
Why we don't have password recovery (and that's the feature)

Every workspace tool that lets you 'reset your password and get back in' is keeping a copy of your data somewhere they can decrypt. Here's why we made the opposite trade-off.

IN PLAIN ENGLISH
If you forget your password on Slack or Notion or Gmail, you click "forgot password," get an email, and you're back in. That convenience only works because the vendor kept a copy of your data they can hand back to you. We made the opposite choice. Lose all your Koaich devices without a recovery code? Your data is gone, permanently. That sounds harsh, but it's exactly what makes the privacy guarantee real — if there's no way to recover *without* us, then *we* don't have a way to read your data either.

Every tool that lets you reset your password and immediately access your data is keeping a copy of that data somewhere they can decrypt. That's how password recovery has to work mathematically: if the data is encrypted with a key derived from your password, and you lose the password, the only way to get back in is for the vendor to hold an additional copy of the key.

We chose not to have that copy.

What the trade-off looks like

If you forget your password on Slack, Notion, or Google Workspace, you click 'forgot password,' get an email, and you're back in. Your data was always there — the vendor never lost access to it.

If you lose all your Koaich devices at once and you didn't write down your recovery codes, your data is gone. Permanently. There's no support ticket that brings it back. There's no master key in our office.

Why this is the right trade-off for sensitive work

If we held a master spare, three things would follow: our staff could be compromised; an external request could compel us to decrypt your data; and a breach of our infrastructure would expose your data.

The Shamir-split recovery model gives you a path back as long as you have multiple devices: each device holds a share of the recovery secret. Lose one, recover from the others. Lose all of them at once without backup codes — you've accepted the consequence of true self-custody.

It's the same trade-off self-custodial wallets make for crypto. It's the property that makes 'we can't read your data' honest rather than aspirational.

Frequently asked questions

Why doesn't Koaich have password recovery?

Password recovery only works when the vendor holds a copy of the encryption key (or a key-wrapping key) that can be re-derived after a reset. We chose not to hold that copy. The trade-off is that lost access without recovery codes means lost data — the benefit is that no one inside Koaich can read your data, ever.

How do I recover my Koaich account if I lose my device?

On mobile, Koaich uses Shamir's Secret Sharing across the user's own devices; on the web, it uses WebAuthn passkeys. As long as you have one device or have set up your recovery shares, you can re-derive access. If you lose all devices and have no recovery shares, the data is unrecoverable.

Can Slack restore my account if I lose my password?

Yes — Slack can fully restore access because Slack holds the keys to your workspace data. The same property that makes recovery possible makes vendor-side data access possible.
