


时间是安全的重要组成部分。在多数情况下,只有私钥被使用过才知道私钥是否被偷。当人们日常使用的应用程序需要把私钥保存在联网的电脑上时,基于时间的安全就更为重要。 EOS.IO 软件可以让应用开发者指明哪些消息必须在消息应用之前等待一个最小的时间周期。在此期间,消息可以取消。

EOS.IO 软件为用户提供了一种当发生密钥被偷之后恢复账户控制权的方法。账户所有者可以在指定的账户恢复好友的批准下使用任意一个最近30天有效的来重置账户的owner私钥。 账户恢复好友不能在没有账户所有者的帮助下重置账户的控制权。







Messages with Mandatory Delay

Time is a critical component of security. In most cases, it is not possible to know if a private key has been stolen until it has been used. Time based security is even more critical when people have applications that require keys be kept on computers connected to the internet for daily use. The EOS.IO software enables application developers to indicate that certain messages must wait a minimum period of time after being included in a block before they can be applied. During this time they can be cancelled.

Users can then receive notice via email or text message when one of these messages is broadcast. If they did not authorize it, then they can use the account recovery process to recover their account and retract the message.

The required delay depends upon how sensitive an operation is. Paying for a coffee can have no delay and be irreversible in seconds, while buying a house may require a 72 hour clearing period. Transferring an entire account to new control may take up to 30 days. The exact delays chosen are up to application developers and users.

Recovery from Stolen Keys

The EOS.IO software provides users a way to restore control of their account when their keys are stolen. An account owner can use any owner key that was active in the last 30 days along with approval from their designated account recovery partner to reset the owner key on their account. The account recovery partner cannot reset control of the account without the help of the owner.

There is nothing for the hacker to gain by attempting to go through the recovery process because they already "control" the account. Furthermore, if they did go through the process, the recovery partner would likely demand identification and multi-factor authentication (phone and email). This would likely compromise the hacker or gain the hacker nothing in the process.

This process is also very different from a simple multi-signature arrangement. With a multi-signature transaction, there is another company that is party to every transaction that is executed, but with the recovery process the agent is only a party to the recovery process and has no power over the day-to-day transactions. This dramatically reduces costs and legal liabilities for everyone involved.

