
May 2026

Authentication without email or password

WebAuthn passkey as primary, BIP39 seed for recovery, no reset possible. Why the absence of a recovery net is a deliberate design choice.

Most credential leaks come from the password and its reset channel. No email, no phishing via reset link. No password, no credential stuffing. We removed both at the root. Identity is proven by a key, never by a memorized secret.

Passkey as primary

Authentication relies on WebAuthn. The private key stays in the device's secure enclave or in a hardware authenticator. The server stores only a public key and a signature counter. No shared secret travels. A phishing attempt fails by construction: the passkey is bound to the origin (the relying party ID) of our domain, so a look-alike site never receives a valid assertion.

The account is created in a single ceremony. No double opt-in, no inbox to confirm. The user registers one or more passkeys at onboarding, across several devices when possible. Multi-device is the real redundancy.
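As an added illustration of the server-side checks this design relies on (example code, not the project's own): a WebAuthn assertion verifier in Go that keeps only the public key and counter, rejects an assertion whose clientDataJSON carries another origin, and flags a signature counter that fails to advance. It assumes an Ed25519 passkey (COSE alg -8), a constructed relying party `example.test`, and a challenge compared as the base64url string the server issued; a P-256 passkey differs only in the signature call.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Constructed relying party for this example, not a real deployment.
const rpID, origin = "example.test", "https://example.test"

// Credential is all the server keeps: a public key and the last signature counter.
type Credential struct {
	Pub       ed25519.PublicKey
	SignCount uint32
}

// SignedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func SignedMessage(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// VerifyAssertion is the server side: origin and RP ID binding (where a phishing
// page fails), user presence, a counter that must advance, then the signature.
func VerifyAssertion(c *Credential, challenge string, cdJSON, authData, sig []byte) error {
	var cd map[string]any
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge || cd["origin"] != origin {
		return errors.New("type, challenge or origin mismatch")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) || authData[32]&1 == 0 {
		return errors.New("wrong RP ID hash or user not present")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count <= c.SignCount && count|c.SignCount != 0 { // both zero: no counter support
		return errors.New("counter did not advance: possible cloned authenticator")
	}
	if !ed25519.Verify(c.Pub, SignedMessage(authData, cdJSON), sig) {
		return errors.New("bad signature")
	}
	c.SignCount = count // persist; the next assertion must exceed it
	return nil
}
```

An authenticator produces `sig` as an Ed25519 signature over `SignedMessage(authData, cdJSON)` with the private key that never leaves the device, which is how the check is exercised locally.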

Recovery by seed, no reset

The only net is a 24-word BIP39 seed, generated client side and shown once. It derives the recovery material. No one on the server side can reconstruct it. If the user loses every device and the seed, the account is permanently unreachable. We cannot reset it, and that is the point.

This choice shifts the cost. Onboarding must teach the user to keep the seed offline. Support never handles a recovery request, so no social engineering vector targets our agents. The principle to keep: a system that cannot recover an account cannot be forced to hand one over.