13.7. Design Doc 006: Anastasis User Experience

13.7.1. Summary

This document describes the recommended way of implementing the user experience of setting up and making use of Anastasis account recovery.

13.7.2. Motivation

Wallet state consisting of digital cash, transaction history etc. should not be lost. Taler provides a backup mechanism to prevent that. As an additional protection measure Anastasis can be used to provide access to the backup, even if all devices and offline secrets have been lost.

Access to the backup key is shared with escrow providers that can be chosen by the user.

13.7.3. Setup Steps

digraph G { rankdir=LR; nodesep=0.5; settings [ label = "Backup\nSettings"; shape = oval; ]; backup_is_setup [ label = "Backup\nsetup?"; shape = diamond; ]; provide_id [ label = "Provide\nIdentification"; shape = rectangle; ]; select_auth [ label = "Select\nAuthentication Methods"; shape = rectangle; ]; provide_auth [ label = "Provide\nAuthentication Data"; shape = rectangle; ]; select_providers [ label = "Select\nService Providers"; shape = rectangle; ]; review_policy [ label = "Review Recovery Policy"; shape = rectangle; ]; edit_policy [ label = "Edit Recovery Policy"; shape = rectangle; ]; pay [ label = "Confirm Payment"; shape = oval; ]; settings -> backup_is_setup; backup_is_setup -> provide_id [label="Yes: Setup Recovery"]; backup_is_setup -> settings [label="No"]; provide_id -> select_auth; select_auth -> provide_auth; provide_auth -> select_auth; select_auth -> select_providers; select_providers -> select_auth; select_providers -> review_policy; review_policy -> edit_policy; edit_policy -> review_policy; review_policy -> pay; }

Entry point: Settings

The app settings should have a section for Anastasis using a different more universally understood name like Wallet Recovery.

The section should have an option to setup Anastasis initially. This option should be disabled as long as no backup has been set up. The section could maybe be integrated into the backup settings.

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/menu.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/settings.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/backupsettings.png

Providing Identification

Instead of a forgettable freely chosen user name, Anastasis collects various static information from the user to generate a unique user identifier from that. Examples for such identifier would be a concatenation of the full name of the user and their social security or passport number(s).

The information that can reasonably used here various from cultural context and jurisdiction. Therefore, one idea is to start by asking for continent and then the country of primary legal residence, and then continue from there with country-specific attributes (and also offer a stateless person option).

Special care should be taken to avoid that information can later be provided ambiguously thus changing the user identifier and not being able to restore the user’s data. This can be typographic issues like someone providing “Seestr.” and later “Seestrasse” or “Seestraße” or “seestrasse”. But it can also be simple typos that we can only prevent in some instances like when checking checksums in passport numbers.

The user should be made aware that this data will not leave the app and that it is only used to compute a unique identifier that can not be forgotten.

If possible, we should guide the user in the country selection by accessing permission-less information such as the currently set language/locale and the country of the SIM card. But nothing invasive like the actual GPS location.


Add Authentication Methods

After creating a unique identifier, the user can chose one or more Authentication Methods supported by Anastasis.

When selecting a method, the user is already asked to provide the information required for the recovery with that method. For example, a photo of themselves, their phone number or mailing address.

The user interface validates that the inputs are well-formed, and refuses inputs that are clearly invalid. Where possible, it pre-fills the fields with sane values (phone number, e-mail addresses, country of residence).

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/truth.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addtruth.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addtruthmail.png

Confirm/Change Service Providers

From the dialog where the user is adding authentication methods, the user can optionally jump to a side-action with list of available providers (and their status) and possibly add additional providers that are not included in the default list provided by the wallet.

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/policy.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addpolicy.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addpolicymethod.png

Defining Recovery Options

After mapping authentication methods to providers, the user needs select which combinations are sufficient to recover the secret. Here, the system pre-computes a reasonably sane allocation, for small n the default could be n-1 out of n.

We should propose a mapping of authentication methods to providers by minimizing cost (tricky: sign-up vs. recovery costs, different currencies) and distributing the selected authentication methods across as many providers as possible.

The user should be able to change the proposed default selection and add more than one provider to each chosen method.

Using Anastatis providers usually is not free. From here on, the UI should show estimated recurring costs (yearly) and the cost of recovery. These costs should get updated with each user action affecting those costs such as when the user reconfigures the policies.

Pay for Setup

As the last step when all information has been properly provided, the user is asked to pay for the service with the regular wallet payment confirmation screen.

13.7.4. Show Service Status After Setup


13.7.5. Recovery Steps

digraph G { rankdir=LR; nodesep=0.5; settings [ label = "Restore from Backup"; shape = oval; ]; provide_id [ label = "Provide\nIdentification"; shape = rectangle; ]; select_challenge [ label = "Select\nAuthentication Challenge"; shape = rectangle; ]; satisfy_challenge [ label = "Enter\nChallenge Response"; shape = rectangle; ]; pay [ label = "Confirm Payment"; shape = oval; ]; finished [ label = "Success"; shape = rectangle; ]; settings -> provide_id; provide_id -> settings [label="Back"]; provide_id -> select_challenge; select_challenge -> provide_id [label="Back"]; select_challenge -> satisfy_challenge; select_challenge -> pay; satisfy_challenge -> pay; pay -> satisfy_challenge; satisfy_challenge -> select_challenge; pay -> finished; satisfy_challenge -> finished; }

Entry point: Settings

Like the backup, the recovery option should be available via the App settings.

The section should have an option to recover from backup. If a previous recovery was not completed, the interaction should resume from that previous checkpoint instead of from the beginning.

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/menu.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/settings.png https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/backupsettings.png

Providing Identification

The first dialog(s) during recovery should be identical to the first dialog during backup: the user is asked to select a continent, country of residence and then to provide country-specific inputs for identification.


Select Authentication Challenge

If Anastasis could recover the recovery document via any provider, it should show a dialog allowing the user to select one of the open challenges, and highlight which challenges still need to be satisfied for the various policies.

Additionally, the specific provider and recovery document version should be shown. The user should be able to change the provider or recovery document version, resulting in a switch of the recovery document and policies. If the user has already satisfied some challenges of the current recovery document, switching to a different recovery document should only be done after a confirmation pop-up dialog warning the user that the existing progress will be lost.

When selecting a challenge, the user may be asked to confirm making a payment for this challenge if the provider requires payment.


Typcially, this would be the canonical wallet payment confirmation dialog.

However, in the case of a security question, the payment confirmation should be combined with the dialog where the user enters the security answer (so instead of an Ok button, text showing the amount due and Pay should be used – except of course if the security question challenge is free of charge).

Enter Challenge Response

If the challenge was not a security question, the dialog to enter the security code (PIN/TAN) should open after payment. The security code field should have a prefix A-. However, the user should be able to enter both only the numeric code, or the full code with the A- prefix (or ideally, the user cannot delete the pre-filled A- text).


The user is informed about the successful recovery. We may want to do this as part of a separate screen, or simply with a notification bar in the main wallet screen.