Recovery
Coming Soon: TSS-MPC Embedded Wallets
We announced our new TSS-MPC offering at EthDenver 2025, and it's rolling out in the coming weeks. Contact us for early access or to learn more. If you're looking to start using Dynamic today, we recommend starting with our TEE wallets. When our TSS-MPC wallets are rolled out, you'll have a clear upgrade path to transition your users to the new system.
Standard Recovery Flow
Dynamic’s TSS-MPC wallets use a 2-of-2 threshold signature scheme where one key share is held by the user on their device and another by Dynamic. For basic recovery scenarios, when a user logs in on a new device:
- The user authenticates with their credentials
- Dynamic provides their encrypted backup share
- The share is decrypted through a third-party encryption proxy service (Dynamic does not have access to encryption/decryption keys)
- The decrypted share is stored on the new device
- The wallet is ready for use immediately
This process happens invisibly to the end user, providing a seamless recovery experience. In other words, the user does not need to know a recovery occurred.
Enhanced Security with Passcode Protection
For additional security, users can opt to protect their backup share with a passcode:
- The backup share stored by Dynamic is encrypted with the user’s passcode
- When recovering on a new device, users must enter their passcode to decrypt the share
- Without the correct passcode, the backup share cannot be accessed
- This provides an extra layer of security but requires users to remember their passcode
You can toggle this option as required or optional in your developer dashboard.
Cloud Backup Recovery (2-of-3 Setup)
Users can enable an additional recovery option by backing up a second share to iCloud or Google Drive, or alternatively by downloading the second share to their local device.
When this is enabled:
- The system automatically upgrades to a 2-of-3 threshold scheme
- The user maintains their local device share
- A second share is stored in their cloud storage (e.g. iCloud or Google Drive)
- Dynamic continues to secure the third server share
This creates three recovery paths:
- Using the cloud backup share + server share
- Using the local device share + server share
- Using the local device share + cloud backup share
When a user has access to both their local device share and cloud backup share, they can perform an offline recovery without requiring Dynamic's share. As long as they are logged in and have access to the client-side SDK, they can use these two shares to reconstruct and export their private key completely independently of Dynamic's systems. This provides an important self-custody guarantee: users can always recover their wallet even if Dynamic's services are unavailable.
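The 2-of-3 property behind the three recovery paths can be checked with a short sketch. This is an added example, not Dynamic's code: the page does not say which sharing scheme the product uses, so Shamir secret sharing over the secp256k1 scalar field stands in for it, and the share indices and function names are hypothetical.

```python
import secrets

# Order of the secp256k1 group: wallet private keys are scalars modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Holder names follow the page; the share indices are assumed for this sketch.
HOLDERS = {"device": 1, "cloud": 2, "server": 3}
RECOVERY_PATHS = [("cloud", "server"), ("device", "server"), ("device", "cloud")]

def split_2_of_3(secret):
    """Hide the secret as f(0) of a random line f(x) = secret + a1*x mod N."""
    if not 0 < secret < N:
        raise ValueError("secret must be a non-zero scalar below N")
    a1 = secrets.randbelow(N)  # uniform slope, so one share is uniform too
    return {name: (x, (secret + a1 * x) % N) for name, x in HOLDERS.items()}

def recover(share_a, share_b):
    """Lagrange-interpolate f(0) from any two distinct shares."""
    (x1, y1), (x2, y2) = share_a, share_b
    if x1 % N == x2 % N:
        raise ValueError("two different shares are required")
    return (y1 * x2 - y2 * x1) * pow(x2 - x1, -1, N) % N

def check_paths(secret):
    """Return, per recovery path on the page, whether it restores the key."""
    shares = split_2_of_3(secret)
    return {p: recover(shares[p[0]], shares[p[1]]) == secret for p in RECOVERY_PATHS}

def slope_for_guess(share, guess):
    """Slope that makes `guess` consistent with one share: every guess has one."""
    x, y = share
    return (y - guess) * pow(x, -1, N) % N

if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1  # constructed sample key
    for path, ok in check_paths(key).items():
        print(" + ".join(path), "->", "recovers key" if ok else "FAILS")
    lone = split_2_of_3(key)["server"]
    print("server share alone fits guess 1 with slope", hex(slope_for_guess(lone, 1)))
```

Because every candidate key is consistent with a single share, holding only the server share (or only the cloud share) gives no information about the key; the passcode option above adds a second barrier on top of that for the stored backup share.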
We also offer more sophisticated recovery configurations, including custom threshold schemes and enterprise backup solutions; see our Advanced Features documentation.