When you register a user under your tenancy, the Upvest Blockchain API supplies a Recovery Kit for the user.
The recovery kit is an encrypted artifact containing two things: metadata (KYC data) about the user that was created, and an encrypted seed to restore the private key. You pass this recovery kit to the user in whichever form you choose (it’s a QR code), and they can store it wherever, because it’s already encrypted (technically twice) it’s not strictly dependent on secure storage, unlike conventional seeds and private keys.
If the user forgets the password for unlocking their wallet, they can come to you with this recovery kit. As the outer layer is encrypted using a public key for which only you have got the decryption key, you will decrypt it in order to obtain the previously mentioned metadata and the encrypted seed. After performing an appropriate KYC process (which can include some of the metadata contained within the recovery kit), you can use the Upvest Blockchain API’s reset password endpoint to set a new password for the user. On our end, we decrypt the seed and regenerate all of their wallets, which we then re-encrypt using their new password.