Capsule employs a multi-layered approach to security, incorporating various mechanisms to protect user assets and data. This document outlines the key security features implemented in Capsule’s architecture.

Multi-Party Computation (MPC)

At the core of Capsule’s security is its use of Multi-Party Computation (MPC) for key management. Instead of one private key stored on one device, the key exists only as shares held by separate parties, and signing is a protocol run between those parties. MPC enhances security by:

  • Preventing the entire private key from ever existing in one location, in memory or on disk
  • Eliminating single points of failure: compromising one share holder does not yield a key that can sign on its own
  • Enabling key generation and transaction signing without exposing or reconstructing the full private key at any step

Hardware Secure Enclaves

Capsule leverages the hardware secure enclaves available in modern devices for additional security. These enclaves offer:

  • A dedicated, isolated environment for sensitive operations, separated from the main operating system
  • Hardware-level protection for cryptographic keys, which are used inside the enclave rather than exported to application memory
  • Secure biometric authentication capabilities

An enclave protects key material from extraction; it does not by itself judge whether a signing request is legitimate, which is why enclave-held material is combined with user verification and the permissions checks described below.

Passkeys and WebAuthn

Instead of traditional password-based authentication, Capsule implements the WebAuthn standard to create passkeys. A passkey is a public-key credential: the private key stays on the user’s device and the server stores only the public key. This approach:

  • Eliminates the risks of password-based authentication: there is no shared secret to phish, reuse, or leak in a server breach
  • Leverages device-specific security features such as the secure enclave and biometric or PIN unlock
  • Provides phishing-resistant authentication: the credential is bound to the relying party’s origin, so a lookalike domain cannot obtain a valid assertion, and each assertion signs a fresh server challenge, so it cannot be replayed

Distributed Key Generation (DKG)

Capsule uses Distributed Key Generation to create key shares without ever assembling the full private key: each party contributes its own randomness, and every share is derived from those contributions, so the joint key is well defined but never computed by anyone. DKG:

  • Ensures no single party ever has access to the complete private key, including at generation time
  • Protects against key theft during generation, since there is no moment at which a full key exists to be exfiltrated
  • Allows secure key refresh and rotation: shares can be re-randomized so that previously stolen shares become useless

Permissions Framework

Capsule implements a permissions system that controls which applications may request transaction signatures, and for what. This framework:

  • Gives users granular control over what actions each application can perform
  • Mitigates the impact of a compromised application: a request outside the app’s granted permissions is refused before anything is signed
  • Lets users manage their wallet’s exposure app by app

Two-Factor Authentication (2FA)

Capsule supports 2FA for additional account security, particularly during wallet recovery. The 2FA implementation:

  • Is optional and enabled by the user
  • Uses time-based one-time passwords (TOTP, RFC 6238)
  • Adds an extra layer of protection for critical operations

Secure Backup and Recovery

Capsule provides mechanisms for wallet backup and recovery, including:

  • Recovery secrets generated during wallet setup
  • Support for multiple backup devices
  • A 48-hour delay before a recovery attempt completes, so that unauthorized access is not granted instantly and the legitimate owner has a window to notice an attempt they did not start
  • The Capsule Backup Kit for censorship resistance

Encryption and Secure Communication

All communication between the user’s device, Capsule’s servers, and connected applications is encrypted. This includes:

  • Use of TLS for all network communications
  • End-to-end encryption for sensitive data
  • Secure storage of user data with encryption at rest

Regular Security Audits

Capsule is committed to maintaining the highest security standards through regular third-party audits. The audit process includes:

  • Periodic audits by reputable security firms
  • Comprehensive review of cryptographic implementations
  • Continuous monitoring and improvement of security measures

Censorship Resistance

Capsule’s design ensures that users maintain control over their assets even in the event of service disruptions. Measures include:

  • Option for users to export their Cloud Key
  • Ability to sign transactions independently if Capsule services are unavailable
  • Decentralized nature of key management prevents single points of failure

By combining these mechanisms, Capsule provides a layered framework for protecting user assets and data, designed so that Capsule-powered wallets resist a wide range of threats while maintaining a seamless user experience.