An Expanding Set of Configurations for Transactional MFA

https://www.dynamic.xyz/blog/expanding--transactional-mfa

For the crypto industry to become mainstream, it must innovate to simplify and improve the wallet experience for users. Email login, social login and embedded wallets are a meaningful step in this direction, as they remove friction and provide users with a familiar Web2-like experience. Whatever their impact, it is still important to know how they operate and what the security implications are.

In this write-up, we explore security considerations around embedded wallets and highlight additional security measures that Dynamic end users can implement. Lastly, we dive into our transactional MFA suite of tools, which lets you choose the right experience based on your customers’ specific use case.

Embedded Wallets: Enhanced Security and User Experience

Embedded wallets are digital wallets that are directly integrated into applications, platforms or websites. This offers users a seamless and customizable experience, without compromising on security. It also offers developers significant flexibility, enabling them to create custom wallet flows that align with their project’s branding.

In addition to creating a superior user experience, embedded wallets also improve security for crypto users. Once created, the wallet is fully owned and controlled by the user, who alone has the ability to export private keys or access the digital assets within the wallet. Additionally, developers can implement advanced security at the authentication level, as well as at the transaction level.

Dynamic-powered embedded wallets are likewise non-custodial, meaning they are always end-user owned and controlled. Only the end-user has ownership of and access to their wallet private keys. These wallets can be used in a range of scenarios, from easing onboarding on your websites to serving as the base for building your own full-stack wallet.

How are Private Keys Stored with Dynamic?

To securely store private keys, Dynamic built a robust solution, utilizing Trusted Execution Environments (TEEs) to secure keys, generate sessions, and more.

All private keys are encrypted and never stored in raw form. End-user private keys are not accessible to Dynamic, the developer, or the underlying TEE and key management infrastructure providers. Every decryption operation that uses a private key must be user-initiated and performed inside a secure enclave. Dynamic does not sign transactions on an end-user's behalf, and end-users have to take explicit actions to sign transactions. Dynamic also does not offer APIs to sign transactions on behalf of end-users.

Additionally, Dynamic uses isolated iframes to further limit access to or control of the wallet private key by anyone other than the end-user, and to ensure the wallet private key does not leave its secure environment. Users can export their private key and import it to MetaMask or other EOAs at any time.

Security is Progressive, Depending on the Wallet Use Case

Dynamic-powered embedded wallets are equipped with several ways to add extra layers of security. These are divided into two types of MFA: authentication MFA, where users must use 2FA when logging in, and transactional MFA, where users are required to explicitly sign each transaction.

Dynamic-powered embedded wallets offer the following forms of multi-factor authentication (MFA):

  • Passkeys: Passkeys offer a simpler and more secure alternative to passwords. By using a biometric sensor such as a fingerprint, users don’t need to remember passwords or worry about unauthorized access.
  • Email One-Time Codes: One-time codes allow users to transact using temporary codes sent directly to their email. For added security, these codes can also be paired with passkeys.
  • Time-Based One-Time Codes (TOTP): Google Authenticator or similar tools can be used to further secure login.

Flexible Transactional MFA Options

In addition to the above, we also offer an option to turn off transactional MFA, which should be used with care. This allows transactions for logged-in users to be processed without additional verification steps. By removing complexity, users benefit from a frictionless experience that is more comparable to existing Web2 onboarding flows. Users can add passkeys or additional security measures later in their onboarding journey, but these are not required to start using the wallet, and users can transact freely without them.

For developers, this improves the way embedded wallets are configured. You can show or hide wallet prompts in the dashboard and decide when to enforce passkeys for your users. Overall, this feature provides increased flexibility for user onboarding.

For end users, signing up through any onboarding method will instantly create a wallet without requiring a passkey or a one-time email code. Users can add additional security measures at any point if they choose. Either way, they can log in and transact within seconds.

Interested in implementing Dynamic? Try it out for yourself here! You can also dive into our docs to learn more, or book a quick call to discuss it with us here.

Matt Pearlstein

Matt became interested in crypto in 2016 and left TradFi to go full time in the industry a few years later. Matt currently leads content and ecosystem marketing at Dynamic, and is very active in DeFi in his free time.
