This document describes the recommended way of implementing the user experience of setting up and making use of Anastasis account recovery.
Wallet state consisting of digital cash, transaction history etc. should not be lost. Taler provides a backup mechanism to prevent that. As an additional protection measure Anastasis can be used to provide access to the backup, even if all devices and offline secrets have been lost.
Access to the backup key is shared with escrow providers that can be chosen by the user.
The app settings should have a section for Anastasis, using a different, more universally understood name such as “Wallet Recovery”.
The section should have an option to set up Anastasis initially. This option should be disabled as long as no backup has been set up. The section could perhaps be integrated into the backup settings.
Instead of a forgettable, freely chosen user name, Anastasis collects various static pieces of information from the user and generates a unique user identifier from them. An example of such an identifier would be a concatenation of the user’s full name and their social security or passport number(s).
The information that can reasonably be used here varies with cultural context and jurisdiction. Therefore, one idea is to start by asking for the continent and then the country of primary legal residence, and then continue from there with country-specific attributes (and also offer a “stateless person” option).
Special care should be taken to avoid the information later being entered in a different form, which would change the user identifier and make the user’s data unrecoverable. This can be a typographic issue, such as someone providing “Seestr.” and later “Seestrasse”, “Seestraße” or “seestrasse”. But it can also be a simple typo, which we can only prevent in some instances, such as by verifying the checksum in a passport number.
The user should be made aware that this data will not leave the app and that it is only used to compute a unique identifier that cannot be forgotten.
If possible, we should guide the user in the country selection by accessing permission-less information such as the currently set language/locale and the country of the SIM card. But nothing invasive like the actual GPS location.
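The two failure modes above (spelling variants that silently change the identifier, and typos that only a checksum can catch) are easier to reason about with code in hand. The following is an added illustration, not Anastasis or Taler wallet code: the `canonicalize`, `icao_check_digit` and `derive_identifier` helpers are hypothetical, SHA-512 stands in for whatever key derivation Anastasis actually uses, and the passport number is a sample value. It shows which variants Unicode normalisation plus case folding collapses, which ones it cannot (abbreviations), and how the ICAO 9303 check digit (weights 7, 3, 1, sum modulo 10) rejects a mistyped passport number before it ever reaches the identifier.

```python
import hashlib
import re
import unicodedata

# Added example (hypothetical helpers, not Anastasis code). Anastasis derives the
# real identifier with its own scheme; SHA-512 is used here only to show why
# canonicalisation has to happen before any hashing takes place.

_WS = re.compile(r"\s+")


def canonicalize(value: str) -> str:
    """Normalise one attribute so that harmless spelling variants collapse.

    NFKC folds compatibility forms, casefold() removes case and maps 'ß' to
    'ss', and runs of whitespace become a single space. Abbreviations such as
    "Seestr." are NOT expanded: those need a controlled vocabulary or a UI
    that does not accept free-text street names at all.
    """
    value = unicodedata.normalize("NFKC", value)
    value = value.casefold().strip()
    return _WS.sub(" ", value)


# Character values of the ICAO 9303 machine-readable zone: digits are their
# value, letters A..Z are 10..35, and the filler '<' counts as 0.
_MRZ_VALUES = {
    **{str(d): d for d in range(10)},
    **{chr(ord("A") + i): 10 + i for i in range(26)},
    "<": 0,
}


def icao_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field.upper()):
        if ch not in _MRZ_VALUES:
            raise ValueError(f"character {ch!r} is not allowed in an MRZ field")
        total += _MRZ_VALUES[ch] * weights[i % 3]
    return total % 10


def passport_number_valid(number_with_check: str) -> bool:
    """Validate a document number whose last character is its check digit."""
    if len(number_with_check) < 2:
        return False
    body, check = number_with_check[:-1], number_with_check[-1]
    return check.isdigit() and icao_check_digit(body) == int(check)


def derive_identifier(attributes: dict) -> str:
    """Hash canonicalised attributes in a fixed key order.

    Sorting the keys and joining with a separator that cannot occur in the
    values means the same facts always yield the same identifier, regardless
    of the order in which the UI collected them.
    """
    parts = [f"{key}={canonicalize(attributes[key])}" for key in sorted(attributes)]
    return hashlib.sha512("\x1f".join(parts).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample attributes; "L898902C36" is a sample passport number
    # (body L898902C3, check digit 6).
    first = {"full_name": "Anna Maria Eriksson", "passport": "L898902C36"}
    retyped = {"full_name": "anna   maria ERIKSSON", "passport": "l898902c36"}
    print("passport valid:", passport_number_valid(first["passport"]))
    print("same identifier after retyping:",
          derive_identifier(first) == derive_identifier(retyped))
    print("'Seestr.' == 'Seestrasse'?",
          canonicalize("Seestr.") == canonicalize("Seestrasse"))
```

The practical consequence for the UI: attributes that survive `canonicalize` unchanged (names, numbers with check digits) are good identifier inputs, while free-text fields that admit abbreviations should either be avoided or entered through a picker so that every later entry is guaranteed to produce the same canonical form.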
After creating a unique identifier, the user can choose one or more authentication methods supported by Anastasis.
Ideally when selecting a method, the user is already asked to provide the information required for the recovery with that method. For example, a photo of themselves, their phone number or mailing address.
Using Anastasis providers usually isn’t free. From here on, the UI should show the estimated recurring (yearly) costs and the cost of recovery. Both costs should be updated with each user action that affects them, such as selecting more authentication methods.
Taler should propose a mapping of authentication methods to providers by minimizing cost (tricky: sign-up vs. recovery costs) and distributing the selected authentication methods across as many providers as possible.
The user should be able to change the proposed default selection and add more than one provider to each chosen method.
It should also be possible to add providers that are not included in the default list provided by the wallet.
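The proposal step in the three paragraphs above (minimise cost, spread methods across providers, let the user add providers and pick more than one per method) can be prototyped as a small greedy assignment. This is an added example, not wallet code: the provider catalogue is constructed with made-up `.example` hosts and cent amounts, and the `propose_mapping` and `estimate_costs` functions and their weighting parameters are hypothetical. The sign-up versus recovery trade-off mentioned in the text is exposed as a `recovery_weight` knob, and the spread goal as a per-provider load penalty.

```python
from collections import Counter

# Constructed sample catalogue (not real Anastasis providers). For each provider,
# the authentication methods it offers mapped to (yearly cost, recovery cost),
# both in cents so that totals stay exact integers.
PROVIDERS = {
    "provider-a.example": {"sms": (100, 50), "email": (50, 20), "video": (300, 500)},
    "provider-b.example": {"sms": (120, 40), "video": (250, 400)},
    "provider-c.example": {"email": (60, 10), "post": (200, 300)},
}


def propose_mapping(methods, providers=PROVIDERS, per_method=1,
                    recovery_weight=1.0, spread_penalty=100):
    """Greedily assign each chosen method to `per_method` providers.

    Score = yearly + recovery_weight * recovery + spread_penalty * (methods
    already placed at that provider). Cheap providers win, but every method
    already placed at a provider makes it less attractive for the next one,
    so the selection fans out across providers. Methods offered by few
    providers are placed first so they are not starved by earlier choices.
    """
    supporters = {
        m: sorted(p for p, offer in providers.items() if m in offer) for m in methods
    }
    missing = [m for m, s in supporters.items() if not s]
    if missing:
        raise ValueError(f"no provider offers: {missing}")

    load = Counter()   # provider -> number of methods already placed there
    mapping = {}
    for method in sorted(methods, key=lambda m: (len(supporters[m]), m)):
        def score(provider, method=method):
            yearly, recovery = providers[provider][method]
            # Tie-break on the provider name so the result is deterministic.
            return (yearly + recovery_weight * recovery
                    + spread_penalty * load[provider], provider)
        chosen = sorted(supporters[method], key=score)[:per_method]
        for provider in chosen:
            load[provider] += 1
        mapping[method] = chosen
    return mapping


def estimate_costs(mapping, providers=PROVIDERS):
    """Return (yearly, recovery) totals in cents for a proposed mapping."""
    yearly = recovery = 0
    for method, chosen in mapping.items():
        for provider in chosen:
            y, r = providers[provider][method]
            yearly += y
            recovery += r
    return yearly, recovery


if __name__ == "__main__":
    proposal = propose_mapping(["video", "sms", "email", "post"])
    for method, chosen in proposal.items():
        print(f"{method:6s} -> {', '.join(chosen)}")
    print("estimated yearly / recovery cost (cents):", estimate_costs(proposal))
```

A user-added provider (the last paragraph above) is just another entry merged into the catalogue, e.g. `propose_mapping(methods, providers={**PROVIDERS, "my-own.example": {...}})`, and the costs shown in the UI are recomputed from `estimate_costs` after every change to the mapping, which is what the "update with each user action" requirement amounts to.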
After mapping authentication methods to providers, the user needs to select which combinations are sufficient to recover the secret.
The default could be n-1 out of
However, Anastasis recovery policies support more complex recovery options (policies) such as
when video-identification, passphrase, SMS and postal mail were chosen as authentication methods.
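To make the policy step concrete, here is an added example (not Anastasis code; `default_policies`, `can_recover` and `minimal_challenges` are hypothetical names) that generates the n-1-out-of-n default for the four methods named above and evaluates a set of completed challenges against it. The custom policy list is a constructed illustration of the "more complex" case, not the example the document itself refers to.

```python
from itertools import combinations

# Added example: a recovery policy is modelled as a set of authentication
# methods that, once all satisfied, unlock the secret. The wallet keeps a list
# of such policies and recovery succeeds as soon as any one of them is met.


def default_policies(methods, threshold=None):
    """Every subset of size `threshold` (default n-1) of the chosen methods."""
    methods = sorted(set(methods))
    if threshold is None:
        threshold = max(1, len(methods) - 1)
    if not 1 <= threshold <= len(methods):
        raise ValueError("threshold must be between 1 and the number of methods")
    return [frozenset(c) for c in combinations(methods, threshold)]


def validate_policies(policies, methods):
    """Reject empty policies and policies naming a method the user never set up."""
    chosen = set(methods)
    for policy in policies:
        if not policy:
            raise ValueError("a policy must require at least one method")
        unknown = set(policy) - chosen
        if unknown:
            raise ValueError(f"policy references unchosen methods: {sorted(unknown)}")
    return True


def can_recover(policies, satisfied):
    """True if the satisfied challenges cover at least one complete policy."""
    satisfied = set(satisfied)
    return any(set(policy) <= satisfied for policy in policies)


def minimal_challenges(policies):
    """Fewest challenges a user may have to pass: the size of the smallest policy."""
    return min(len(policy) for policy in policies)


if __name__ == "__main__":
    methods = ["video", "passphrase", "sms", "post"]
    default = default_policies(methods)          # 4 policies of 3 methods each
    print("default n-1 of n:", [sorted(p) for p in default])
    print("video+sms+post suffices:", can_recover(default, {"video", "sms", "post"}))
    print("video+sms suffices:", can_recover(default, {"video", "sms"}))

    # Constructed custom policy list: a strong pair, or three weaker methods.
    custom = [frozenset({"video", "passphrase"}),
              frozenset({"sms", "post", "passphrase"})]
    validate_policies(custom, methods)
    print("custom, video+passphrase suffices:", can_recover(custom, {"video", "passphrase"}))
    print("fewest challenges under custom policies:", minimal_challenges(custom))
```

Showing `minimal_challenges` next to the policy editor gives the user a quick sanity check: a policy list whose smallest policy is a single method is only as strong as that one method.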
As the last step when all information has been properly provided, the user is asked to pay for the service with the regular wallet payment confirmation screen.