With passwords lol. When the weakest link in your chain is some terrible password your user picked, then all your fancy crypto is pointless. (It also still allows a user’s message history to be destroyed when they inevitably forget your password)
The best solution I’ve seen for this is the BIP39 mnemonics that crypto wallets use (because they face exactly the same problem - making the user the ultimate custodian of the keys). But it’s still terrible and barely usable.
You can also do the 1Password approach and have other users that you trust store all or part of your key material. But all any of the solutions mentioned in this comment do is spread the problem around a bit, not solve it.
The best solution I’ve seen for this is the BIP39 mnemonics that crypto wallets use (because they face exactly the same problem - making the user the ultimate custodian of the keys). But it’s still terrible and barely usable.
You can also do the 1Password approach and have other users that you trust store all or part of your key material. But all any of the solutions mentioned in this comment do is spread the problem around a bit, not solve it.