LockoutGuard: Anti-Lockout Protection and One-Time Recovery
Overview
LockoutGuard helps users regain access to a Safe after losing a key or device without turning recovery into a permanent second login system. It is designed as a one-time alternative recovery path that returns the Safe to the normal WebAuthn access-key model after use.
How It Works
- Recovery Material: Users create recovery material that is stored outside the normal day-to-day Safe access flow.
- One-Time Recovery Access: LockoutGuard supports a controlled recovery flow that restores access temporarily so the user can recover the Safe.
- Client-Side Verification: Recovery processes are executed client-side, with no decryption keys or sensitive data sent to UnoLock’s servers, maintaining the zero-knowledge model.
- Inactivity Trigger and Warning Window: LockoutGuard uses a configured inactivity interval and warning period before the recovery path becomes relevant.
- Forced WebAuthn Re-Registration: After recovery is used, the user must register again with WebAuthn. That registration replaces the temporary recovery route.
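An added sketch of the lifecycle described in the list above, not UnoLock's own code. It assumes the recovery route opens only after the inactivity interval plus the warning period have elapsed with no activity, and that using it consumes the route and forces WebAuthn re-registration; all class, field and method names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Phase(Enum):
    ACTIVE = "active"                # normal WebAuthn access, recovery closed
    WARNING = "warning"              # inactivity interval passed, warning window running
    RECOVERY_OPEN = "recovery_open"  # warning window expired, recovery may be used


@dataclass
class SafeRecoveryPolicy:
    # Hypothetical model; names and timing semantics are assumptions.
    inactivity: timedelta
    warning: timedelta
    last_activity: datetime
    recovery_armed: bool = True    # recovery material exists and is unused
    must_reregister: bool = False  # set once recovery has been used

    def phase(self, now: datetime) -> Phase:
        idle = now - self.last_activity
        if idle < self.inactivity:
            return Phase.ACTIVE
        if idle < self.inactivity + self.warning:
            return Phase.WARNING
        return Phase.RECOVERY_OPEN

    def record_activity(self, now: datetime) -> None:
        # A normal login resets the inactivity clock and closes the window.
        if self.must_reregister:
            raise PermissionError("WebAuthn re-registration required")
        self.last_activity = now

    def use_recovery(self, now: datetime) -> None:
        if not self.recovery_armed:
            raise PermissionError("recovery route already consumed")
        if self.phase(now) is not Phase.RECOVERY_OPEN:
            raise PermissionError(f"recovery closed in phase {self.phase(now).value}")
        self.recovery_armed = False  # one-time: the route is removed after use
        self.must_reregister = True  # access is temporary until re-registration

    def register_webauthn(self, now: datetime) -> None:
        # The new registration replaces the temporary route and restarts the clock.
        self.must_reregister = False
        self.last_activity = now
```

The point of the model is that recovery is refused both before the warning window expires and after it has been used once, so it never behaves like a second login.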
Security Implications
- Anti-Lockout Protection: LockoutGuard reduces the risk of permanent data loss due to lost keys or devices.
- Maintained Privacy: Client-side encryption and verification ensure that recovery processes do not expose sensitive data, preserving UnoLock’s zero-knowledge architecture.
- Protection Against Abuse: The inactivity trigger, warning period, and recovery verification mechanisms help prevent malicious actors from exploiting recovery processes.
- Recovery Boundaries: Because the recovery route is removed after use, LockoutGuard does not remain as a standing parallel access channel.
Use Cases
- Individual Users: Crypto investors or individuals storing sensitive documents can recover access to their Safe if they lose their primary key or device.
- Enterprise Teams: Businesses can implement recovery protocols for employees, ensuring access to shared Safes is restored securely.
- High-Risk Scenarios: Users in unstable regions can use LockoutGuard for continuity planning without turning recovery into a standing second login path.
Why It Matters
Losing access to a secure Safe can be catastrophic. LockoutGuard provides a recovery path without redefining recovery as a permanent alternative login method. That distinction matters because UnoLock treats WebAuthn access keys as the normal authentication model and recovery as the exception.
FAQs
How does LockoutGuard prevent lockouts without compromising security?
LockoutGuard uses recovery material and client-side verification to restore access securely without exposing data to servers. After recovery is used, the user must register again with WebAuthn and the temporary recovery route is removed.
What happens if I lose all my recovery keys?
If all recovery options are lost, access may be unrecoverable because of UnoLock’s zero-knowledge model, which is why securely storing backups is important.
Can the inactivity timing be bypassed in an emergency?
LockoutGuard depends on the configured inactivity and warning settings. Users should choose those settings carefully based on their recovery needs.
Compliance & Privacy Regulations
- GDPR & HIPAA Compliance: LockoutGuard supports compliance with GDPR, HIPAA, and other regulations by ensuring recovery processes are secure, private, and do not expose sensitive data on servers.
Integration with Other Features
- Robust Key Management with Multi-Key Registration and WebAuthn: Complements multi-key registration by providing recovery options for registered keys, enhancing access redundancy.
- Client-Side Encryption Using AES-256 GCM: Ensures that recovery keys and processes are encrypted locally, maintaining zero-knowledge privacy throughout the recovery workflow.