Capsule's architecture and product were created with user asset security and resilience to common threats in mind. The following outlines a subset of the mechanisms Capsule employs to limit risks of attack.
In any blockchain-based system, there is a non-zero risk of funds loss. This is particularly true in a non-custodial setup. With this in mind, Capsule's philosophy is to limit cases of funds loss and empower users and app developers to make choices around key management and backup that are context-appropriate.
Capsule embedded wallets are secured by hardware enclaves in users’ devices, are fully self-custodial, and easy to integrate. Neither Capsule nor applications integrating with Capsule ever have access to private keys. Read more about Capsule key management in depth here.
Capsule leverages a 2-of-2 MPC scheme. The Capsule Cloud Key is stored securely in Capsule's cloud hardware-security modules (HSMs). Capsule's setup provides a noncustodial backup of the user's key while still offering resilience to events of device loss or, in certain cases, compromise. Capsule plans to eventually further distribute its responsibilities.
Instead of storing keys in the browser or relying on easily-compromised social logins for access, Capsule implements the WebAuthN standard to create passkeys to manage user shares. Passkeys were developed by Apple, Google, Microsoft and the Fido alliance to make accounts online secure and simple to access. Passkeys create cryptographically secure secrets using users' personal devices that serve as an alternative to a traditional username and password-based logins. Unlike passwords which are easily forgotten, passkeys are generated on device and stay on device. Passkeys can be easily set up, either with FaceID, TouchID, or passwords on your device.
Passkeys are used in the Capsule system to protect the user share on the user’s device. Social logins are often compromised, and as a result even if the social login in a Capsule wallet is at risk, the security of the keys are not. This is because the passkey is reliant on physical device access (typically gated by system passwords, biometrics, or similar) to access the user share.
When the wallet needs to produce a signature, the Capsule SDK coordinates signatures from the user’s device and from Capsule’s cloud. Shares do not need to be reassembled. For more information on how Capsule coordinates transaction signing, look here.