As many of you may know, I bought some EOS in the 2017 token distribution. Since then I've kept a watching brief on the project. I've commented on its messy birth. I've watched the development of applications (primarily gambling ones) and the emergence of 'sister' chains from afar. However, last week I really took some time to get my hands dirty in EOS... it's been an eye-opening experience.

From Hacks to Real Life Apps
Before a couple of weeks ago, when I thought of EOS, my overriding impression was hackathons and governance. Not exactly the stuff to get you leaping out of bed in the morning!
While politics and governance stimulate the intellectuals in the space, they really do little for user adoption. Adoption is usually predicated on a simple principle: does what you're offering make the user's life easier or more enjoyable?
For that we need to look to the actual applications built on EOS. To my pleasant surprise, there is a lot of cool innovation happening on the application front in EOS. It isn't just hackathons. There are real applications, generating real money, with real use cases that embrace the ethos of users, stakeholders and product creators having aligned incentives.
I will write up my view of the first generation of EOS applications in other posts; however, the first thing to note about EOS, before getting into anything else, is key management.
Anyone looking to get involved in EOS in 2019 really needs to take the time to understand key management thoroughly.
Steem's Account Recovery safety net
In many ways Steem has spoiled DPoS users. Interfaces like Steemit, Steem Connect and Steem Keychain have really made key management as simple as it can be for users.
In my view, the reason these interfaces work is that the Steem blockchain has a dual safety net in the form of the Account Recovery System and Steem Power. These features mean that if the worst happens and an account gets compromised, the damage a hacker can do is limited.
Given Dan Larimer's history with the Steem Account Recovery System, I'm somewhat surprised that it wasn't implemented in EOS.
Double-edged simplicity
At present it is stupidly easy to lose ownership of your account on EOS. That is because there are two vectors of attack.
The first is that someone can take over your account (in seconds) by gaining access to your private keys. Most people know this, so keep those nice and safe.
However, a hacker can also take over your account if they gain access to your wallet and that wallet holds your owner permission. They don't need your private keys. They can simply change the keys that control the account.
It's a double-edged sword, because the simplicity with which I could change my owner and active keys in EOS was really useful when it came to securing my genesis account and creating separate keys for my active and owner permissions.
Once I got the hang of it, I was creating new accounts, sub-accounts, delegating between accounts in no time. All this is great fun for the geek in me. It was fast and simple and convenient on EOS.
And there is the rub... it was too fast... too simple... too convenient... and, most importantly, too permanent! You don't need your private keys to do irreversible damage and render your highly guarded private keys completely irrelevant if you don't fully understand the difference between owner and active keys/permissions. Yes, the interfaces give you warnings, but with one slip you can easily lose access to your account. Permanently.
Everyday access to lose it all
This is compounded by the fact that people will be using their accounts to access all kinds of applications, in all kinds of situations. Leave an app running on your computer while you go off to the restroom and, by the time you come back, you could have lost complete access to your funds... if you don't understand the difference between active and owner keys/permissions.
I was okay, as I was playing primarily with active keys. However, for users new to crypto, the convenience with which both active and owner keys can be permanently changed becomes a vulnerability. Indeed, it was this attack vector that caught out many during the recent Telos scam, where a phishing site pretending to be the Telos Foundation website duped people into handing over control of their EOS accounts.
I'm sure many users thought that because their private keys were offline they were immune from hackers, or at least that they'd be able to stop a hack as long as their coins were staked. However, this is not the case. If a hacker changes the keys that control your account (or dupes you into changing them), you're shit out of luck. Sorry.
This is why, before anything else, if I'm talking about EOS, I'm talking about key management.
In particular... don't store your owner permissions in any wallet.
It is boring. It is unsexy. Yet it is crucial to get a handle on.
If you take nothing from this post take away this.
Keep your private keys safe and offline.
Don't store your owner permissions in any wallet.
Use your active permissions for everyday activity.
Improving User-friendliness
There is an alternative to this dull introduction to the exciting blockchain space that is EOS: learn the lessons of Steem and introduce an Account Recovery System for EOS.
What the Steem Account Recovery System provides is a cool-off period if your owner key is compromised. You can read the article by Dan for the specifics of how it works.
Not only does Account Recovery give peace of mind to regular users, it acts as a deterrent to hackers. Yes, should they gain access to your account they can make off with any crypto assets that are liquid. However, as long as you are monitoring your staked tokens, you should be able to take action to keep them staked.
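To make the owner/active distinction from the "Double-edged simplicity" section and the effect of a recovery window concrete, here is a small Python model. It is an added illustration for this post, not code from EOS, Steem or any wallet: the permission rule it encodes is the EOSIO one (an updateauth on a permission must be authorised by that permission or an ancestor of it, and owner is the parent of active), while the recovery behaviour is a simplified assumption of the Steem-style cool-off (a displaced owner key may reclaim the account within an assumed 30-day window) and all key strings are placeholders.

```python
"""Toy model of EOSIO-style account permissions with an optional Steem-style
owner recovery window.  Added illustration for this post, not EOS, Steem or
any wallet's code; keys are placeholder strings.

EOSIO rule modelled: 'owner' is the root permission and 'active' its child;
updateauth on permission P must be authorized by P or an ancestor of P, so a
key holding only 'active' cannot rewrite 'owner', while 'owner' can rewrite both.
Recovery rule (assumed, Steem-like, off for the EOS case): after the owner key
changes, the previous owner key may reclaim the account within RECOVERY_WINDOW.
"""
from dataclasses import dataclass, field

RECOVERY_WINDOW = 30 * 24 * 3600   # assumed 30-day cool-off, in seconds


class AuthError(Exception):
    """Signing key is not allowed to change the requested permission."""


@dataclass
class Account:
    name: str
    keys: dict                       # permission name -> key
    recovery_enabled: bool = False   # False models EOS, True models Steem
    parents: dict = field(default_factory=lambda: {"owner": None, "active": "owner"})
    owner_history: list = field(default_factory=list)   # (old owner key, time)

    def chain(self, perm):
        """Yield perm followed by each of its ancestors up to the root."""
        while perm is not None:
            yield perm
            perm = self.parents[perm]

    def authorized(self, target, signing_key):
        """EOSIO rule: the key must hold target or one of its ancestors."""
        return any(self.keys[p] == signing_key for p in self.chain(target))

    def updateauth(self, target, new_key, signing_key, now):
        """Replace the key on target: immediate, and final unless recovery is on."""
        if not self.authorized(target, signing_key):
            raise AuthError(f"{signing_key} may not update {target} on {self.name}")
        if target == "owner" and self.recovery_enabled:
            self.owner_history.append((self.keys["owner"], now))
        self.keys[target] = new_key

    def recover_owner(self, previous_owner_key, new_key, now):
        """Steem-style recovery: a displaced owner key reclaims the account if
        it acts inside the window.  Always fails on an EOS-like account."""
        for old_key, changed_at in self.owner_history:
            if old_key == previous_owner_key and now - changed_at <= RECOVERY_WINDOW:
                self.keys["owner"] = new_key
                self.keys["active"] = new_key   # assumption: active is reset too
                self.owner_history.clear()
                return True
        return False


def exposed_permissions(acct, wallet_keys):
    """Hygiene check from the post: which permissions can this wallet exercise?"""
    return sorted(p for p, k in acct.keys.items() if k in wallet_keys)


def eos_scenarios():
    """The post's two attack vectors on an account without recovery."""
    out = {}
    # Vector 1: wallet left unlocked, but it only holds the active key.
    acct = Account("alice", {"owner": "OWNER_KEY", "active": "ACTIVE_KEY"})
    try:
        acct.updateauth("owner", "ATTACKER_KEY", "ACTIVE_KEY", now=0)
        out["active_can_rotate_owner"] = True
    except AuthError:
        out["active_can_rotate_owner"] = False
    # Active may rotate itself, but the offline owner key repairs that.
    acct.updateauth("active", "ATTACKER_KEY", "ACTIVE_KEY", now=0)
    acct.updateauth("active", "NEW_ACTIVE_KEY", "OWNER_KEY", now=1)
    out["repaired_active"] = acct.keys["active"]
    # Vector 2: the wallet held the owner key; both permissions are rewritten
    # and the displaced owner key is worthless afterwards.
    acct = Account("alice", {"owner": "OWNER_KEY", "active": "ACTIVE_KEY"})
    acct.updateauth("owner", "ATTACKER_KEY", "OWNER_KEY", now=0)
    acct.updateauth("active", "ATTACKER_KEY", "ATTACKER_KEY", now=1)
    out["keys_after_owner_leak"] = dict(acct.keys)
    out["old_owner_can_recover"] = acct.recover_owner("OWNER_KEY", "FRESH_KEY", now=2)
    return out


def recovery_scenario(seconds_until_recovery):
    """The same owner-key leak on an account that has a recovery window."""
    acct = Account("bob", {"owner": "OWNER_KEY", "active": "ACTIVE_KEY"}, recovery_enabled=True)
    acct.updateauth("owner", "ATTACKER_KEY", "OWNER_KEY", now=0)
    recovered = acct.recover_owner("OWNER_KEY", "FRESH_KEY", now=seconds_until_recovery)
    return recovered, dict(acct.keys)


if __name__ == "__main__":
    print(eos_scenarios())
    print(recovery_scenario(7 * 24 * 3600))        # inside the window
    print(recovery_scenario(RECOVERY_WINDOW + 1))  # too late
```

Running it, the first scenario shows why the post's three rules hold: a leaked active key cannot touch owner, and the offline owner key repairs a rotated active key, whereas a leaked owner key rewrites both permissions and the old owner key is worthless afterwards. The second scenario replays the same owner-key leak on a chain with a recovery window, where the displaced key gets the account back only inside that window. exposed_permissions is the hygiene check: if it ever lists 'owner' for an everyday wallet, the owner key is in the wrong place.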
Ownership transfer hiccup
The only drawback of Account Recovery is that it makes the transfer of account ownership more drawn out. A buyer of an account will need to wait for the cool-off period to elapse before they can be completely satisfied that the seller cannot renege on the account sale.
However, the selling of accounts is such an edge case that it shouldn't be a barrier to EOS implementing Account Recovery.
Focusing on what users need
Given all the chatter about ECAF and arbitration, I would have thought Account Recovery would be a practical measure, one that would actually benefit regular users, that BPs and intellectuals on EOS could sink their teeth into!
There is a lot more to say on EOS key management, particularly as it pertains to claiming airdrop/sharedrop tokens; however, this is enough for now.