Social Login Wallets
Sequence Wallets created with social logins are currently secured using three private keys: a Session key, a Guard key and a Torus key. The Session key and Torus key are both generated for the first time when a user creates their Sequence Wallet via social login or email authentication. At least two of the three keys are needed to unlock an account. This means that if one of the three keys is lost or compromised, a user can use the two remaining keys to replace the lost or compromised key. For example, if a user loses the device containing their Session key, they can unlock their Sequence Wallet account by using email or social login to obtain the Torus key and combining it with the Guard key. Once done, another Session key is auto-generated and the user is back in their account with all three keys accessible again.
Session keys are stored in the browser's IndexedDB. Users should be prudent in safeguarding their devices from unauthorized access, since an attacker with access to their IndexedDB effectively has control of their Session key.
A Guard key is a key owned by Horizon. This key allows Horizon to help users who have lost their Session key, and Horizon can require additional information from the user in case of suspicious activity, if the user wants this additional protection. This key would be compromised if a malicious actor took control of the Horizon servers hosting the Guard key.
A Torus key is a key generated by the Torus network using a user’s email or social login credentials, such as Google or Apple ID. Torus uses threshold cryptography to ensure that only the user can access their private key, making these keys non-custodial. A Torus key would be compromised if a malicious actor had control over the social account or email a user used to generate their Torus key. All Torus keys could be compromised if the Torus network itself were compromised.
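The 2-of-3 rule and the compromise scenarios above can be worked through as a small threat-model check. This is an added example, not Sequence's code: the class, function, key ids and event names are hypothetical, and the keys are constructed labels rather than real key material.

```javascript
// Simplified model of the 2-of-3 setup; not Sequence's code.
// Class, function, key ids and event names are hypothetical.
const THRESHOLD = 2;

class WalletModel {
  constructor() {
    // Constructed labels standing in for the three keys, not key material.
    this.signers = new Set(["session-1", "guard", "torus"]);
  }
  // An action is authorized when >= THRESHOLD distinct current signers approve.
  authorized(approvers) {
    const valid = new Set([...approvers].filter((k) => this.signers.has(k)));
    return valid.size >= THRESHOLD;
  }
  // Replacing a lost or compromised key is itself a threshold-gated action.
  replaceKey(oldKey, newKey, approvers) {
    if (!this.signers.has(oldKey)) throw new Error(`unknown signer: ${oldKey}`);
    if (this.signers.has(newKey)) throw new Error(`already a signer: ${newKey}`);
    if (!this.authorized(approvers)) return false;
    this.signers.delete(oldKey);
    this.signers.add(newKey);
    return true;
  }
}

// Compromise events named on the page, mapped to the key each one exposes.
const EVENTS = {
  deviceIndexedDb: ["session-1"],
  horizonServers: ["guard"],
  socialAccount: ["torus"],
  torusNetwork: ["torus"],
};

// Conservative assessment: the user is assumed to rely only on keys that no
// event has touched. Overlapping events (same key) are counted once.
function assess(events) {
  const wallet = new WalletModel();
  const exposed = new Set();
  for (const e of events) {
    if (!Object.hasOwn(EVENTS, e)) throw new Error(`unknown event: ${e}`);
    EVENTS[e].forEach((k) => exposed.add(k));
  }
  const clean = [...wallet.signers].filter((k) => !exposed.has(k));
  return {
    attackerControls: wallet.authorized(exposed),
    userCanRotate: wallet.authorized(clean),
  };
}

console.log(assess(["deviceIndexedDb"]), assess(["deviceIndexedDb", "socialAccount"]));
```

Any single event leaves the attacker below the threshold and the user able to rotate the affected key; two events that expose different keys reverse both results.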
While this is the default setup for new Sequence Wallets, we intend to let users add, remove and replace the keys controlling their wallet, so that they can choose their preferred tradeoff between security and user experience. It will even be possible to remove the Guard key. Security tips and recommendations will be added to ensure users are well informed of the risks and how to protect themselves against them.