The Recovery System
Steem has an interesting account recovery system for when your account gets stolen. It is designed so that the recovery account cannot hijack any account, making it entirely safe to use. Signing up through the official website automatically takes care of the recovery account, allowing regular users to recover their account easily.
Important: The recovery system can only recover hacked accounts. In the event you lose your passwords, your account is still lost forever. You must know your old password in order for this to work!
What is Steem-JS?
Steem-JS is the official JavaScript library for interacting with the STEEM blockchain. Out of the box it offers a powerful set of APIs to do anything you can imagine, capable of working on node or in the browser. It also powers the front end (steemit/condenser).
Let's get started
This tutorial specifically targets developers or anyone interested in learning about the Steem recovery process on the blockchain. It is assumed you know how to use the Steem-JS library if you want to follow along and try it on your own account.
Disclaimer: This will not work unless you have control of the recovery account, and I am not responsible for any lost accounts resulting from misuse of the API. This was tested on the blockchain successfully. If you do want to try this, ensure all keys (old and new) are properly backed up and you know which keys have authority over your account. Of course it's safer to use a testnet for experimenting ;)
Earlier it was mentioned that signing up the official way uses the steem recovery account. Things change when you create the account directly on the blockchain with your own account. In this case the recovery account is configured to use the creator's Steem account in the process of recovery.
This can be verified on Steemd, using my account as an example:
In this case your only way of recovery is to recover your account through the official interface. Below is an example of the @steemdunk account I created.
It is clearly visible which account was signed up through the official interface and which account was created by me by simply looking at the recovery account field.
What if I want to use steem as my recovery account?
Changing your recovery account is a very easy thing to do. Fill in the proper arguments and invoke it. Make sure to use your private active WIF key. Of course that isn't the purpose of this tutorial.
    // Assumes steem-js is loaded as `steem` and the arguments are filled in.
    steem.broadcast.changeRecoveryAccount(wif, accountToRecover, newRecoveryAccount, extensions, function(err, result) {
        console.log(err, result);
    });
The recovery account starts the process
On the blockchain, the recovery account must initiate the recovery process. From the user's point of view there is a step before that: the user needs to have new owner keys ready to go and give the new public key to the recovery account so it can start the process.
    const steem = require('steem');

    // Run by the recovery account, which only ever receives the new public key.
    const wif = ''; // Private active key of the *recovery* account
    const newOwnerPubKey = ''; // Put your new key here!
    const recoveryAcc = ''; // Recovery account
    const recover = ''; // Account to be recovered
    const newOwnerAuthority = {
        weight_threshold: 1,
        account_auths: [],
        key_auths: [
            [newOwnerPubKey, 1]
        ]
    };
    const extensions = [];
    steem.broadcast.requestAccountRecovery(wif, recoveryAcc, recover, newOwnerAuthority, extensions, (err, res) => console.log(err, '\n', res));
That's basically all it takes to start the recovery process. Note that the account to recover must be the one who generates the new keys. This is what prevents the recovery account from hijacking your account. You'll see why a little later on.
The user can now recover their account
The user needs to have their old owner private key and their new owner private key ready to go (needed for signing the transaction).
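    const steem = require('steem');

    // Run by the user, as a separate script from the request above.
    const account_to_recover = ''; // Account to be recovered
    const newOwnerPubKey = ''; // Same public key that was given to the recovery account
    const newOwnerPrivKey = ''; // Private key matching newOwnerPubKey
    const oldOwnerPrivKey = ''; // Old owner private key
    const oldOwnerPubKey = ''; // Public key matching oldOwnerPrivKey
    steem.broadcast.send({
        extensions: [],
        operations: [[
            'recover_account',
            {
                account_to_recover,
                new_owner_authority: {weight_threshold: 1, account_auths: [], key_auths: [[newOwnerPubKey, 1]]},
                recent_owner_authority: {weight_threshold: 1, account_auths: [], key_auths: [[oldOwnerPubKey, 1]]}
            }
        ]]
    }, [oldOwnerPrivKey, newOwnerPrivKey], (err, res) => {
        // Signed with both the old and the new owner key
        console.log(err, '\n', res);
    });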
If there are account auths in the account to be recovered, they need to be added to the account_auths array in the recent_owner_authority property as appropriate. The transaction gets signed with the new key and the old key to prove ownership of both keys. This is the safety mechanism that prevents the recovery account from hijacking the user account.
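The two-step check described above, modeled as an added example (not code from the original post and not steemd's implementation). It assumes Ed25519 keys from Node's crypto module in place of Steem's secp256k1 keys; the chain object, the account name alice, the function names and the signed payload format are hypothetical.

```javascript
// Simplified model of the checks described above; this is not steemd's code.
// Assumption: Ed25519 from Node's crypto stands in for Steem's secp256k1 keys.
const crypto = require('crypto');

const newKeyPair = () => crypto.generateKeyPairSync('ed25519');
const keyId = (pub) => pub.export({ type: 'spki', format: 'der' }).toString('hex');
const payload = (account, newPub) => Buffer.from(`recover_account:${account}:${keyId(newPub)}`);
const signOp = (account, newPub, priv) => crypto.sign(null, payload(account, newPub), priv);

// Step 1: only the configured recovery account can file a request, and it is
// handed nothing but the user's new *public* owner key.
function requestAccountRecovery(chain, sender, newPub) {
  if (sender !== chain.recoveryAccount) throw new Error('sender is not the recovery account');
  chain.pendingRequest = keyId(newPub);
}

// Step 2: the operation must match the pending request and carry signatures
// from both the recent (old) owner key and the new owner key.
function recoverAccount(chain, newPub, signatures) {
  if (chain.pendingRequest !== keyId(newPub)) return 'no matching recovery request';
  const data = payload(chain.account, newPub);
  const signedBy = (pub) => signatures.some((sig) => crypto.verify(null, data, pub, sig));
  if (!signedBy(chain.recentOwner)) return 'missing old owner signature';
  if (!signedBy(newPub)) return 'missing new owner signature';
  chain.owner = newPub;
  chain.pendingRequest = null;
  return 'recovered';
}

// Constructed scenarios: a key thief, a rogue recovery account, the real user.
function runScenarios() {
  const old = newKeyPair(); // owner key the user held before the theft
  const chain = { account: 'alice', recoveryAccount: 'steem', recentOwner: old.publicKey,
    owner: newKeyPair().publicKey, pendingRequest: null }; // owner: thief's replacement key
  const both = (kp) => [signOp('alice', kp.publicKey, old.privateKey), signOp('alice', kp.publicKey, kp.privateKey)];
  const results = {};
  const thief = newKeyPair(); // has the stolen old key, but no recovery request exists
  results.thief = recoverAccount(chain, thief.publicKey, both(thief));
  const rogue = newKeyPair(); // recovery account names its own key, lacks the old key
  requestAccountRecovery(chain, 'steem', rogue.publicKey);
  results.rogue = recoverAccount(chain, rogue.publicKey, [signOp('alice', rogue.publicKey, rogue.privateKey)]);
  const user = newKeyPair(); // user generates the new key pair, shares only the public key
  requestAccountRecovery(chain, 'steem', user.publicKey);
  results.user = recoverAccount(chain, user.publicKey, both(user));
  results.ownerIsUserKey = keyId(chain.owner) === keyId(user.publicKey);
  return results;
}

console.log(runScenarios());
```

Only the flow in which the user generated the new key pair and still holds the old owner key ends in a changed owner; the other two are rejected at different checks.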
Wrapping up
This can be extended and built into applications, allowing other websites to build on the blockchain, create accounts, and let users recover hacked accounts. Of course, if you create accounts directly yourself, this is life-saving information if your secondary account is hacked and needs to be recovered.
The primary purpose of this tutorial was so I could learn more about the recovery process and how it works. :-)
Posted on Utopian.io - Rewarding Open Source Contributors
Thank you for the contribution. It has been approved.
You can contact us on Discord.
[utopian-moderator]
Nice write-up! Thanks for the information.
Hopefully, this will not be needed, but if it can be accessed while an account is inaccessible, then wonderful.
Hey @samrg472 I am @utopian-io. I have just upvoted you!
Achievements
Community-Driven Witness!
I am the first and only Steem Community-Driven Witness. Participate on Discord. Let's GROW TOGETHER!
Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x
Awesome!
wow! Thank you Sam
Nice~ So you can recover an account~!
This rocks Bro, I had no idea
love it
Sam is the man with a plan, I think that is what your slogan should be. Such a wealth of knowledge that so many rarely get to see. Thank you brother
Angel in actions, Ty ! <3