When Multisig or Even MPC Alone Is Not Sufficient

Decentralized Keys

Single key, single signature wallets are simple and highly vulnerable to key theft or misuse. Compromising a single system or a malicious user with access can transfer all of an organization's assets without recourse.

‍

Replacing a single centralized key with (MPC) or multisig eliminates a single point of failure, when implemented correctly. However, as we've seen in hacks over recent years, having multiple keys or even key shares is not sufficient to assure security. Care must be taken to assure the key shares, or multiple keys, are stored in secure environments, with different administrative access to avoid a single point of failure.

‍

Decentralized Administrative Access

Generating and storing MPC key shares or multisig keys in different locations, under varied administrative access greatly improves security. A common admin with access to all key materials introduces a single point of failure. Hacking a single admin's credentials or malicious actions should never grant access to all key materials.

‍

In practice, it's important to separate the administration of hosting environments from access to the key materials. This can be useful in smaller organizations with more limited IT team resources.

‍

Secure Enclaves

Storing distributed key materials in secure enclaves like AWS Nitro further prevents administrators from having direct access to the hosting infrastructure, further improving security. This also reduces the risk of access by external malicious parties, adding another security layer.

‍

Institutional Wallet supports automated deployment in secure clouds such as AWS and Azure, enabling secure hosting without requiring cloud security expertise.

‍

Cryptographically Enforced Policies

Traditional secure enclaves like Hardware Security Modules (HSMs) offer secure physical storage for digital materials. However, once accessed by an authorized user or hacker, most HSMs cannot enforce policies requiring predefined approvers. Therefore, secure enclaves alone are insufficient.

‍

MPC-based wallets like Blockdaemon Institutional Wallet ensure key materials and policies co-reside on common machines and are cryptographically enforced. As a result, key shares can only be used after satisfying all policies. Storing key shares and policies in secure enclaves with cryptographic enforcement eliminates blind signing and improves security.

‍

Biometrically Authenticated Users

While multi-factor authentication is recommended, adding biometric authentication for critical users adds another layer of security.

Biometric authentications like face ID or fingerprints have advanced with mobile devices and can integrate into systems like the Institutional Wallet to verify credentials and user authenticity.

‍

Summary

The dust has yet to settle on the latest exchange hack, resulting in a loss of over $230 million and damaging brand reputation. Preliminary data suggests private key theft and misuse were central to the problem. Institutions should evaluate highly secure wallet systems with multiple layers of advanced security to protect their digital assets.

‍

Interested to learn more? Visit https://www.blockdaemon.com/wallet/institutional-wallet and request access to our wallet sandbox to experience advanced security yourself.

Public link

Please use the above public link if you want to share this noodl on another website.