Account Recovery Standard

The new recovery process uses encryption and cloud storage to ensure that your private keys are protected. It works as follows.

On wallet creation, Yuki generates a random “key-encryption-key” (KEK) that is unique to a particular wallet. (A KEK is a cryptographic key that is used for the encryption or decryption of other keys.)

Each user's KEK will encrypt their private keys or Key Shares (plural because it applies to all the keys or Key Shares tied to the user).

The encrypted private keys or Key Shares are then stored in the user's local iCloud / Google Drive under their control. Their KEK, meanwhile, is sent to Yuki servers.

This split gives users added protection. If anyone gets access to their iCloud or Google Drive, they can’t decrypt the keys without the KEK that Yuki has. And if a malicious actor gets access to Yuki’s infrastructure, they won’t be able to access the user's wallet as they won’t have their encrypted private keys.

At no point will Yuki have access to users' funds or private keys, and we will never ask for them.

During the recovery process

First, Yuki will try to detect the encrypted private keys stored on iCloud / Google Drive.

We require adding an authentication challenge before making an API call for wallet recovery, so that you can verify that the requester is the legitimate wallet owner.
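The split between cloud-stored ciphertext and server-held KEK, and the challenge-gated recovery described above, can be sketched as follows. This is an added example, not Yuki's code: the choice of AES-256-GCM, the blob layout, binding the wallet ID as associated data, the boolean challenge result, and every function name are assumptions made for illustration.

```javascript
// Added illustration; cipher choice, blob layout and all names are assumptions.
const crypto = require("node:crypto");

// Wallet creation: a fresh per-wallet KEK encrypts the private key (or Key Share).
function createWalletBackup(walletId, privateKey) {
  const kek = crypto.randomBytes(32);            // unique to this wallet
  const iv = crypto.randomBytes(12);             // 96-bit GCM nonce
  const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
  cipher.setAAD(Buffer.from(walletId));          // bind ciphertext to this wallet
  const ct = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  const cloudBlob = Buffer.concat([iv, cipher.getAuthTag(), ct]);
  return { cloudBlob, kek };                     // blob -> user's cloud, KEK -> server
}

// Server side: the KEK is released only after the authentication challenge passes.
function releaseKek(kekStore, walletId, challengePassed) {
  if (!challengePassed) throw new Error("authentication challenge failed");
  const kek = kekStore.get(walletId);
  if (!kek) throw new Error("unknown wallet");
  return kek;
}

// Recovery needs both halves; a wrong KEK or altered blob fails the GCM tag check.
function recoverPrivateKey(walletId, cloudBlob, kek) {
  const iv = cloudBlob.subarray(0, 12);
  const tag = cloudBlob.subarray(12, 28);
  const ct = cloudBlob.subarray(28);
  const decipher = crypto.createDecipheriv("aes-256-gcm", kek, iv);
  decipher.setAAD(Buffer.from(walletId));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Constructed sample run: random bytes stand in for a real private key.
function demo() {
  const walletId = "wallet-123";
  const secret = crypto.randomBytes(32);
  const { cloudBlob, kek } = createWalletBackup(walletId, secret);
  const kekStore = new Map([[walletId, kek]]);   // stands in for server storage
  const released = releaseKek(kekStore, walletId, true);
  const ok = recoverPrivateKey(walletId, cloudBlob, released).equals(secret);
  let blobAloneFails = false;                    // cloud blob without the real KEK
  try { recoverPrivateKey(walletId, cloudBlob, crypto.randomBytes(32)); }
  catch { blobAloneFails = true; }
  let unauthenticatedFails = false;              // KEK request without the challenge
  try { releaseKek(kekStore, walletId, false); } catch { unauthenticatedFails = true; }
  return { ok, blobAloneFails, unauthenticatedFails, blobLength: cloudBlob.length };
}
```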
