Publish the first trust story collection
validate / validate (push) Successful in 23s

This commit is contained in:
Compleet
2026-07-14 13:58:14 +01:00
parent e7e690a8ed
commit eaf9a614d9
39 changed files with 1815 additions and 327 deletions
@@ -0,0 +1,77 @@
---
title: "Your old phone is the real identity test"
description: "Login demos happen on new devices. Trust is decided after a theft, a dead battery, a changed number, or a relationship someone needs to escape."
published: 2026-07-14
editorialOrder: 2
reviewed: 2026-07-14
author: "Ana"
maintainers: ["Ana"]
status: developing
featured: false
homepage: true
section: "Recovery"
frontTone: paper
draft: false
tags: ["recovery", "passkeys", "wallets", "safety"]
image: "https://images.unsplash.com/photo-1654944932733-bca31b703dd7?auto=format&fit=crop&w=1600&q=82"
imageAlt: "A bunch of keys, one inserted into an old wooden door"
imageCredit: "Raphael GB"
imageCreditUrl: "https://unsplash.com/photos/a-key-on-a-door-dofnXBVZ51c"
trustPattern:
claim: "Keeping credentials on a personal device gives the individual control."
trusted: "The person must trust device backups, account recovery, telecoms, support staff, and any family or platform account involved in synchronisation."
failure: "When the device disappears, control may quietly return to the institution—or to whoever controls the recovery channel."
---
Security products are usually demonstrated in the first five minutes of ownership. The phone is charged. The screen is intact. The face scanner recognises its owner. A credential appears with a satisfying animation.
The meaningful demonstration starts two years later.
The phone fell into the sea. The number was recycled. A cloud account is shared with a spouse the owner is trying to leave. The name on a government record changed but the bank's record did not. The person has their password but not the old device; their document but not the email address; their face but not quite the face the enrollment camera remembers.
At that point, the recovery system becomes the identity system.
## Recovery is governance
Passkeys, digital wallets and hardware-backed credentials can remove whole classes of attack. They can also make an account wonderfully easy to use on an ordinary day. But none abolishes the question of who restores access.
Recovery may depend on:
- another device already signed into the same platform account;
- a cloud-synchronised credential store;
- a phone number and mobile network;
- identity documents checked by support staff;
- a bank branch, municipal office or employer;
- trusted contacts or recovery codes;
- creating an entirely new credential and convincing every relying party to accept it.
Each option is a governance choice disguised as a help screen. It decides which evidence outranks which, who may make an exception, and who can be locked out by a person with access to their household devices.
## The safest default for whom?
"Ask the account owner" works badly when account ownership is itself contested. "Send a code to the phone" works badly after theft or coercive control. "Visit an office" may be a humane fallback for one person and an impossible journey for another. Social recovery distributes power, but it also reveals dependencies and assumes the social circle is safe.
There is no perfect answer. There are only threat models that admit whom they protect.
This suggests a better product review. Do not ask only whether enrollment resists fraud. Test the five ugly transitions:
1. lost device;
2. changed phone number;
3. changed legal name;
4. death or incapacity;
5. escape from a controlling household.
A system that cannot explain these cases has not finished its security model. It has stopped at the happy path.
## The constitutional layer
Recovery feels secondary because it is used less often. Constitutions are also used less often than ordinary procedures. Both matter most when normal authority breaks down.
Whoever controls recovery can override keys, records and prior consent. That actor may be a state, a platform, a bank, a group of friends or the user alone with a piece of paper. The choice can be reasonable. It cannot be absent.
The old phone is useful because it makes the hidden constitution visible. When the elegant credential is gone, whom does the system believe?
### Further reading
- [FIDO Alliance: Passkeys](https://fidoalliance.org/passkeys/)
- [European Digital Identity Wallet architecture](https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework)