NotATether - “In general, services should not be giving people QR codes as a recovery option”
I hope you never need something recovered in future, and if you do, that you can do it by verifying yourself. I’d hate to think that someone’s bitcoin could be lost and unrecoverable because a service they’re using refuses to help them if they get stuck.
You misunderstood my point. I said that rather offering QR codes, they should've been providing one-time passwords from the beginning. It's similar to something Google already does; They give you 10 codes that look like this:
12345-67890
Which are shown on their creation, which you are to store somewhere safe, and they are never shown again. And each of them can only be used once (which for 10 codes makes 10 recoveries)
It is more secure than the entire system of providing QR codes. I never said they shouldn't have given you the QR code.
For TrustedCoin this would have provided protection in case the email account that they send the QR code to is compromised, because it is actually
very easy for somebody to gain access to someone's email if they have control of the recovery email associated with it, or (particularly with Gmail and Outlook) the date you signed up, your previous passwords, date of birth etc.
Actually I can apply this suggestion to any site that sends you a code to recover a forgotten password, which is the majority of sites. But most of those sites do not store people's money in them so this reduced security is acceptable.
Personally, when money is on the line I wouldn't feel comfortable using a service that is able to recover my wallets through email, because that system can be compromised and recovery codes stolen, and I'd rather that I'd be able to do so by using a means that malicious third-parties can't access e.g. OTPs and seed phrases (which by the way I'd also expect online banks to support but they are very very behind on this unfortunately).
