ServicesIAM
MPC Authentication
Multi-Party Computation authentication for secure key recovery
MPC Authentication
Hanzo IAM supports Multi-Party Computation (MPC) for secure key management and recovery. This enables users to recover their accounts without centralized key storage.
Overview
MPC authentication splits cryptographic keys across multiple parties (user device, Hanzo infrastructure, and optional third-party). No single party can reconstruct the key alone, providing security against both external attacks and insider threats.
Architecture
┌─────────────────────────────────────────────────────────────────────┐
│ MPC Key Distribution │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Share 1 Share 2 Share 3 (optional) │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Device │ │ Hanzo │ │ Third │ │
│ │ Key │ │ KMS │ │ Party │ │
│ │ Share │ │ Share │ │ Share │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │
│ └──────────────────┼────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────┐ │
│ │ 2-of-3 or │ │
│ │ 2-of-2 MPC │ │
│ │ Signing │ │
│ └─────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘Supported Schemes
2-of-2 MPC
Default scheme for most applications:
- Share 1: User's device
- Share 2: Hanzo KMS
const mpc = new HanzoMPC({
scheme: '2-of-2',
deviceShare: localStorage.getItem('mpc-device-share'),
hanzoEndpoint: 'https://kms.hanzo.ai'
})2-of-3 MPC
Enhanced security with third-party backup:
- Share 1: User's device
- Share 2: Hanzo KMS
- Share 3: Third-party custodian (optional recovery)
const mpc = new HanzoMPC({
scheme: '2-of-3',
deviceShare: localStorage.getItem('mpc-device-share'),
hanzoEndpoint: 'https://kms.hanzo.ai',
thirdPartyEndpoint: 'https://backup.example.com'
})Key Generation
Initialize MPC Wallet
import { HanzoMPC } from '@hanzo/mpc'
// Generate new MPC key
const mpc = await HanzoMPC.generate({
userId: 'user-123',
organization: 'hanzo',
keyType: 'secp256k1' // or 'ed25519', 'bls12-381'
})
// Store device share securely
await secureStorage.set('mpc-device-share', mpc.deviceShare)
// Public key for on-chain use
const publicKey = mpc.publicKey
const address = mpc.ethAddress // Ethereum-compatible addressKey Types
| Type | Algorithm | Use Case |
|---|---|---|
secp256k1 | ECDSA | Ethereum, Bitcoin, EVM chains |
ed25519 | EdDSA | Solana, Cosmos, general signing |
bls12-381 | BLS | Threshold signatures, aggregation |
ringtail | Post-quantum | Future-proof applications |
Signing Operations
Sign Transaction
// Sign Ethereum transaction
const tx = {
to: '0x...',
value: ethers.parseEther('1.0'),
gasLimit: 21000
}
const signedTx = await mpc.signTransaction(tx)
// Or sign arbitrary message
const signature = await mpc.signMessage('Hello, Hanzo!')Sign with TypedData (EIP-712)
const typedData = {
domain: {
name: 'My App',
version: '1',
chainId: 1,
verifyingContract: '0x...'
},
types: {
Order: [
{ name: 'maker', type: 'address' },
{ name: 'amount', type: 'uint256' }
]
},
message: {
maker: '0x...',
amount: 1000
}
}
const signature = await mpc.signTypedData(typedData)Recovery Flow
Social Recovery
Enable recovery through trusted contacts:
// Setup recovery guardians
await mpc.setupRecovery({
guardians: [
{ email: '[email protected]' },
{ email: '[email protected]' },
{ email: '[email protected]' }
],
threshold: 2 // 2-of-3 guardians needed
})Recovery Process
// 1. Initiate recovery
const recovery = await HanzoMPC.initiateRecovery({
userId: 'user-123',
email: '[email protected]'
})
// 2. Guardians approve (they receive email)
// Each guardian clicks approval link
// 3. Complete recovery when threshold met
const newMpc = await recovery.complete({
approvals: [guardianApproval1, guardianApproval2]
})
// 4. Store new device share
await secureStorage.set('mpc-device-share', newMpc.deviceShare)Device Recovery
When user has access to another authenticated session:
// On existing authenticated device
const recoveryToken = await mpc.createRecoveryToken({
expiresIn: '1h'
})
// On new device
const newMpc = await HanzoMPC.recoverFromToken({
token: recoveryToken,
newDeviceId: getDeviceId()
})Security Considerations
Device Share Storage
// Use secure storage APIs when available
if (window.PasswordCredential) {
// Use Credential Management API
await navigator.credentials.store(
new PasswordCredential({
id: 'mpc-share',
password: deviceShare
})
)
} else if (window.crypto.subtle) {
// Encrypt with device key
const encrypted = await encryptWithDeviceKey(deviceShare)
localStorage.setItem('mpc-device-share', encrypted)
}Session Management
// MPC sessions are time-limited
const session = await mpc.createSession({
expiresIn: '15m',
maxOperations: 10
})
// Sign within session
await session.signMessage('Hello')
// Session auto-expiresIntegration with IAM
MPC keys can be linked to IAM accounts:
// Link MPC key to IAM user
await fetch('https://iam.hanzo.ai/api/link-mpc', {
method: 'POST',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
publicKey: mpc.publicKey,
keyType: 'secp256k1',
scheme: '2-of-2'
})
})
// Now user can authenticate with MPC
const authResult = await mpc.authenticate({
challenge: await getAuthChallenge()
})API Reference
POST /api/mpc/generate
Generate new MPC key pair.
curl -X POST https://kms.hanzo.ai/api/mpc/generate \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"userId": "user-123",
"keyType": "secp256k1",
"scheme": "2-of-2"
}'POST /api/mpc/sign
Request MPC signature.
curl -X POST https://kms.hanzo.ai/api/mpc/sign \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"deviceShare": "...",
"messageHash": "0x...",
"keyId": "key-123"
}'POST /api/mpc/recover
Initiate key recovery.
curl -X POST https://kms.hanzo.ai/api/mpc/recover \
-H "Content-Type: application/json" \
-d '{
"userId": "user-123",
"email": "[email protected]",
"recoveryMethod": "social"
}'Best Practices
- Never store device shares in plain text
- Use secure enclaves when available (iOS Keychain, Android Keystore)
- Implement session timeouts for signing operations
- Enable recovery guardians before going live
- Monitor for suspicious signing patterns
- Use hardware security modules (HSM) for enterprise deployments
Next Steps
How is this guide?
Last updated on