Skip to content

LockoutGuard Access Assurance

Overview

LockOutGuard ensures that users can regain access to their UnoLock Safe even if they lose access to their primary authentication method, such as their FIDO2 device or biometric login. This feature provides multiple backup mechanisms and layers of protection to prevent accidental lockouts, enabling secure recovery while maintaining the integrity of the Safe.

LockoutGuard Access Assurance is a recovery and continuity feature designed to prevent permanent lockout from your UnoLock digital Safe. By providing a secure, user-controlled alternative recovery method, LockoutGuard ensures that users can regain access to their Safe in case of lost credentials or device issues, without compromising the zero-knowledge security model. In UnoLock, LockoutGuard is not a permanent parallel login path. It is a recovery path that is intended to be used, then replaced by fresh WebAuthn registration.

How It Works

  • Alternative Recovery Method Setup: Users configure LockoutGuard as an alternative recovery path, such as an offline recovery code or related recovery material, stored securely by the user.
  • Encrypted Recovery Keys: LockoutGuard generates encrypted recovery keys or mnemonic phrases, which are stored locally or on trusted devices, encrypted with AES-256 GCM, ensuring only the user can access them.
  • Inactivity Monitoring: The system monitors user activity and can trigger recovery prompts after a user-defined inactivity period, guiding users to restore access securely.
  • Client-Side Recovery Process: Recovery operations are processed client-side, maintaining UnoLock’s zero-knowledge architecture. Users authenticate using the configured recovery path to regain access without server intervention.
  • One-Time Recovery Flow: After LockoutGuard is used, the user is required to register again with WebAuthn. The alternative recovery path is then removed, making LockoutGuard effectively a one-time recovery mechanism rather than a standing second login method.

Security Implications

  • Prevention of Permanent Lockout: LockoutGuard ensures users can recover access to their Safe without relying on third-party intervention, reducing the risk of data loss.
  • Zero-Knowledge Security: Recovery processes are handled client-side, ensuring that UnoLock servers never access user keys or data, maintaining privacy and security.
  • Controlled Recovery Lifecycle: Recovery access is temporary. By forcing fresh WebAuthn registration after use, UnoLock restores the Safe to its normal primary-authentication model and removes the temporary recovery path.

Use Cases

  • Individual Users: Protects access to personal Safes containing Bitcoin and Ethereum keys, financial records, or sensitive documents, ensuring recovery in case of lost credentials.
  • Business Continuity: Companies can use LockoutGuard to ensure key personnel can recover access to critical data, maintaining operations despite credential issues.
  • High-Risk Scenarios: Users in unstable environments can configure LockoutGuard to safeguard against coerced access attempts, using secure recovery options to regain control.

Why It Matters

Losing access to a digital Safe can result in permanent data loss, especially for critical assets like Bitcoin and Ethereum keys or legal documents. LockoutGuard provides a user-controlled, secure recovery mechanism that prevents such scenarios while upholding UnoLock’s commitment to privacy and security. As discussed in the context of secure key management, LockoutGuard ensures users can always regain access to their digital assets, offering peace of mind in an increasingly digital world.

FAQs

What happens if I lose my primary authentication method?

LockoutGuard allows you to use the configured recovery method to regain access. After that recovery succeeds, you must register again with WebAuthn, and the temporary recovery path is removed.

Can UnoLock access my recovery keys?

No, all recovery keys are encrypted and managed client-side, ensuring UnoLock has no access to them.

How does LockoutGuard protect against unauthorized recovery?

Recovery verification methods, like biometrics or FIDO2 authenticators, ensure only authorized users can initiate the recovery process.

Is LockoutGuard a permanent second way to log in?

No. LockoutGuard is an alternative recovery method, not a permanent parallel login method. Once it is used, UnoLock forces WebAuthn registration again and removes the alternative recovery path.

Compliance & Privacy Regulations

  • GDPR & HIPAA Compliance: LockoutGuard supports compliance with GDPR, HIPAA, and other regulations by ensuring that recovery processes are secure, private, and do not expose sensitive data on servers.

Integration with Other Features

  • End-to-End Encryption (E2EE): Ensures that all recovery keys and data remain encrypted throughout the recovery process.
  • Access Keys & Safe Access: LockoutGuard integrates with access-key based Safe access, allowing recovery methods to coexist with multiple registered authenticators.