12.7. Design Doc 006: Anastasis User Experience

12.7.1. Summary

This document describes the recommended way of implementing the user experience of setting up and making use of Anastasis account recovery.

12.7.2. Motivation

Wallet state consisting of digital cash, transaction history etc. should not be lost. Taler provides a backup mechanism to prevent that. As an additional protection measure Anastasis can be used to provide access to the backup, even if all devices and offline secrets have been lost.

Access to the backup key is shared with escrow providers that can be chosen by the user.

12.7.3. Setup Steps

    digraph G {
        rankdir=LR;
        nodesep=0.5;
        settings [ label = "Backup\nSettings"; shape = oval; ];
        backup_is_setup [ label = "Backup\nsetup?"; shape = diamond; ];
        provide_id [ label = "Provide\nIdentification"; shape = rectangle; ];
        select_auth [ label = "Select\nAuthentication Methods\n\nProvide\nAuthentication Data"; shape = rectangle; ];
        select_providers [ label = "Select\nService Providers"; shape = rectangle; ];
        threshold [ label = "Define\nRecovery Threshold"; shape = rectangle; ];
        pay [ label = "Payment"; shape = oval; ];
        settings -> backup_is_setup;
        backup_is_setup -> provide_id [label="Yes: Setup Recovery"];
        backup_is_setup -> settings [label="No"];
        provide_id -> select_auth;
        select_auth -> select_providers;
        select_providers -> threshold;
        threshold -> pay;
    }

Entry point: Settings

The app settings should have a section for Anastasis under a different, more universally understood name such as Wallet Recovery.

The section should have an option to set up Anastasis initially. This option should be disabled as long as no backup has been set up. The section could also be integrated into the backup settings.

Wireframes:

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/menu.png
https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/settings.png
https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/backupsettings.png

Providing Identification

Instead of a forgettable, freely chosen user name, Anastasis collects various static pieces of information from the user and generates a unique user identifier from them. An example of such an identifier would be the concatenation of the user's full name and their social security or passport number(s).

The information that can reasonably be used here varies with cultural context and jurisdiction. Therefore, one idea is to start by asking for the continent and then the country of primary legal residence, and then continue from there with country-specific attributes (and also offer a stateless person option).

Special care should be taken to prevent the same information from later being entered in a different form, which would change the user identifier and make it impossible to restore the user's data. This can be a typographic issue, like someone providing "Seestr." at setup and later "Seestrasse", "Seestraße" or "seestrasse". But it can also be a simple typo, which we can only catch in some instances, for example by verifying the check digit of a passport number.

The user should be made aware that this data will not leave the app and that it is only used to compute a unique identifier that cannot be forgotten.

If possible, we should guide the user in the country selection by accessing permission-less information such as the currently set language/locale and the country of the SIM card. But nothing invasive like the actual GPS location.
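The two defences described above, normalizing attribute spellings before deriving the identifier and rejecting passport numbers with a wrong check digit, as an added illustration (not Anastasis code; the abbreviation rule and the SHA-256 derivation are constructed assumptions, only the ICAO 9303 check-digit rule is a real standard):

```python
import hashlib
import re
import unicodedata

# Constructed abbreviation rule for the illustration; a real deployment needs
# per-country rules. Normalization cannot resolve every variant: "Mueller" and
# "Müller" still yield different identifiers, so the UI must warn about that.
_ABBREVIATIONS = {r"str\.?(?!\w)": "strasse"}


def normalize_attribute(value: str) -> str:
    """Canonicalize one identity attribute so spelling variants collapse:
    NFKC, casefold (maps "ß" to "ss"), collapse whitespace, expand known
    abbreviations, then drop punctuation."""
    text = unicodedata.normalize("NFKC", value).casefold()
    text = re.sub(r"\s+", " ", text).strip()
    for pattern, replacement in _ABBREVIATIONS.items():
        text = re.sub(pattern, replacement, text)
    return re.sub(r"[^\w ]", "", text)


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating, A-Z = 10-35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field.upper()):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def passport_number_is_plausible(number_with_check: str) -> bool:
    """Catch typos in a passport number whose last character is its check digit."""
    body, check = number_with_check[:-1], number_with_check[-1:]
    return bool(body) and check.isdigit() and mrz_check_digit(body) == int(check)


def user_identifier(attributes: dict) -> str:
    """Hypothetical derivation (not the one Anastasis uses): SHA-256 over the
    sorted, normalized key=value pairs, so equivalent inputs agree."""
    canonical = "\n".join(
        f"{key}={normalize_attribute(val)}" for key, val in sorted(attributes.items())
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
```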

Wireframe:

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/userid.png

Select Authentication Methods

After creating a unique identifier, the user can choose one or more authentication methods supported by Anastasis.

Ideally, when selecting a method, the user is immediately asked to provide the information required for recovery with that method, for example a photo of themselves, their phone number or their mailing address.

Using Anastasis providers usually isn't free. From here on, the UI should show the estimated recurring (yearly) cost and the cost of a recovery. Both figures should be updated with each user action that affects them, such as selecting additional authentication methods.

Wireframes:

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/truth.png
https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addtruth.png
https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addtruthmail.png

Confirm/Change Service Providers

Taler should propose a mapping of authentication methods to providers by minimizing cost (tricky: sign-up vs. recovery costs) and distributing the selected authentication methods across as many providers as possible.

The user should be able to change the proposed default selection and add more than one provider to each chosen method.

It should also be possible to add providers that are not included in the default list provided by the wallet.

Wireframes:

https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/policy.png
https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addpolicy.png
https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addpolicymethod.png

Defining Recovery Options

After mapping authentication methods to providers, the user needs to select which combinations are sufficient to recover the secret. The default could be n-1 out of n.

However, Anastasis recovery policies support more complex recovery options (policies), such as

  • video-identification + passphrase
  • video-identification + SMS
  • SMS + postal mail + passphrase

when video-identification, passphrase, SMS and postal mail were chosen as authentication methods.
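The policy semantics above, both the n-1-of-n default and explicit policies like the three listed, as an added example (constructed for this document, not the wallet's or Anastasis' own code); a policy is modelled as the set of methods that together unlock the secret:

```python
from itertools import combinations


def parse_policy(text: str) -> frozenset:
    """Parse the notation used above, e.g. "SMS + postal mail + passphrase"."""
    return frozenset(part.strip() for part in text.split("+") if part.strip())


def default_policies(methods, threshold=None):
    """Default: any n-1 of the n chosen methods suffice. An explicit threshold
    (e.g. 2) instead yields every 2-of-n combination."""
    methods = sorted(set(methods))
    if threshold is None:
        threshold = max(1, len(methods) - 1)
    if not 1 <= threshold <= len(methods):
        raise ValueError("threshold must be between 1 and the number of methods")
    return [frozenset(combo) for combo in combinations(methods, threshold)]


def can_recover(policies, completed) -> bool:
    """True once the methods passed so far cover at least one whole policy."""
    completed = frozenset(completed)
    return any(policy <= completed for policy in policies)


def fewest_methods_remaining(policies, completed) -> frozenset:
    """Methods the user still has to pass for the policy closest to completion;
    an empty set means the secret is already recoverable."""
    completed = frozenset(completed)
    return min((policy - completed for policy in policies), key=len)


# Constructed sample matching the four methods named on this page.
CHOSEN = ["video-identification", "passphrase", "SMS", "postal mail"]
CUSTOM_POLICIES = [parse_policy(p) for p in (
    "video-identification + passphrase",
    "video-identification + SMS",
    "SMS + postal mail + passphrase",
)]
```

With CUSTOM_POLICIES, passing only SMS and passphrase is not enough, whereas the default 3-of-4 rule would accept SMS, passphrase and postal mail.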

Pay for Setup

As the last step when all information has been properly provided, the user is asked to pay for the service with the regular wallet payment confirmation screen.

12.7.4. Show Service Status After Setup

TODO

12.7.5. Recovery Steps

TODO