One-Time Codes for Secure, Familiar experiences

TL;DR

Enable customers to make transactions using one-time verification codes sent to their email. Set up a specific length for session keys to allow customers to complete transactions without needing a second verification step. One-time codes can be combined with Passkeys to let users optionally add a passkey as an additional security factor at a later date.

‍

Background

Passkeys offer an intuitive and step-forward experience for developers and users alike. Passkeys use popular keychain managers like iCloud or 1Password to safely secure and enable cross-device experience. In some cases, the experience of passkeys is still a few steps too advanced and developers want an alternative for their users to complete transactions using even more familiar functions. One-time codes offer a great solution. 

‍

Additionally, for customers that use Dynamic as an embedded solution across domains, the one-time code option offers flexibility as users would need to set up a passkey for each domain they interact with. 

‍

How it works

Using the authenticated email, Dynamic sends a secure one-time code (encoded in base65) at the time a transaction is initiated. This code must be pasted by the end-user and will grant them access to sign for transactions for their wallet. An encrypted key is stored in local storage based on a defined length (by the developer) so users can continue transacting without an additional prompt.

‍

One-time codes can also be combined with passkeys.

1. Customers can use one-time codes for the initial transaction, and prompt users to add a passkey afterward
2. Use one-time codes as a fallback for users who run into issues with their passkey

‍

Why did we release this feature?

1. Making it even simpler for customers to transact - especially if they use older devices and browsers.
2. Helping developers embed Dynamic across many domains where a passkey would be needed for each.
3. Helping Developers who want to use passkey as 2FA method and not as the initial signing method. 

‍

Restrictions:

1. If used as the only signing method, you must combine this with pre-generated Wallets.
2. If the user closes their session, the key will expire on its own. 
3. If the user traverses devices during this session, they will need to establish one-time code on the new device.

‍

FAQS: 

‍

What does the experience look if one-time codes are enabled:

The user logs in and has an embedded wallet created invisibly. At their first transaction or signing request, a one-time code is sent to their email. Once confirmed, the transaction will be processed. Users can continue transactions without an additional code until their session expires. Customers can add a passkey from their profile at any time.

‍

How is this different from pre-generated wallets with passkeys?

If you do not enable one-time codes, customers must set up a passkey before their transaction will process.

‍

How can I use one-time codes with Dynamic Embedded Wallets?

Use one-time codes as the primary or secondary method for signing transactions with your embedded wallet.

‍

How do I enable this feature?

Go to dashboard > enable Dynamic embedded wallets > select one-time codes as a signing/security method.

‍

How long does a session last?

This is a configurable field. It can be set to expire instantly or up to a few hours. It is your responsibility to evaluate how long the session key should last.

‍

How is the Session key stored and Secured?

The session key is stored in a secure iframe hosted by our key-management provider which provides isolation as well as a layer of security to guarantee the session key is never directly accessible from malicious scripts, the developer, or even Dynamic.

‍

Does the developer have access to the session key?

No. Wallets are non-custodial. The session key is never accessible by the developer. 

‍

Detailed Documentation: Go here.

‍