Standard Recovery Flow

Dynamic’s embedded wallets use a 2-of-2 threshold signature scheme where one User Share is held by the user on their device and a Dynamic Server Share is held by Dynamic. For basic recovery scenarios, when a user logs in on a new device:

  1. The user authenticates with their credentials
  2. Dynamic provides their encrypted copy of the User Share
  3. The share is decrypted through the Encryption Proxy Service (Dynamic does not have access to encryption/decryption keys)
  4. The decrypted share is stored on the new device
  5. The wallet is ready for use immediately

This process happens invisibly to the end user, providing a seamless recovery experience. In other words, the user does not need to know a recovery occurred.

Enhanced Security with Passcode Protection

For additional security, users can opt to protect their stored User Share with Passcode Encryption:

  • The stored User Share is encrypted with the user’s passcode
  • When recovering on a new device, users must enter their passcode to decrypt the share
  • Without the correct passcode, the stored share cannot be accessed
  • This provides an extra layer of security but requires users to remember their passcode

You can toggle this option as required or optional in your developer dashboard.

Cloud Backup Recovery (2-of-3 Setup)

Users can enable additional recovery options through User Share Backup Options, storing their User Share to Google Drive, Apple iCloud, or downloading it locally.

When this is enabled:

  • The system automatically upgrades to a 2-of-3 threshold scheme through Key Resharing
  • The user maintains their local User Share
  • A copy of the User Share is stored using their chosen backup option
  • Dynamic continues to secure the Dynamic Server Share

This creates three recovery paths:

  1. Using the stored User Share from backup + Dynamic Server Share
  2. Using the local User Share + Dynamic Server Share
  3. Using the local User Share + stored User Share from backup (Independent Recovery)

When a user has access to both their local User Share and the stored backup copy, they can perform Independent Recovery without requiring Dynamic’s share. As long as they are logged in and have access to the client-side SDK, they can use these two shares to export their private key completely independently of Dynamic’s systems. This ensures a critical self-custody guarantee, allowing users to recover their wallet even if Dynamic’s services are unavailable.

We also offer additional more sophisticated recovery configurations including custom threshold schemes and Developer-Hosted Backups, see our Advanced Features documentation.