Cover photo

Farcaster account recovery

What it is, how it works and some thoughts (as usual).

TLDR; If you lost your secret Farcaster phrase, you are in luck! Farcaster (the protocol) has an account recovery feature built-in. This is how Warpcast (the most popular client) has implemented it. But there's a lot more to it.

How it works

Varun has created video that explains everything in a very simple way:

  • Every Farcaster account is owned by an Ethereum address (often called "wallet").

  • Every Farcaster account can also set a recovery address. The only thing the recovery address can do is to move your Farcaster account to a new address.

Now, moving your account to a new address is quite a power to give to someone. The owner of the recovery address can save you if you lost your "secret phrase" (think of it as your password), by moving your account to a new address you control. But if they go rogue, or get hacked, they can also steal your Farcaster account!

Failsafe, no failsafe

If you watched the above video, you may have noticed that there was a fail-safe: Between the initiation of the account transfer and the actual transfer there was a 5-day delay during which you could cancel it and even change/revoke the recovery address.

I'm writing in the past tense because this fail-safe was removed by FIP-5: Instant Recovery: The recovery address can now instantly move your account to a new address and there's nothing you can do about.

While this may seem a bad thing, it's not that bad, and there's good reasoning behind it:

  1. 99% of the users, especially new users that will join once signups are open for everyone, are used to Web2 platforms: I lost my password, I use my email to recover it.

  2. When a new user signs up, Warpcast (that most of them will use to signup), sets the recovery address to one Warpcast controls. This way they can hide the complexity from users, and provide them with what most users expect: Being able to instantly help them recover their account.

https://warpcast.com/dwr.eth/0x7137eced

Where did decentralization go?

If you are here because of the Web3 ethos, decentralization and sovereignty, you're probably disappointed. What I just described is a way for a centralized entity (Warpcast) to take away your decentralized Farcaster identity. If that's the case, what's the point of all the decentralization, web3 and the costs that come with them?

There are a couple of good answers.

First of all, you can set your own recovery address: You can use another address you control, a good friend's address you trust, or your lawyer's Ethereum address (yes, there are some that know what this is).

You could also set it to an M-of-N multisig wallet, controlled by N people you trust.

I can also imagine more exotic implementations of a recovery address.

For example, all Farcaster accounts a company uses can have a recovery address controlled by their IT, which has a dual purpose. 1) Being able to support users who lost their secret phrase and 2) being able to take away a corporate account.

Or a smart contract that implements the time-delay feature removed by FIP-5.

Or even create a valet service that users pay annually and in order to recover their account, users have to do a video call, prove their identity, and then the service helps them recover their account.

Takeaways

  1. If you sign up to Farcaster using Warpcast, Warpcast can recover your account if you loose your keys, but they can also take away your account, or compelled to do so. Keep this in mind if you think that someone may want to censor you in the future.

  2. If you are an experienced Web3 user, you may want to consider some of the options mentioned above, like setting the recovery address to one controled by your hardware wallet, or a multisig.

  3. There is a wide range of services to be built that help users recover their Farcaster accounts. You may want to build one of them.


Loading...
highlight
Collect this post to permanently own it.
Purple Submarine logo
Subscribe to Purple Submarine and never miss a post.