Building Casa recovery service without invasive KYC
At Casa, protecting customer privacy and sensitive data is a top priority.
What is the best way to protect sensitive customer data?
Don’t collect and store sensitive data in the first place!
We minimize data collection because it's the right way to protect customers, but doing so means that we have to carefully redesign many experiences that would typically make use of commonly collected KYC data.
In this post we share details of how we operate our Key Recovery Service without the need for invasive KYC.
Why KYC is dangerous
Using driver's license or passport to verify an identity during recovery is easier and can be lucrative for a company, but storing this data can be extremely dangerous for customers.
Multisig services do NOT need driver's license or invasive KYC to operate. Any company requiring driver's license, passport, address or other detailed KYC information is using it for a hidden purpose, possibly because data collection is a part of their business model.
Storing any kind of KYC documentation on customers should only be done out of absolute necessity. One knock on the door from a regulator and most of this data will need to be turned over. Storing full KYC documents connected to user accounts when you also have their detailed pubkey information (used in a multisig service) is even worse, because that connects detailed identity information with bitcoin balances. Talk about a honey pot.
Casa is a software company focused only on end-user security software, which enables us to minimize data collection. We are not a financial institution and will never provide regulated financial products. We chose this path because it is best for client security and privacy.
Our focus on customer privacy means that any support and recovery processes must utilize alternative means of verifying identity and safety before action by our team.
Basic Multisig 2-of-3 recovery
For Silver and Gold members using Basic Multisig 2-of-3, we built a highly-scalable and mostly automated recovery process consisting of two parts:
- Security questions, geared toward information that isn’t available publicly.
- Time-delayed recovery signing to deter attackers.
Properly written security questions are one of the best ways to authenticate someone without gathering personally identifying information.
The potential pitfall here is writing questions with publicly available answers, such as “What city were you born in?” or “What’s your mother’s maiden name?” A persistent attacker could find those answers relatively easily. No bueno.
We wrote our questions to point users toward something that is memorable to them personally, but not generally available publicly. Two examples are, “What is the name of the first person you kissed?” and “What was the brand of the first alcoholic beverage you tried?” While we can’t be 100% sure that these answers aren’t publicly available for some people, we can educate users not to pick questions that may compromise them. Example: if you raved about your magical first kiss on Facebook for weeks after it happened, maybe don’t pick that question.
There is still a small possibility that someone could guess your security answers. To mitigate the risk, we’ve implemented a 7-day time delay on Silver & Gold recovery signatures after the security questions are answered.
Each day during the time delay, we send users a reminder email with a countdown. In case the user’s Casa account was compromised, these emails will alert them to a false recovery attempt. If the user’s email was also compromised, it’s highly unlikely that they will not notice that for 7 full days. We believe this is plenty of time for a user to notice and cancel a fraudulent recovery.
When combined, these authentication methods provide a compelling solution to the problem of authenticating a recovery without needing extensive KYC data.
3-of-5 Key Shield recovery
For Platinum and Diamond members using our most secure 3-of-5 Key Shield multisig (managing over $100,000 USD worth of BTC), we've always executed the recovery process with a more personal touch.
Instead of questions and an automated 7-day time delay, our Client Services team does a direct video verification with the client to ensure his or her safety and the authenticity of the recovery request.
This is followed by a signing delay of 24 hours or more, with continued direct communication between the client and their client advisor leading up to the final signature.
How we secure your data
We employ a combination of strong encryption and least privileges access to secure the limited data we keep to execute recoveries for users.
Least privileges access
Only those who need to know the information to help our users can ever access that data, and even then only under a specific set of circumstances.
All attempts to access this information are strictly logged and reviewed by our team on a regular basis to catch any suspicious internal activity around sensitive user data.
All user data is encrypted in transit via HTTPS. Information stored in our database is encrypted at rest, and we take extra encryption precautions around sensitive recovery data.
Sovereign customers first
At Casa we protect the personal privacy of our users and limit data collection because that's the best way to maximize their sovereignty and safety.
We’ve outlined our processes in detail not only to give our customers peace of mind, but also to provide a model for the community to discuss. We appreciate any feedback on ways we can improve our recovery model, and we encourage others that provide similar recovery key services to avoid dangerous KYC practices.
Learn more and join today
If protecting your privacy while securing your bitcoin sounds appealing to you, we’d love to have you as a Casa member.
Email firstname.lastname@example.org with any questions or to schedule a time to speak with a Casa client advisor about your multisig security needs.
You can also learn more about and sign-up for a Casa membership now.