User flow

Technical Details

1. Register

1.1 You only need to enter an email and password and then verify an email OTP to get your UniPass account ready.

1.1 Master Key Generation

The master key is the execution key of a UniPass account. It is a 2-of-2 MPC (TSS) key, and the two slices are generated independently on the client side and the server side.

The client slice is encrypted with a password (processed by scrypt first) to produce a keystore file. The keystore can be stored either by UniPass or with a cloud storage provider such as Google Drive or iCloud.
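The following Node.js example, added here and not taken from UniPass, shows a client slice being turned into a password-protected keystore and opened again. The page only states that the password is processed by scrypt; the AES-256-GCM cipher, the scrypt cost parameters, the keystore field names and the function names are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Assumed scrypt cost parameters; the page does not state the values UniPass uses.
const KDF = { N: 2 ** 15, r: 8, p: 1 };
// Hard memory cap: scrypt needs about 128 * N * r bytes (32 MiB here). The cap also
// bounds the work a keystore with inflated kdfparams can force on the client.
const MAXMEM = 64 * 1024 * 1024;

function deriveKey(password, salt, { N, r, p }) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, { N, r, p, maxmem: MAXMEM });
}

// Encrypt a key slice under the password. AES-256-GCM is an assumption of this example.
function encryptSlice(slice, password) {
  const salt = crypto.randomBytes(16); // fresh salt per keystore
  const iv = crypto.randomBytes(12);   // fresh nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt, KDF), iv);
  const ciphertext = Buffer.concat([cipher.update(slice), cipher.final()]);
  return {
    kdf: 'scrypt',
    kdfparams: { ...KDF, salt: salt.toString('hex') },
    cipher: 'aes-256-gcm',
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ciphertext: ciphertext.toString('hex'),
  };
}

// Returns the slice, or null when the password is wrong or the file was modified.
function decryptSlice(keystore, password) {
  const hex = (s) => Buffer.from(s, 'hex');
  const key = deriveKey(password, hex(keystore.kdfparams.salt), keystore.kdfparams);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, hex(keystore.iv));
  decipher.setAuthTag(hex(keystore.tag));
  try {
    return Buffer.concat([decipher.update(hex(keystore.ciphertext)), decipher.final()]);
  } catch {
    return null; // GCM tag check failed
  }
}

// Constructed sample: a random 32-byte value stands in for the client slice.
const sampleSlice = crypto.randomBytes(32);
const sampleKeystore = encryptSlice(sampleSlice, 'correct horse battery staple');
```

Because the keystore may sit with a third-party storage provider, its confidentiality rests on the password strength and the scrypt cost, and the authentication tag is what lets the client reject a modified file.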

The server slice is encrypted by Amazon’s HSM (Hardware Security Modules) and stored on the UniPass server.

Untitled-2022-07-07-1613.png

The above flow chart shows the credentials needed to invoke both key slices so that the signature of the master key can be produced.

1.2 It is recommended to set up at least one guardian email during the registration process. Enter the email addresses of people you trust, and ask them to click the accept button in the invitation email they receive.

1.2 Prepare For Registration

<aside> 💡 All email addresses will be hidden by our ZKP solution

</aside>

1.3 Submit the registration and you will get a smart contract wallet address. You can now transfer some assets on Polygon mainnet to try it out.

1.3 Init Wallet Contract

**EIP-2470:** Singleton Factory, ensuring that the user's wallet address is consistent across all EVM-compatible blockchains.


2. Login

2.1 Enter your email and password along with an email OTP to log in.

2.1 Get A Valid Session Key

A session key is a temporary execution key which only works with a permit signed by the master key. The permit contains the restrictions of the session, such as its validity period and allowed actions.

Login is needed when the local environment doesn't have a session key, or when the permit of the session key is invalid. In such situations, a master key signature is needed on a new permit for either a newly generated session key or an existing one.

Email + password + email OTP authorize the keystore download from the server to the client environment. The keystore is then decrypted with the password and can be accessed in memory afterwards. Users can also import the keystore from other storage providers and use their password to decrypt it.

In the basic case, the server key slice can be invoked with a correct email OTP. However, users can also add MFA to enhance security, such as SMS, Google Authenticator, WebAuthn / Passkey, etc.

Invoke the two slices to generate a master key signature for the current session key. If there is no session key yet, generate a new one. The session key is encrypted using the Web Crypto API and stored in a safe environment on the client side.

<aside> 💡 Usually, in a less secure environment like a web browser, the permit is only valid for 4 hours or less.

</aside>

<aside> 💡 For environment security reasons, the session key solution is only used in the Popup SDK and the UniPass app. In some embedded browsers, such as the Flutter SDK, the session key is not used.

</aside>


3. Transfer Token

Currently, only a few Polygon assets such as USDT / USDC / WETH / MATIC are supported in this PoC product.

You can also pay gas for your transactions with any supported token, which means you don’t need MATIC to transfer USDC.

3.1 Signing Transaction

The transaction is signed by the session key, and then submitted to relayers along with the permit.
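The permit and session key checks described in 2.1 and 3.1, as an added Node.js example that is not UniPass code: it shows what a verifier has to check before accepting a session-signed transaction. Assumptions: Ed25519 key pairs stand in for both the 2-of-2 MPC master key and the session key, and the permit and transaction encodings, field names and function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Hypothetical encodings: fixed-order JSON arrays, so signer and verifier hash identical bytes.
const encodePermit = (p) => Buffer.from(JSON.stringify([p.sessionPub, p.notAfter, p.actions]));
const encodeTx = (tx) => Buffer.from(JSON.stringify([tx.action, tx.to, tx.amount, tx.nonce]));

// Master key authorizes one session public key for a limited time and set of actions.
function issuePermit(masterPriv, sessionPubKey, notAfter, actions) {
  const sessionPub = sessionPubKey.export({ type: 'spki', format: 'der' }).toString('hex');
  const permit = { sessionPub, notAfter, actions };
  return { permit, permitSig: crypto.sign(null, encodePermit(permit), masterPriv) };
}

// Verifier side. The order matters: nothing in the permit is trusted until the
// master key signature over it has been checked.
function verifyRequest(masterPub, { permit, permitSig, tx, txSig }, now) {
  if (!crypto.verify(null, encodePermit(permit), masterPub, permitSig)) return 'bad permit signature';
  if (now > permit.notAfter) return 'permit expired';
  if (!permit.actions.includes(tx.action)) return 'action not allowed';
  const sessionPub = crypto.createPublicKey({
    key: Buffer.from(permit.sessionPub, 'hex'), format: 'der', type: 'spki',
  });
  if (!crypto.verify(null, encodeTx(tx), sessionPub, txSig)) return 'bad transaction signature';
  return 'ok';
}

// Constructed sample: a 4-hour permit that allows only transfers.
const master = crypto.generateKeyPairSync('ed25519');
const session = crypto.generateKeyPairSync('ed25519');
const T0 = 1700000000; // constructed issue time, Unix seconds
const grant = issuePermit(master.privateKey, session.publicKey, T0 + 4 * 3600, ['transfer']);
const tx = { action: 'transfer', to: '0xRecipientPlaceholder', amount: '10', nonce: 1 };
const request = { ...grant, tx, txSig: crypto.sign(null, encodeTx(tx), session.privateKey) };
```

A stolen session key is therefore limited by the permit: once `notAfter` passes, or for any action outside `actions`, the verifier rejects the request without the master key being involved.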

3.2 Meta Transaction

UniPass Wallet enables flexible gas payment with Meta Transaction.

Unlike EOA wallets, where users have to prepare and pay the gas fee themselves, smart contract wallets like UniPass Wallet can decouple the gas fee payment from the account action. That is because the authentication of a smart contract wallet happens inside the contract, so the gas fee can be paid by anyone (relayers) who sends the action into the contract along with the user’s signature. In return, relayers can charge tokens from the user's wallet contract and make a profit.


4. Email-based Social Recovery

If you forget your password and don’t have any previously active environment, you can start the social recovery to regain access to your UniPass account.

4.1 Enter email and verify the OTP

4.2 Set a new password

4.1 Pre-check for Social Recovery

Authentication before entering the social recovery process.

4.2 Generate New Master Key

Users need to set a new password to generate the new master key, the same as in registration.

4.3 On the social recovery page, request the account recovery email to be sent for the desired email addresses. When enough emails have been sent from those addresses as instructed, the recovery process will start.

4.3 Collecting Recovery Emails From Guardians

Emails are sent from the guardians' email addresses to our email bot, and the bot processes these emails (for example, running a zero-knowledge proof to hide the email address) before sending them to the contract.

The logic differs with the number of guardians chosen. If only one guardian’s email is received, the recovery is delayed for 48h to prevent the single-point risk of an email hack. However, if you submit emails from 2 or more guardians, the recovery takes effect immediately.

In the official version of UniPass, the logic will be upgraded to an RBAC (Role Based Access Control) system, which enables more flexibility in the strategy used for social recovery. For example, you can set a lower weight for guardians but a higher weight for the registration email, so that guardians won’t have the right to start the recovery process alone without your involvement.

4.4 When the social recovery is completed, you can log in to UniPass with the new password.

4.4 Submit Social Recovery Transaction

The processed emails are sent to the smart contract. After the transaction is confirmed and the time lock (if any) has passed, the old master key is replaced with the new one contained in the emails. The user is then able to control the account with the new master key.

Verify DKIM on chain
