
We send a password and ask the user to change it. It is not super secure if the person doesn’t change it or the user's email is compromised, but the alternative is much worse: people tend to lose keys or don’t back them up properly.

Employees from the email provider and employees of any third-party tools that have access to the emails would also be able to access the private keys then. It is known that they collect data using AI to make personalized profiles of who buys what, etc. And that they've given access to third-party tools. Unfortunately.

How about adding a step that verifies the person has made a copy of their credentials? Register and show private keys, then hide private keys and ask the user to input them - only then is the registration finalized.

The "Onboard a friend" signup option works in a similar way: in that signup option, the person has to download their keys before generating the link for the account creation process. So word of mouth and friend onboarding is more secure and trustless, with a moderately complex flow. So there are easy, moderate and hard account creation flows on Ecency.

Oh, great to hear that you have that process as well.

For the easier process where the plain text private keys are sent via email, would it make sense to somehow make it clear to the person, via email reminders and reminders on the app, that they haven't changed their private keys, so the email provider and any third parties they work with have access to their account and all funds on it?

That’s a good point; that’s why users are recommended to change their password/keys right away. But for those who are new and don’t know anything about multiple keys and the complications Hive brings, why make things too hard from the start? We tried to find a balance; as people get more familiar with our values and the importance of keys, personal responsibilities, they will be more likely to take actions to protect themselves and their wealth.