1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
|
Design Doc 006: Anastasis User Experience
#########################################
Summary
=======
This document describes the recommended way of implementing the user experience
of setting up and making use of :doc:`../anastasis` account recovery.
Motivation
==========
Wallet state consisting of digital cash, transaction history etc. should not be lost.
Taler provides a backup mechanism to prevent that.
As an additional protection measure Anastasis can be used to provide access to the backup,
even if all devices and offline secrets have been lost.
Access to the backup key is shared with escrow providers that can be chosen by the user.
Setup Steps
===========
.. graphviz::
digraph G {
rankdir=LR;
nodesep=0.5;
settings [
label = "Backup\nSettings";
shape = oval;
];
backup_is_setup [
label = "Backup\nsetup?";
shape = diamond;
];
provide_id [
label = "Provide\nIdentification";
shape = rectangle;
];
select_auth [
label = "Select\nAuthentication Methods";
shape = rectangle;
];
provide_auth [
label = "Provide\nAuthentication Data";
shape = rectangle;
];
select_providers [
label = "Select\nService Providers";
shape = rectangle;
];
review_policy [
label = "Review Recovery Policy";
shape = rectangle;
];
edit_policy [
label = "Edit Recovery Policy";
shape = rectangle;
];
pay [
label = "Confirm Payment";
shape = oval;
];
settings -> backup_is_setup;
backup_is_setup -> provide_id [label="Yes: Setup Recovery"];
backup_is_setup -> settings [label="No"];
provide_id -> select_auth;
select_auth -> provide_auth;
provide_auth -> select_auth;
select_auth -> select_providers;
select_providers -> select_auth;
select_providers -> review_policy;
review_policy -> edit_policy;
edit_policy -> review_policy;
review_policy -> pay;
}
Entry point: Settings
---------------------
The app settings should have a section for Anastasis using a different more
universally understood name like Wallet Recovery.
The section should have an option to setup Anastasis initially. This option
should be disabled as long as no backup has been set up. The section could
maybe be integrated into the backup settings.
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/menu.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/settings.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/backupsettings.png
:width: 800
Providing Identification
------------------------
Instead of a forgettable freely chosen user name, Anastasis collects various
static information from the user to generate a unique user identifier from
that. Examples for such identifier would be a concatenation of the full name
of the user and their social security or passport number(s).
The information that can reasonably used here various from cultural context
and jurisdiction. Therefore, one idea is to start by asking for continent and
then the country of primary legal residence, and then continue from there with
country-specific attributes (and also offer a stateless person option).
Special care should be taken to avoid that information can later be provided
ambiguously thus changing the user identifier and not being able to restore
the user's data. This can be typographic issues like someone providing
"Seestr." and later "Seestrasse" or "Seestraße" or "seestrasse". But it can
also be simple typos that we can only prevent in some instances like when
checking checksums in passport numbers.
The user should be made aware that this data will not leave the app and that
it is only used to compute a unique identifier that can not be forgotten.
If possible, we should guide the user in the country selection by accessing
permission-less information such as the currently set language/locale and the
country of the SIM card. But nothing invasive like the actual GPS location.
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/userid.png
:width: 800
Add Authentication Methods
--------------------------
After creating a unique identifier, the user can chose one or more
:ref:`anastasis-auth-methods` supported by Anastasis.
When selecting a method, the user is already asked to provide the information
required for the recovery with that method. For example, a photo of
themselves, their phone number or mailing address.
The user interface validates that the inputs are well-formed, and refuses
inputs that are clearly invalid. Where possible, it pre-fills the fields with
sane values (phone number, e-mail addresses, country of residence).
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/truth.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addtruth.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addtruthmail.png
:width: 800
Confirm/Change Service Providers
--------------------------------
From the dialog where the user is adding authentication methods, the user can
optionally jump to a side-action with list of available providers (and their
status) and possibly add additional providers that are not included in the
default list provided by the wallet.
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/policy.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addpolicy.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/addpolicymethod.png
:width: 800
Defining Recovery Options
-------------------------
After mapping authentication methods to providers, the user needs select which
combinations are sufficient to recover the secret. Here, the system
pre-computes a reasonably sane allocation, for small ``n`` the default could
be ``n-1`` out of ``n``.
We should propose a mapping of authentication methods to providers by
minimizing cost (tricky: sign-up vs. recovery costs, different currencies) and
distributing the selected authentication methods across as many providers as
possible.
The user should be able to change the proposed default selection
and add more than one provider to each chosen method.
Using Anastatis providers usually is not free. From here on, the UI should
show estimated recurring costs (yearly) and the cost of recovery. These costs
should get updated with each user action affecting those costs such as
when the user reconfigures the policies.
Pay for Setup
-------------
As the last step when all information has been properly provided, the user is
asked to pay for the service with the regular wallet payment confirmation
screen.
Show Service Status After Setup
===============================
TODO
Recovery Steps
==============
.. graphviz::
digraph G {
rankdir=LR;
nodesep=0.5;
settings [
label = "Restore from Backup";
shape = oval;
];
provide_id [
label = "Provide\nIdentification";
shape = rectangle;
];
select_challenge [
label = "Select\nAuthentication Challenge";
shape = rectangle;
];
satisfy_challenge [
label = "Enter\nChallenge Response";
shape = rectangle;
];
pay [
label = "Confirm Payment";
shape = oval;
];
finished [
label = "Success";
shape = rectangle;
];
settings -> provide_id;
provide_id -> settings [label="Back"];
provide_id -> select_challenge;
select_challenge -> provide_id [label="Back"];
select_challenge -> satisfy_challenge;
select_challenge -> pay;
satisfy_challenge -> pay;
pay -> satisfy_challenge;
satisfy_challenge -> select_challenge;
pay -> finished;
satisfy_challenge -> finished;
}
Entry point: Settings
---------------------
Like the backup, the recovery option should be available via
the App settings.
The section should have an option to recover from backup. If a previous
recovery was not completed, the interaction should resume from that previous
checkpoint instead of from the beginning.
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/menu.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/settings.png
:width: 800
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/backupsettings.png
:width: 800
Providing Identification
------------------------
The first dialog(s) during recovery should be identical to the first dialog
during backup: the user is asked to select a continent, country of residence
and then to provide country-specific inputs for identification.
.. image:: https://git.taler.net/anastasis.git/plain/doc/wireframe/png-export/userid.png
:width: 800
Select Authentication Challenge
-------------------------------
If Anastasis could recover the recovery document via any provider, it should
show a dialog allowing the user to select one of the open challenges, and
highlight which challenges still need to be satisfied for the various policies.
Additionally, the specific provider and recovery document version should be shown.
The user should be able to change the provider or recovery document version,
resulting in a switch of the recovery document and policies. If the user has
already satisfied some challenges of the current recovery document, switching to a
different recovery document should only be done after a confirmation pop-up dialog
warning the user that the existing progress will be lost.
When selecting a challenge, the user may be asked to confirm making a payment
for this challenge if the provider requires payment.
Payment
-------
Typcially, this would be the canonical wallet payment confirmation dialog.
However, in the case of a security question, the payment confirmation should
be combined with the dialog where the user enters the security answer (so
instead of an ``Ok`` button, text showing the amount due and ``Pay`` should be
used -- except of course if the security question challenge is free of
charge).
Enter Challenge Response
------------------------
If the challenge was not a security question, the dialog to enter the security
code (PIN/TAN) should open after payment. The security code field should have
a prefix ``A-``. However, the user should be able to enter both only the
numeric code, or the full code with the ``A-`` prefix (or ideally, the user
cannot delete the pre-filled ``A-`` text).
Success
-------
The user is informed about the successful recovery. We may want to do this
as part of a separate screen, or simply with a notification bar in the
main wallet screen.
|
