How does BlockSurvey Magic Recovery Code Work?

Written by Alen George
May 3, 2023 · 3 mins read

BlockSurvey enables digital rights for its users: ownership of the account (identity) and of the data rests with the user, not with the platform provider. With BlockSurvey, all your data is encrypted end to end and you hold the keys. This prevents data breaches, leaks, harvesting, and trust issues. We strongly believe all your ideas and insights gathered from people through data collection are valuable and need to be protected. BlockSurvey enables that with a modern privacy-focused design system using BlockStack's Blockchain.

As a result, users are in control of their data, and no one else is. You hold your Secret Key, which acts as a password: it is used to create your account and to encrypt/decrypt your data. It's generated when you sign up. Nobody but you will have your Secret Key, to make sure that only you can decrypt your data and see the content inside.

What if I lose my Secret Key?

So now the question arises: 'What if I lose my Secret Key?' Until now, if you lost your Secret Key, it was lost forever. Only you know your Secret Key, which means that no one can help you recover it.

At BlockSurvey, we started worrying about what might happen to users' accounts if they lose their Secret Keys. All of their surveys and results would be lost, and we would be unable to recover them. So we started thinking about how to give users an account recovery option, so that even if they lose their Secret Key, they can recover their account on their own, and in a secure way.

We decided on an approach that not only recovers your account but is also secure, so that only you can recover the account. We came up with the Magic Recovery Code: a recovery code that can be used to recover your BlockSurvey Secret Key if you lose it, so you can sign back in to your BlockSurvey account.

Magic Recovery Key generation process

A Magic Recovery Key is generated only for users who have signed up using email authentication or any third-party OAuth sign-in. When creating an account, the user is required to enter their email address and verify the account using an OTP. BlockSurvey does not store Secret Keys directly. For the Magic Recovery Key, BlockSurvey uses the established PBKDF2 standard.

While this is not the latest, best, or state-of-the-art, it is well known and has wide language support, especially in the WebCrypto API, where it importantly performs at native speed.

Magic recovery key computation

The Magic Recovery Key hash is computed as follows:

UserSalt = cryptographically secure generated random 256-character value
BlockSurveyUserSalt = cryptographically secure generated random 256-character value
Hash = SHA-512
Iterations = 200.000
Bit Length = 512

Magic Recovery Key = PBKDF2(UserSalt , BlockSurveyUserSalt , iterations, hash, bitLength)

We generate two salts, i.e. cryptographically secure generated random 256-character values. One is kept with BlockSurvey and the other is shared with the user by email. Using these 2 salts we generate a Magic Recovery Key, which is used to encrypt/decrypt your seed phrases.

Using the generated Magic Recovery Code, we encrypt your Secret Key with AES (Advanced Encryption Standard) and store the encrypted Secret Key in our backend. Don't worry, it will be safe, and only you will be able to decrypt the Secret Key to sign back in to your account. Not even BlockSurvey will be able to recover your account, because only one half of the salt is saved with us. The other half is with you, and the Secret Key can only be decrypted once you provide your recovery code in the provided input box.

The Magic Recovery Code is sent only to your email address and is also downloaded locally to your system. If you lose your Secret Key, you can enter the recovery code that we shared with you once you verified your email address. We then fetch the encrypted Secret Key and the other half of the salt, which we generated and stored for your account. We combine both salts, derive the Magic Recovery Key using PBKDF2, and decrypt the Secret Key for you using AES.

If the code you provided was correct and the Secret Key decrypted successfully, we take you to the dashboard. From the dashboard account settings, you will be able to copy or back up your Secret Key again. You can regenerate your Magic Recovery Code if you wish, but the previous recovery code then becomes invalid. Use the most recent code to sign in in the future.
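
The derivation and recovery flow described above, sketched with the WebCrypto API as an added example (this is not BlockSurvey's code). The page does not state the salt encoding or the AES mode and key size, so hex-encoded salts, AES-256-GCM, and keying AES with the first 256 bits of the PBKDF2 output are assumptions, as are all function names.

```javascript
// Added example, not BlockSurvey's code. Assumptions: salts are hex strings,
// UserSalt is the PBKDF2 password input, and the first 256 bits of the 512-bit
// output key AES-256-GCM (the page does not name a mode). Names are hypothetical.
const ITERATIONS = 200000, HASH = 'SHA-512', BIT_LENGTH = 512;
const enc = new TextEncoder(), dec = new TextDecoder();

async function webCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the module.
  return globalThis.crypto?.subtle ? globalThis.crypto
    : (await import('node:crypto')).webcrypto;
}

async function newSalt() {
  const bytes = (await webCrypto()).getRandomValues(new Uint8Array(128));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join(''); // 256 chars
}

async function deriveRecoveryKey(userSalt, blockSurveyUserSalt) {
  const { subtle } = await webCrypto();
  const base = await subtle.importKey('raw', enc.encode(userSalt), 'PBKDF2', false, ['deriveBits']);
  const bits = await subtle.deriveBits(
    { name: 'PBKDF2', salt: enc.encode(blockSurveyUserSalt), iterations: ITERATIONS, hash: HASH },
    base, BIT_LENGTH);
  return new Uint8Array(bits); // 64 bytes
}

async function aesKey(recoveryKey) {
  const { subtle } = await webCrypto();
  return subtle.importKey('raw', recoveryKey.slice(0, 32), 'AES-GCM', false, ['encrypt', 'decrypt']);
}

async function encryptSecretKey(secretKey, recoveryKey) {
  const c = await webCrypto();
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh nonce per encryption
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, await aesKey(recoveryKey), enc.encode(secretKey));
  return { iv, ciphertext: new Uint8Array(ct) }; // what the backend would store
}

async function recoverSecretKey(record, userSalt, blockSurveyUserSalt) {
  const { subtle } = await webCrypto();
  const key = await aesKey(await deriveRecoveryKey(userSalt, blockSurveyUserSalt));
  try {
    const pt = await subtle.decrypt({ name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
    return dec.decode(pt);
  } catch {
    return null; // wrong recovery code: the GCM tag check fails
  }
}
```

A wrong recovery code yields `null` here because GCM authenticates the ciphertext; an unauthenticated mode such as AES-CTR would return garbage bytes instead and would need a separate correctness check.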

If you want more information, please go through our FAQs regarding Magic Recovery Code.

Alen George

Alen George leads the research team of BlockSurvey and is keenly looking for the latest technologies to help BlockSurvey scale new heights. Alen enjoys reading and playing around with new technologies embodying the true researcher spirit. He also enjoys singing melodious songs.