Is it feasible to build a keyless wallet on ICP? about oisy-wallet HOT 5 CLOSED

Hi folks,

Would need your help and advice on the following proposal to see if it is technically feasible, thanks.

We are trying to build a keyless crypto wallet which works as follows:

1. The user does not need to manage private keys or seed phrase. The user just can access the wallet using his Web2 credentials (e.g. Google / Twitter accounts).
2. The assets in the wallet are further protected by MFA, say someone steals the user's Web2 credentials and tried to drain the wallet, it would kick off MFA (e.g. a SMS verification process would kick in).

My assumptions:

a. In order to achieve 1., the ICP protocol would need some programmable access conditions set up for the wallet, so that once the user is proven to have the correct Web2 credentials, he would be granted access to the wallet, and is able to retrieve key shares and perform tx signing aggregation.

b. In order to achieve 2., the ICP protocol would need to have some hooks / integration points in the architecture, such as pre-signing hook, for third-parties to hook up their services into.

c. In order to retrieve and aggregate key shares, the user would need an EOA (private key) to be able to invoke the smart contracts, are there options (e.g. AA) to make keyless possible?

Thanks and regards,

Hi @johnnynanjiang,

Great questions.

For 1, I would point you to nfid and their developer documentation.

For 2.b, you should checkout http outcalls

Finally, for c, I'm not sure I completely understand the use case, but you might want to check-out canister signatures

from oisy-wallet.

Hi folks,
Would need your help and advice on the following proposal to see if it is technically feasible, thanks.
We are trying to build a keyless crypto wallet which works as follows:

1. The user does not need to manage private keys or seed phrase. The user just can access the wallet using his Web2 credentials (e.g. Google / Twitter accounts).
2. The assets in the wallet are further protected by MFA, say someone steals the user's Web2 credentials and tried to drain the wallet, it would kick off MFA (e.g. a SMS verification process would kick in).

My assumptions:
a. In order to achieve 1., the ICP protocol would need some programmable access conditions set up for the wallet, so that once the user is proven to have the correct Web2 credentials, he would be granted access to the wallet, and is able to retrieve key shares and perform tx signing aggregation.
b. In order to achieve 2., the ICP protocol would need to have some hooks / integration points in the architecture, such as pre-signing hook, for third-parties to hook up their services into.
c. In order to retrieve and aggregate key shares, the user would need an EOA (private key) to be able to invoke the smart contracts, are there options (e.g. AA) to make keyless possible?
Thanks and regards,

Hi @johnnynanjiang,

Great questions.

For 1, I would point you to nfid and their developer documentation.

For 2.b, you should checkout http outcalls

Finally, for c, I'm not sure I completely understand the use case, but you might want to check-out canister signatures

Thanks @anedos-dfinity for your answers and advice, appreciate that.

I will definitely go check them out.

from oisy-wallet.

Hi @anedos-dfinity ,

I went through the references you advised, and they helped.

Just a couple of further questions that need your help.

1. The link (https://internetcomputer.org/docs/current/samples/t-ecdsa-sample) is broken in the text at https://github.com/dfinity/oisy-wallet

Read more about chain-key cryptography or start building based on chain-key signature sample code.

2. I had a look at the wallet at https://oisy.com/
   2.1. It does not support BTC, is there a plan to support it in the near future?
   2.2. It is Web based, is there a plan to have a mobile version of the wallet? I assume ICP SDK would need to go mobile first?
   2.3. Is it technically feasible to implement MFA (such as SMS) to Oisy Wallet?

A use case is that any withdrawals / transfers great than a certain amount would trigger MFA (e.g. via SMS)

Hi @johnnynanjiang ,

1. Noted, PR already open #726
   2.1. yes, native BTC support is planned, but no hard timeline yet
   2.2. Only as a PWA, no plans for a mobile app for Oisy and frankly the main USP for Oisy is that it doesn't require any downloads.
   2.3. That is a nuanced question. It is technically feasible to build MFA at the application level with HTTPS outcalls, however not sure about the development cost to do so. There is also Orbit wallet, which supports multi-sig and might be closer to use cases that traditionally would require MFA.

from oisy-wallet.

Thanks @anedos-dfinity for your advice.

I'm going through the references you provided, and will let you know how I go, cheers.

from oisy-wallet.

Hi @anedos-dfinity ,

I went through the references you advised, and they helped.

Just a couple of further questions that need your help.

1. The link (https://internetcomputer.org/docs/current/samples/t-ecdsa-sample) is broken in the text at https://github.com/dfinity/oisy-wallet

Read more about chain-key cryptography or start building based on chain-key signature sample code.

2. I had a look at the wallet at https://oisy.com/

   2.1. It does not support BTC, is there a plan to support it in the near future?

   2.2. It is Web based, is there a plan to have a mobile version of the wallet? I assume ICP SDK would need to go mobile first?

   2.3. Is it technically feasible to implement MFA (such as SMS) to Oisy Wallet?

A use case is that any withdrawals / transfers great than a certain amount would trigger MFA (e.g. via SMS)

from oisy-wallet.