User and Wallet Creation
The creation of a new wallet in Capsule combines several cryptographic mechanisms to provide both security and ease of use: biometric authentication, a Distributed Key Generation (DKG) ceremony, and a key held in the device's secure enclave. The process is as follows:
To start, the Capsule-enabled application prompts the user for biometric authentication. This step gates access to the device enclave key pair, whose public key is also referred to as the app key. Following successful authentication, the user is redirected to the Capsule Portal to finalize their onboarding. Because the app key is the public half of the enclave key pair, it can be safely transmitted to the Capsule Portal in a URL query string without exposing any secret material.
In the Capsule Portal, the user enters their email address as a means of verification. Upon submission, Capsule sends a unique 6-digit PIN to the provided email, which the user enters in an input modal on the portal. If the user already possesses a Capsule wallet, they have the option to connect it at this stage. If not, the process to create a new wallet begins.
Note: Phone verification can be supported in cases where email is not readily available. However, this scenario requires separate integration plans for the storage of the recovery key, as SMS is not considered secure for delivering this key.
The client initiates the creation of a new wallet by generating a Device Key. The public keys of the app key, portal key, and Device Key are then transmitted to the Capsule server, accompanied by a copy of the Device Key encrypted under the app key, so that the server can store it without being able to read it. The Capsule server takes these keys and initiates the DKG (Distributed Key Generation) ceremony, employing its application-specific HSM (Hardware Security Module) Cloud Key and the Device Key. The Device Key is also stored in the browser's storage to enable future management via the Capsule Portal.
Upon redirection back to the application, the client requests the account from the Capsule server. The server responds with the encrypted Device Key and the account's public key. The client then decrypts the Device Key using the device enclave-based app key and securely stores the Device Key in the KeyChain.
Note: For mobile SDK usage, the Device Key is stored in the KeyChain. Please refer to the JS SDK section for more information on how the key is stored for web applications.
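The following Python is an added illustration, not Capsule's own code, of what the steps above produce: a two-party DKG in which the Device Key and the Cloud Key each hold one share and the wallet's public key is derived without either side assembling the full private scalar, plus the wrapping of the Device Key under the app key so the server stores only ciphertext. The secp256k1 curve, the additive two-share construction and the unauthenticated ECIES-style wrap are assumptions that simplify a real MPC ceremony.

```python
import hashlib
import secrets

# secp256k1 parameters. The curve is an assumption for this illustration;
# Capsule's documentation does not name the curve or the DKG protocol it uses.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if a == b: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def new_share():
    """A private share, as the Device Key or the HSM Cloud Key would hold it."""
    return secrets.randbelow(N - 1) + 1

def joint_public_key(device_share, cloud_share):
    """Each party publishes only share*G; the wallet key is their sum. The full
    private scalar (device + cloud) mod N is never assembled by either party."""
    return ec_add(ec_mul(device_share, G), ec_mul(cloud_share, G))

def wrap_device_key(share, app_pub):
    """Toy ECIES-style wrap of the Device Key under the enclave app key
    so the server can store it without being able to read it."""
    eph = new_share()
    pad = hashlib.sha256(ec_mul(eph, app_pub)[0].to_bytes(32, "big")).digest()
    return ec_mul(eph, G), bytes(a ^ b for a, b in zip(share.to_bytes(32, "big"), pad))

def unwrap_device_key(wrapped, app_priv):
    """Only the enclave holding app_priv can recover the Device Key."""
    eph_pub, ct = wrapped
    pad = hashlib.sha256(ec_mul(app_priv, eph_pub)[0].to_bytes(32, "big")).digest()
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, pad)), "big")
```

The wrap here is unauthenticated and exists only to show the key-custody boundary; a production SDK would use an authenticated scheme and the enclave's own API for the app key.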
This comprehensive procedure ensures that wallet generation is secure and user-friendly, fostering trust and a seamless experience for the user. With Capsule, your wallet's security is our utmost priority.