Prime

Safely Enrolling a New Mobile Device as a Onchain Signer

Please review the process documented here if you are a current Onchain Signer and are upgrading or trading in your current iPhone.

Failure to create a device recovery backup and maintain more than one valid Onchain Signer can result in a total loss of access to your wallet.

This article provides step-by-step instructions on how to enroll a new mobile device when you are already an Onchain Signer. There are several situations where enrolling a new device is necessary, such as:

  1. Upgrading to a new mobile device. The older device able to sign is still available and in the user’s possession.

  2. Replacing a damaged or lost device. The older device able to sign is not available.

The flow to enroll a user’s new device is to first ensure another signer is available, then have an admin remove and re-add that user’s signer role, and finally execute the device onboarding flow.

Whenever new mobile devices are enrolled, it is important to follow these guidelines for every portfolio to ensure the safety and security of the wallet access and assets.

The steps to enroll a new mobile device for an existing Onchain Signer depend on the current setup of your account. Follow the steps in the section below that matches your situation to learn how you can secure your Onchain Wallet.

If multiple users are enrolling new devices, complete the device enrollment process for one user at a time to ensure a signer retains access to the key shard at all times.

Failure to create a recovery backup and maintain at least one valid Onchain Signer other than yourself can result in a total loss of access to your wallet.

Before proceeding with any changes, it is crucial to ensure you have the following for every Portfolio your device has a key shard for: 

  1. Make sure you have access to your recovery passphrase: Before initiating any process, it is essential to ensure you already created a recovery backup for your portfolio and have access to the recovery passphrase. The recovery passphrase will still be valid after enrolling the new device.

  2. Maintain at least one valid Onchain Signer other than yourself: To ensure uninterrupted access to your portfolio, it is important to always maintain at least one valid Onchain Signer since you will be temporarily removed from the signer role. This will ensure the portfolio has a functioning key shard to approve the enrollment of your new device.

  3. When possible, retain access to your old device until you have completed all steps to enroll the new one.

If your portfolio has multiple Onchain Signers and these users have access to the key shard, use an existing Onchain Signer with access to the key shard to re-enroll the new device.

The process includes: 

  1. Have an Administrator remove the Onchain Signer permission of the user who wants to enroll a new device. Only remove and reprovision access for one Onchain Signer at a time. Complete steps 2 and 3 for that user.

  2. Re-add the Onchain Signer permission to the user by going to Settings > Onchain > Add Onchain Signer.

  3. Complete the process outlined below to enroll the user's new device.

Administrator: Remove the Onchain Signer permission for the user to invalidate the key shard on the old device

  1. Log into Prime on your desktop/web browser.

  2. Open Settings by clicking the gear icon.

  3. Navigate to the Onchain Settings by clicking the onchain planet icon.

  4. Next to the user, click the three-dot menu (…) and select Remove Onchain Signer Role.

Administrator: Next, re-add the user as an Onchain Signer:

  1. Log into Prime on your desktop/web browser.

  2. Open Settings by clicking the gear icon.

  3. Navigate to the Onchain Settings by clicking the onchain planet icon.

  4. Click Add Onchain Signer.

New & Existing Onchain Signers: Complete new device enrollment with the Prime Approvals app:

  1. In the Prime Approvals app, the enrolling Onchain Signer completes the Onchain Signer Device Enrollment activity from the Tasks tab to request Access to the wallet key. 

  2. An existing Onchain Signer approves this request from their mobile device. 

  3. The new Onchain Signer accepts the key on their mobile device to complete enrollment. 

If you need to confirm that the device has a valid key shard after enrolling it, you can execute a test transaction to ensure the device is able to sign for that portfolio.


If enrolling multiple new devices, complete the steps above separately for each user. Removing all Onchain Signers from your portfolio can result in a total and permanent loss of access to your wallet and assets stored on your web3 wallets within the impacted portfolio.
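The one-user-at-a-time rule can be checked against a planned rotation before anyone changes Settings. This added example is a toy model, not Prime's code or API: the class, function and signer names are assumptions, and it models only what this article states (removing the role invalidates the old shard, and enrollment needs approval from another signer whose device holds a valid shard).

```python
"""Toy model of the signer rotation rules described above (constructed, not Prime's API)."""

class Portfolio:
    def __init__(self, signers):
        # signer name -> True if that signer's device holds a valid key shard
        self.shard = dict(signers)

    def holders(self):
        return sorted(name for name, ok in self.shard.items() if ok)

    def remove_role(self, user):
        # Removing the role invalidates the key shard on the user's old device.
        self.shard.pop(user)

    def add_role(self, user):
        # A re-added signer has the role but no shard until enrollment completes.
        self.shard[user] = False

    def enroll(self, user, approver):
        # Another signer whose device holds a valid shard must approve the request.
        if approver == user or not self.shard.get(approver, False):
            raise RuntimeError(f"{approver} cannot approve enrollment of {user}")
        self.shard[user] = True

def check_plan(signers, plan):
    """Replay (op, *args) steps; return (True, None) or (False, index of first unsafe step)."""
    portfolio = Portfolio(signers)
    for i, (op, *args) in enumerate(plan):
        try:
            getattr(portfolio, op)(*args)
        except (RuntimeError, KeyError):
            return False, i
        if not portfolio.holders():
            return False, i  # no device holds a shard: only passphrase recovery remains
    return True, None

def rotate(user, approver):
    return [("remove_role", user), ("add_role", user), ("enroll", user, approver)]

START = {"alice": True, "bob": True}  # constructed two-signer portfolio
ONE_AT_A_TIME = rotate("alice", "bob") + rotate("bob", "alice")
BOTH_AT_ONCE = [("remove_role", "alice"), ("remove_role", "bob"),
                ("add_role", "alice"), ("add_role", "bob"),
                ("enroll", "alice", "bob"), ("enroll", "bob", "alice")]

if __name__ == "__main__":
    print("one at a time:", check_plan(START, ONE_AT_A_TIME))
    print("both at once: ", check_plan(START, BOTH_AT_ONCE))
```

The sequential plan passes, while the parallel plan is rejected at the step that removes the last shard holder, which is the point where the passphrase-based recovery flow becomes the only way back in.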

We do not recommend having a portfolio with a single user. View how to add new Onchain Signers to your account here.

Portfolio with a single user (not recommended) - use Passphrase to restore to the new device:

  1. Verify that you have access to the passphrase associated with your device recovery backup

  2. Have an Administrator initiate the “Recover Onchain Key” activity by going to Settings > Onchain > Recover Key

  3. Complete the process to enroll the new device of the user

Take the following steps to initiate your device recovery. 

Administrator: Designate the Onchain Signer to complete the device recovery

  1. Log into Prime and click the settings gear icon on the left side.

  2. Click the Onchain icon and locate the Key Management section on the right hand side.

  3. Under Recover Onchain Key click Initiate Recovery and Continue.

  4. From the dropdown, select the existing Onchain Signer who will complete the key recovery. Note: the signer will need the Prime Approvals mobile app and access to the 12-word recovery passphrase.

  5. Initiate the activity and authenticate with your Yubikey.

  6. Reach your portfolio’s General Consensus approval threshold to approve the request.

Designated Web3 Signer to perform recovery: Complete device recovery

  1. Log into Prime and click the Tasks bell icon on the top right section of the page.

  2. Open the Recover Onchain Key activity and click Continue.

  3. Scan the QR code with your mobile device and/or log into the Prime Approvals mobile app.

  4. Enable biometrics (Face ID). If you face any issues, make sure biometrics are enabled on your mobile device.

  5. Enter the 12-word recovery passphrase and click Continue.

  6. Once you see the confirmation that the key recovery is complete, click Done.