Account and MPC Key Share Security

TSI prioritizes the security of user accounts and MPC key shares to protect digital assets from unauthorized access and potential threats. We employ a multi-layered approach that combines robust authentication measures, device binding, and the cryptographic strength of MPC.

Two-Factor Authentication (2FA)

  • Mandatory 2FA: All user accounts are required to configure 2FA using an authenticator app. This adds an extra layer of security during login, as users need to provide a unique, time-based code from their authenticator app in addition to their password.

  • Enhanced Login Security: Even if a user's password is compromised, their account remains secure because a hacker cannot log in from another device without the 2FA code. This significantly reduces the risk of unauthorized account access.

MPC Key Share Protection

  • Device and Browser Binding: Each MPC key share is uniquely bound to the specific device and browser used during its generation. This prevents the key share from being used on any other unauthorized device, even if the encrypted key share is compromised.

  • Organization Admin Approval: All MPC key attachments to a device require approval from the organization admin. This adds another layer of control and oversight to the key management process.

Passphrase Confidentiality

  • Local Storage: The passphrase, which is crucial for decrypting the MPC key share, is only stored within the user's local browser storage and any backups they create.

  • No Server-Side Storage: Fireblocks and TSI do not store or have access to the user's passphrase. This eliminates the risk of the passphrase being compromised from the server-side.

  • Decentralized Decryption: The decryption of the MPC key share using the passphrase happens exclusively within the user's local browser environment. This ensures that the passphrase is never exposed over the network or to any external parties.

  • Restricted API Access: Even if a hacker obtains both the encrypted MPC key share and the passphrase, they cannot initiate transactions or withdraw assets solely through API calls. TSI's security mechanisms require user interaction within the platform's interface for transaction authorization.

User Responsibility and Backup

While TSI implements robust security measures to protect user accounts and MPC keys, users also have a responsibility to:

  • Securely Store Passphrase: Keep your passphrase confidential and store it securely. Consider using a password manager or other secure storage methods.

  • Regularly Back Up Passphrase: Create backups of your passphrase and store them in a safe location. This ensures you can recover your key share if you lose access to your primary device or browser.

Note: Although TSI takes significant measures to protect your assets, losing your passphrase will result in the permanent loss of access to your funds. It is crucial to keep your passphrase safe and secure.

PreviousSecurity OverviewNextCloud Infrastructure Security

Last updated