Identity Verification for Account Recovery
In a Casa setup, Casa retains one of the keys so that it can provide a signature in emergency recovery situations. This protects clients, but it creates a vulnerability if an attacker can trick Casa into signing a recovery request that transfers the user’s bitcoin into the attacker’s wallet.
To protect against this, Casa verifies the user’s identity on every request for a recovery signature, using a special process detailed to clients during activation. We keep details of this process private, but note that the process includes a significant signing delay and a series of regular user notifications when a recovery request is made. The signing delay and notifications increase the odds that an attack would be caught and reversed before the recovery signature occurs.