Recovery

User Recovery

Both Employee and Enduser user types can recover their Dfns accounts by creating recovery credentials. Employees connected with your organization are provided a recovery kit when they register on the Dfns dashboard. They should store this recovery kit securely offline. If they need to recover their account credentials, they can do so at app.dfns.<TLD>/recover by providing the information from the kit and a verification code proving they still have access to their email. Alternatively, an existing organization user with administrative permissions can deactivate and re-create their account using a different email address.

It is possible to create as many recovery credentials as you want. Any recovery credential can be used to recover a User.

Once a recovery credential is used, all the user credentials (recovery and regular) are invalidated for security reasons. The user needs to create at least one new recovery credential, this can be done during the recovery process (see ).

Enduser recovery can be built by Dfns clients as described below.

End User Recovery

You can decide where in your UX flow to create recovery credentials for your end users. Depending on the value of assets and the users' ability to create credentials from multiple devices (which is recommended), you may want to make this mandatory upfront or optional later in your flow. In order to initiate recovery, however, an end-user must have credentials already registered with the system.

Here are the general steps required to perform an end-user recovery:

Verify the identity of your user via your existing authentication methods, KYC, etc.
Call the endpoint from a service account (DfnsApiClient.auth.createDelegatedUserRecovery in the SDK).
Dfns generates a new registration context, so that you can create the user’s new credentials. Forward this to your user.
The user creates a new credential (and optional new recovery credential)
The user signs the new credential(s) with their existing recovery credential, and sends the new credential(s) + signature to Dfns to endpoint (DfnsDelegatedApiClient.auth.createUserRecovery in the SDK)
Dfns verifies the signature is valid
Dfns archives all of the user’s current credentials (regular + recovery)
Dfns adds the user’s new credentials

Last updated 4 months ago

User Recovery

It is possible to create as many recovery credentials as you want. Any recovery credential can be used to recover a User.

Enduser recovery can be built by Dfns clients as described below.

End User Recovery

Here are the general steps required to perform an end-user recovery:

Verify the identity of your user via your existing authentication methods, KYC, etc.

Call the endpoint from a service account (DfnsApiClient.auth.createDelegatedUserRecovery in the SDK).

Dfns generates a new registration context, so that you can create the user’s new credentials. Forward this to your user.

The user creates a new credential (and optional new recovery credential)

The user signs the new credential(s) with their existing recovery credential, and sends the new credential(s) + signature to Dfns to endpoint (DfnsDelegatedApiClient.auth.createUserRecovery in the SDK)

Dfns verifies the signature is valid

Dfns archives all of the user’s current credentials (regular + recovery)

Dfns adds the user’s new credentials