
Deep Dive

At Dapital, both security and experience are first-class citizens. Interacting with crypto has never been this seamless without significant security compromises and mental overhead. How is this possible? We provide answers to some frequently-asked concerns below.

How is Dapital both non-custodial and backed-up to the cloud?

Dapital is architected such that your wallet is downstream from your login method. Depending on how you signed up, this is either your Google/Apple account or a passkey you created.

  • First, Dapital utilizes Turnkey to provision a seed-phrase-based wallet.
  • Next, Dapital associates your login method with both your Turnkey-provisioned wallet and your Dapital account in parallel.
    • For Google/Apple, this is via short-lived tokens provisioned by Google/Apple when you sign in.
    • For passkeys, your biometrics via Face ID produce an encryption key which is used to encrypt all sensitive data leaving your device. This key is used solely on-device; thus, neither Dapital nor any potential compromiser of Dapital can access your wallet.
  • While logged into Dapital on your device, all secure data is stored in your Apple Keychain, which is your phone’s secure enclave on-device, with hardware isolation and encryption guarantees similar to those of TEEs.

In summary, your wallet is intrinsically tied to your sign-up method. If you have access to your authentication method, then you have access to your wallet. Additionally, you can export your wallet’s seed phrase or private keys at any time if you want to migrate off of Dapital.

Is it possible at all for me to lose access to my funds on Dapital?

It isn’t a security discussion without discussing potential threat vectors; therefore, we lay out risks and best-practice mitigations below.

  • If you sign up with Google/Apple and that account is compromised, then the attacker will also have full access to your wallet. In the event of compromise, Dapital has a few mitigation tools in place, but in most cases, this is a catastrophic security failure and you should transfer your funds as soon as possible.
  • If you lose access to your passkey, you will lose access to your wallet. Because Dapital is non-custodial, we have no ability to recover your account.
    • In most cases, passkeys are synced to the cloud via your password manager and accessible through biometrics.
      • If you explicitly turn off passkey cloud syncing, then Dapital is similar to a hardware wallet: if you lose your device that stores the passkey, you will lose access to your Dapital account.
      • For iPhones, your password manager is likely either Google Chrome or Apple. Similar to the above, if an attacker compromises your password manager’s account, this is a catastrophic security failure and you should transfer your funds as soon as possible.

Best Practices Cheat Sheet

Because Dapital provides strong security guarantees while also being synced to the cloud, you can drastically simplify your security setup.

  • Ensure your Google/Apple account and your password manager are secured: While most people have robust security setups in place for their Google/Apple accounts and/or their password managers, double-check that your setup is protected with multiple factors of authentication.
  • In the vast majority of cases, independently exporting your seed phrase is not necessary: Similar to hardware wallets, exporting your seed phrase is generally not advised because it breaks the security guarantees provided by Dapital. While you are free to do so at any time, if you export your seed phrase, you expose yourself to another, independent avenue for exploitation and must manually secure it. We heavily advise that you do not do this unless you know what you are doing!