Obi Public Docs

Major 2 Key Loss Vectors and Mitigations

Most of these vectors assume that the user's passkey lives on a device with an older passkey implementation. Modern passkey implementations (such as on iCloud) are highly recoverable, so the device loss alone does not lose the passkey.

  • Passkey loss that also means irretrievable phone number loss (for example, losing an Android phone with a pre-passkey WebAuthn implementation, where that phone held the only SIM for a phone number that cannot otherwise be recovered)

    • Ultimately network recovery may still be possible. See SMS Providers.

  • Passkey loss where the mobile device is the only holder of the email/cloud credentials

    • Encourage users not to follow this unsafe practice.

  • Censorship from a single provider, such as Google for email and cloud (Google Drive)

    • Attempt to enforce different providers for Email Key and Cloud Key.

  • Theft of both single passkey device and NFC device

    • Encourage users not to carry both together. This is a weak mitigation and should be improved.

  • Forgetting the security answer, combined with another single key loss

    • Regularly prompt the user to confirm their security answer, or to sign with a phone number key, if they have not done so in some time.

  • Forgetting the map points, combined with another single key loss

    • Regularly prompt the user to confirm their map points, or to sign with the map points key, if they have not done so in some time.

  • Irretrievable phone number loss where both an SMS Key and a Telegram/WhatsApp Key are in use

    • Discourage the use of multiple phone number keys in setups with a low total key count.
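Every vector above is the same shape: one event (a lost device, a censoring provider, an unrecoverable phone number, a forgotten secret) removes two keys at once, and the setup fails when fewer than the signing threshold survive. The check below is an added example, not Obi's own code or data model; it tags each key with the single points of failure it depends on and reports which one event would drop a t-of-n setup below threshold. The key names, dependency tags (`device:phone`, `provider:google`, `pocket`, and so on) and the two sample setups are constructed for illustration.

```python
"""Correlated-loss check for a threshold (t-of-n) multikey setup.

Each key is tagged with the single points of failure it depends on: a
device, a phone number, a provider account, something carried together,
or something the user must remember. One event that removes a shared
dependency removes every key depending on it. The tags and setups below
are constructed for this example; they are not Obi's data model.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Key:
    name: str
    depends_on: FrozenSet[str]   # single points of failure for this key


def keys_lost_by(keys: List[Key], event: str) -> List[str]:
    """Names of keys that become unusable if dependency `event` is lost."""
    return sorted(k.name for k in keys if event in k.depends_on)


def shared_dependencies(keys: List[Key]) -> Dict[str, List[str]]:
    """Map each dependency shared by two or more keys to those keys' names."""
    by_dep: Dict[str, List[str]] = defaultdict(list)
    for k in keys:
        for dep in k.depends_on:
            by_dep[dep].append(k.name)
    return {dep: sorted(names) for dep, names in by_dep.items() if len(names) >= 2}


def still_recoverable(keys: List[Key], threshold: int, lost: FrozenSet[str]) -> bool:
    """True if at least `threshold` keys survive losing every dependency in `lost`."""
    surviving = [k for k in keys if not (k.depends_on & lost)]
    return len(surviving) >= threshold


def fatal_events(keys: List[Key], threshold: int) -> List[Tuple[str, List[str]]]:
    """Single events that by themselves leave fewer than `threshold` keys.

    Sorted with the events that remove the most keys first, then by name.
    """
    fatal = []
    for event, names in shared_dependencies(keys).items():
        if not still_recoverable(keys, threshold, frozenset({event})):
            fatal.append((event, names))
    fatal.sort(key=lambda e: (-len(e[1]), e[0]))
    return fatal


# Constructed 2-of-3 setup that combines two vectors from the list above:
# the phone is the only holder of the cloud credentials, and email and
# cloud sit with the same provider.
RISKY_SETUP = [
    Key("passkey", frozenset({"device:phone"})),
    Key("cloud", frozenset({"provider:google", "device:phone"})),
    Key("email", frozenset({"provider:google"})),
]

# Constructed 2-of-4 setup after applying the mitigations: cloud credentials
# are not phone-only, email and cloud use different providers, and the one
# remaining shared dependency (passkey phone and NFC card carried together)
# still leaves two keys, so it is reported as shared but not fatal.
HARDENED_SETUP = [
    Key("passkey", frozenset({"device:phone", "pocket"})),
    Key("nfc", frozenset({"device:nfc-card", "pocket"})),
    Key("cloud", frozenset({"provider:google"})),
    Key("email", frozenset({"provider:proton"})),
]


def report(label: str, keys: List[Key], threshold: int) -> None:
    """Print shared dependencies and the ones that are fatal for this threshold."""
    print(f"{label}: {threshold}-of-{len(keys)}")
    for dep, names in shared_dependencies(keys).items():
        print(f"  shared {dep}: {', '.join(names)}")
    for dep, names in fatal_events(keys, threshold):
        print(f"  FATAL  {dep}: losing {', '.join(names)} drops below threshold")


if __name__ == "__main__":
    report("risky", RISKY_SETUP, 2)
    report("hardened", HARDENED_SETUP, 2)
```

Run against a user's real key list, a check like this is the automated form of "attempt to enforce different providers" and "discourage multiple phone number keys in low key-count setups": any tag that appears on two keys in a setup where n - 2 is below the threshold is a mitigation the onboarding flow should push for.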


Last updated 1 year ago
