For power users, if they forget their pw, they lose their coins. Period. That's the option I would use, as someone who never lost an important pw thanks to my use of redundant password safes.
For other users, when creating an account, coinbase.com could email them a "key recovery" file (or mail them a physical QR code), with instructions to keep it permanently stored in a safe place. This key recovery file would be K encrypted with a unique IV and a key known by coinbase.com, who would not keep a copy of the key recovery file. This would satisfy all my requirements: coinbase.com would be unable to steal/access the users' coins, and an attacker merely getting access to the key recovery file would be unable to do anything with it.
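The split the comment describes, written out in Go as an added example (not the commenter's code and not anything coinbase.com ships): the service wraps K with AES-GCM under a key-encryption key only it holds plus a fresh nonce, hands the result to the user and keeps no copy, so recovery needs the user's file and the service's KEK together, and either one alone is useless. The label string, key sizes and sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Associated data binding the wrapped key to this purpose (hypothetical label).
const recoveryLabel = "key-recovery-v1"

// RecoveryFile is what the user keeps (emailed file or printed QR code): the wallet
// key K sealed under the service's KEK with a unique nonce (IV). Service keeps no copy.
type RecoveryFile struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func newAEAD(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeRecoveryFile runs on the service at account creation; a fresh random nonce
// is drawn for every file so the same KEK can safely wrap many users' keys.
func MakeRecoveryFile(kek, walletKey []byte) (RecoveryFile, error) {
	aead, err := newAEAD(kek)
	if err != nil {
		return RecoveryFile{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return RecoveryFile{}, err
	}
	ct := aead.Seal(nil, nonce, walletKey, []byte(recoveryLabel))
	return RecoveryFile{Nonce: nonce, Ciphertext: ct}, nil
}

// Recover runs only when the user presents the file: it needs the file (user) and the
// KEK (service). A wrong KEK or a modified file fails GCM authentication outright.
func Recover(kek []byte, f RecoveryFile) ([]byte, error) {
	aead, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.Nonce, f.Ciphertext, []byte(recoveryLabel))
}
```

In practice the KEK would live in an HSM or KMS and the Recover step would sit behind the service's identity checks; the point here is only that neither party can unwrap K by itself.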