recovered)

    • Recovery of the number through the carrier may still be possible. See SMS Providers.

  • Passkey loss where the mobile device is the only holder of the email and cloud credentials

    • Discourage this practice: the credentials behind the Email Key and Cloud Key should be held somewhere other than the passkey device.

  • Censorship by a single provider, such as Google for both email and cloud (Google Drive)

    • Attempt to enforce different providers for the Email Key and the Cloud Key.

  • Theft of both the single passkey device and the NFC device

    • Encourage users not to carry both together. This is a weak mitigation and should be improved.

  • Forgetting the security answer + another single loss

    • Regularly prompt the user to confirm their security answer, or to sign with a phone number key, if they have not done so in some time.

  • Forgetting the map points + another single loss

    • Regularly prompt the user to confirm their map points, or to sign with the map points key, if they have not done so in some time.

  • Irretrievable phone number loss where both the SMS Key and the Telegram/WhatsApp Key are in use

    • Discourage the use of multiple phone number keys in lower key-count setups.
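Every vector above is a correlated loss: one event (losing the phone, losing the number, being cut off by one provider, forgetting something) removes more than one key at once, so a "2-key" setup fails after what looks like a single mishap. The following is an added example, not code from the original page or its project, that makes this check mechanical. Each recovery key is modelled by the set of loss events that would make it unusable; the analysis then reports which single events take out two or more keys, and which combinations of at most two events leave fewer keys than the recovery threshold. The key names follow the page; the event labels, the threshold of 4 surviving keys, and the two sample configurations (a weak one exhibiting the vectors above and a hardened one applying the mitigations) are assumptions constructed for this example.

```python
"""Correlated key-loss analysis for a multi-key recovery setup.

Added example (not part of the original page). A key is "lost" if ANY of
the loss events it depends on occurs. Event labels, threshold and the two
sample configurations below are constructed assumptions.
"""
from itertools import combinations


def all_events(keys):
    """Sorted list of every loss event referenced by any key."""
    events = set()
    for deps in keys.values():
        events |= deps
    return sorted(events)


def surviving_keys(keys, lost_events):
    """Keys that remain usable after every event in `lost_events` has happened."""
    lost = set(lost_events)
    return {name for name, deps in keys.items() if not (deps & lost)}


def correlated_losses(keys):
    """Single events that take out two or more keys at once (the root cause of
    every vector on the page). Returns {event: [affected key names]}."""
    report = {}
    for event in all_events(keys):
        hit = sorted(name for name, deps in keys.items() if event in deps)
        if len(hit) >= 2:
            report[event] = hit
    return report


def fatal_event_sets(keys, threshold, max_events=2):
    """Minimal combinations of at most `max_events` loss events after which
    fewer than `threshold` keys survive. Supersets of an already-fatal
    combination are skipped so only root causes are listed."""
    fatal = []
    events = all_events(keys)
    for size in range(1, max_events + 1):
        for combo in combinations(events, size):
            if any(set(f) <= set(combo) for f in fatal):
                continue
            if len(surviving_keys(keys, combo)) < threshold:
                fatal.append(combo)
    return fatal


# Constructed sample: a setup that exhibits the page's loss vectors.
# Email credentials live only on the phone, email and cloud share a provider,
# and two keys are tied to the same phone number.
WEAK = {
    "Passkey": {"device:phone"},
    "Email Key": {"provider:google", "device:phone"},
    "Cloud Key": {"provider:google"},
    "SMS Key": {"phone_number"},
    "Telegram Key": {"phone_number"},
    "Security Answer": {"memory:security_answer"},
}

# Constructed sample: same key count after applying the mitigations.
# Email moved to a different provider and held off the phone; the second
# phone-number key replaced by a map points key.
HARDENED = {
    "Passkey": {"device:phone"},
    "Email Key": {"provider:proton"},
    "Cloud Key": {"provider:google"},
    "SMS Key": {"phone_number"},
    "Map Points Key": {"memory:map_points"},
    "Security Answer": {"memory:security_answer"},
}

THRESHOLD = 4  # assumed: 4 of the 6 keys are needed to recover


def report(label, keys, threshold=THRESHOLD):
    """Print a human-readable summary for one configuration."""
    print(f"== {label} ==")
    for event, hit in correlated_losses(keys).items():
        print(f"  {event} takes out {len(hit)} keys: {', '.join(hit)}")
    fatal = fatal_event_sets(keys, threshold)
    if fatal:
        for combo in fatal:
            left = len(surviving_keys(keys, combo))
            print(f"  FATAL: {' + '.join(combo)} -> {left} keys left")
    else:
        print("  no single or double loss event defeats recovery")


if __name__ == "__main__":
    report("weak", WEAK)
    report("hardened", HARDENED)
```

In the weak configuration every pair of events is fatal and three single events each remove two keys; in the hardened one no event removes more than one key and no pair of events drops the user below the threshold, which is exactly the property the mitigations above are trying to establish. The same model can be extended with an event such as `carried:together` on both the passkey and NFC keys to capture the theft vector, which the page notes is only weakly mitigated.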

