The gap
Easy setup owners have no seed phrase and no password reset. Forgetting the password today costs the waiting period, never the money (heir claim works without it, and the owner holds the heir file + code for after the timelock). That fallback is honest and now documented in the FAQ and terms (#270). This issue is about whether we can do better than "wait out the timelock."
The idea
At setup, show the owner a second unlock: five simple words, like the heir file already gets. That code opens their recovery file (or a second sealed copy of the owner key) if the password is ever forgotten.
Why this must NOT be built the naive way
The heir file's "keep the code beside the file" advice is safe only because the heir key is timelocked. The file is powerless while the owner is alive and checking in. An owner code has no such shield: the owner branch spends immediately. A paper with owner code + file is a bearer instrument for the whole vault, findable by a burglar or a relative. That converts a secret in the head into a secret in a drawer, which is a downgrade.
Sketch of a safe shape
Gate it with the machinery claims already use:
- The backup sealed blob (owner xprv under a KDF of the five word code) lives server side, never inside the downloadable file.
- Requesting it needs the verified owner email and starts a challenge window (48h, same as claims): the owner is emailed, one tap cancels.
- Only after the window passes does the server release the ciphertext. Decryption still happens in the browser with the code; the server never can.
Then a found piece of paper alone is not enough: the attacker also needs the owner's inbox and two silent days. Still non custodial. Costs: new endpoint + column, another email template, careful copy.
Open questions
- Is the added recovery worth the added surface at all, given the timelock fallback exists?
- Should the code be optional (off by default) or offered to everyone at setup?
- Interaction with the emergency freeze: a freeze should probably also block backup release.
Not scheduled. Filed so the security reasoning is not lost.
🤖 Generated with Claude Code
The gap
Easy setup owners have no seed phrase and no password reset. Forgetting the password today costs the waiting period, never the money (heir claim works without it, and the owner holds the heir file + code for after the timelock). That fallback is honest and now documented in the FAQ and terms (#270). This issue is about whether we can do better than "wait out the timelock."
The idea
At setup, show the owner a second unlock: five simple words, like the heir file already gets. That code opens their recovery file (or a second sealed copy of the owner key) if the password is ever forgotten.
Why this must NOT be built the naive way
The heir file's "keep the code beside the file" advice is safe only because the heir key is timelocked. The file is powerless while the owner is alive and checking in. An owner code has no such shield: the owner branch spends immediately. A paper with owner code + file is a bearer instrument for the whole vault, findable by a burglar or a relative. That converts a secret in the head into a secret in a drawer, which is a downgrade.
Sketch of a safe shape
Gate it with the machinery claims already use:
Then a found piece of paper alone is not enough: the attacker also needs the owner's inbox and two silent days. Still non custodial. Costs: new endpoint + column, another email template, careful copy.
Open questions
Not scheduled. Filed so the security reasoning is not lost.
🤖 Generated with Claude Code