Dynamic’s embedded wallets use a 2-of-2 threshold signature scheme where one User Share is held by the user on their device and a Dynamic Server Share is held by Dynamic. For basic recovery scenarios, when a user logs in on a new device:
The user authenticates with their credentials
Dynamic provides their encrypted copy of the User Share
The share is decrypted through the Encryption Proxy Service (Dynamic does not have access to encryption/decryption keys)
The decrypted share is stored on the new device
The wallet is ready for use immediately
This process happens invisibly to the end user, providing a seamless recovery experience. In other words, the user does not need to know a recovery occurred.
Users can enable additional recovery options through User Share Backup Options, storing their User Share to Google Drive, Apple iCloud, or downloading it locally.
When this is enabled:
The system automatically upgrades to a 2-of-3 threshold scheme through Key Resharing
Using the stored User Share from backup + Dynamic Server Share
Using the local User Share + Dynamic Server Share
Using the local User Share + stored User Share from backup (Independent Recovery)
When a user has access to both their local User Share and the stored backup copy, they can perform Independent Recovery without requiring Dynamic’s share. As long as they are logged in and have access to the client-side SDK, they can use these two shares to export their private key completely independently of Dynamic’s systems. This ensures a critical self-custody guarantee, allowing users to recover their wallet even if Dynamic’s services are unavailable.