Major Improvement to ChainSafe Files!

Introducing account recovery and multi-factor auth

Cindy Chau
ChainSafe
5 min readApr 27, 2021

--

Today, we are excited to announce an improvement on how you sign in to Files.

This new authentication system makes it easier to sign in on multiple devices and allows for account recovery. In the past, Files required an encryption password after signing in from a crypto wallet, GitHub, Google, or Facebook. Losing this password meant losing access to your account without recourse for recovery.

We’re pleased to inform all users that Files has implemented multi-factor authentication.

About multi-factor authentication

Multi-factor authentication may sound like a mouthful, but it’s a familiar flow. You’re likely accustomed to signing into an app with an email, then confirming your identity with a code texted to your phone. ChainSafe Files now asks for two factors confirming your identity each time you sign in. The difference is, we provide a wider set of authentication factors so you aren’t obliged to associate your phone number or email with our service.

If you’re wondering whether we’re still non-custodial, the answer is yes. In fact, we might be more non-custodial than ever because you hold the keys to recover your account, not us. It only takes a few steps to set it up.

If you currently use Files, you don’t have to do anything new. Signing in with your current password is perfectly fine. Except now you might breathe easier knowing that you can reset that password. We still encourage existing users to add at least one more auth factor to improve account security and further reduce their chance of being locked out of their account.

Your primary auth factor is the provider you’ve signed up with (crypto wallet, Google, GitHub or Facebook). After that, you may choose to confirm your identity by continuing to use your password, entering a backup phrase, or signing in from a saved browser.

Why it’s important

There were two main reasons why we chose to offer this; on the one hand, it makes it tougher for your account to be compromised. Adversaries would need more than one authentication factor to access your account. On the other hand, it allows you to restore your account in case you forget one of your auth factors. Let’s say that you usually log in with your GitHub account and a password. If you forget your password, but you’ve saved a backup phrase, you can enter the backup phrase to enter your account and reset your password.

The team at Files believes that privacy comes with responsibility — but as human beings, mistakes are common. The problem we set out to solve was this: we didn’t want to collect emails and phone numbers, but we also wanted there to be ways for everyone to restore access to their account. The solution? Apply cryptography to split each user’s private key into chunks, each chunk residing in each auth factor that’s set up. Not too far off from The Secret of the Unicorn!

How it works

Before continuing, a major shout out to the Torus team! Their line of key management systems is phenomenal. Their support in helping us connect it to our existing architecture has been complete and enthusiastic. Thank you, thank you, thank you!

Files integrates Torus’ tKey for non-custodial threshold key management. tKey uses Shamir Secret Sharing to divide a secret into parts called shares. Each time a user sets up an additional auth factor, that method will contain a share. Torus has a great explainer article if you’d like dig deeper into distributed key management.

Since two shares is the minimum required to reconstruct the original secret, Files requires two auth factors to confirm your identity.

Let’s say you’re logging in on your phone on three different browsers, and you choose to save them all to sign in with one click in the future. Each individual browser you save splits the key (the secret) into smaller chunks, so that each browser contains a share. The more shares you create, the more options you’ll have for signing in or recovering your account.

Splitting the secret means we can create shares anywhere along the polynomial

What this means for you

With independence comes responsibility. Since we aren’t storing sign-in details for you, it is still possible for you to get locked out of your account. Let’s say you haven’t saved your backup phrase somewhere, you’ve lost your password and you can’t sign in from any of the browsers you’ve saved.

If all of those are true, you won’t be able to access your account. Files will auto-save the browser you’ve originally signed up with to mitigate the risk of being totally locked out forever — but it’s best to cover your own bases.

With that said, we hope that you take an extra minute to set up multiple auth factors on Files. We’re committed to continuing to enhance the experience of storing files on the decentralized web, thank you so much for your support and feedback!

Get Involved

Want to work with ChainSafe? COME JOIN US!!! Check out the new Careers section of our website and our open positions, and get in touch with us at careers@chainsafe.io if you are interested!

If you would like to get in contact with one of the Files team members, feel free to drop by on Chainsafe’s Discord, or email info@chainsafe.io. We would love to know what you think!

For more details on Files, head to the Files website!

Learn more about ChainSafe by visiting our website, through our Medium, via Twitter, or by visiting the ChainSafe GitHub.

--

--