Web3 signers hold a key shard on their mobile device using the Coinbase Prime Approvals app. If the mobile device is lost or broken, or the app is uninstalled, that user loses access to their shard and cannot sign transactions.
The Coinbase Prime Web3 Wallet is equipped with multiple recovery options to help you avoid losing access to your wallet. However, if the necessary precautions are not taken, there is a risk of losing access to your wallet. Let's run through some examples:
| Web3 Wallet access example | At least 1 signer has access to shard | At least 1 user has access to recovery passphrase | Recovery method to use |
| --- | --- | --- | --- |
| Individual Web3 Signer lost access to key shard. Ex.: Signer deletes the Prime Approvals app or loses their device | True | True | ✅ Existing signer reprovisions user access |
| Individual Web3 Signer lost access to key shard. Ex.: Signer deletes the Prime Approvals app or loses their device | True | False | ✅ Existing signer reprovisions user access |
| All signers have lost access to their devices. Ex.: Company-wide wipe of mobile devices | False | True | ✅ Recover key with recovery passphrase |
| Recovery passphrase lost. Ex.: File storing recovery passphrase deleted | True | False | ✅ Replace recovery passphrase, but requires at least one Web3 Signer with access to the key shard |
| All signers and access to their shard passphrase lost. Account has only 1 signer, who has left the company, and that individual was the only person with the recovery passphrase saved on their mobile device. | False | False | ❌ No recovery options available and wallet access permanently lost. |
In the event a user loses access to their mobile device or the Prime Approvals app, another Web3 Signer in the portfolio can clone the shard to reprovision their access. Note that this method can only be used when another Web3 Signer in the portfolio has access to the wallet.
To reprovision a Web3 Signer’s access to a wallet, there are 2 core steps:
Step 1: Remove and reinitiate Web3 Signer permission for the impacted user (Administrator)
Log into Prime and click the settings gear icon on the left side.
Click the Web3 icon and scroll down to User Access.
Click the three dots next to the impacted user.
Click Remove Web3 Signer and verify with your Yubikey.
Reach consensus to approve the change.
Once reached, navigate back to the Web3 Settings page and click Add Web3 Signer.
Select the team member from the dropdown.
Initiate the activity and authenticate with your Yubikey.
Reach consensus to approve the change.
Step 2: Re-enroll device (Web3 Signers)
Impacted Web3 Signer: Request to re-enroll device
Log into Prime and click the Tasks bell icon on the top right section of the page.
Open the Add New Web3 Signer activity and click Enrollment Instructions to start the device enrollment process.
Review the requirements and click Continue.
Scan the QR code with your mobile device and log into the Prime Approvals mobile app.
Click Get Started on the Device Enrollment page.
If you are not automatically shown the device enrollment page, open the Device Enrollment activity from your Tasks tab in the respective portfolio.
Enable biometrics if required and click Done. If you face any issue, make sure biometrics is enabled on the device.
Follow the prompts to request access to the Web3 key.
On the Request Sent page, click Done to complete this step.
Existing Web3 Signer: Approve enroll device request
Log into Prime and click the Tasks bell icon on the top right section of the page.
Open the Add New Web3 Signer activity and click Signing Instructions.
Scan the QR code with your mobile device and log into the Prime Approvals mobile app.
Click Review Request on the Add New Web3 Signer page.
Select “Approve & Sign” and verify with biometrics to clone the key shard.
Impacted Web3 Signer:
Open the mobile notification from the Prime Approvals app or open the task in your respective portfolio if you have missed the notification.
Review the final message to complete device enrollment and click Done to complete the process (without clicking on Done you won’t have a valid key shard on your device yet).
You now have the wallet key shard on your device and can sign transactions as a Web3 Signer.
In the event all your Web3 Signers have lost access to their devices, you can still recover access using the recovery passphrase. During onboarding, Coinbase creates a recovery backup of your key shard that is encrypted with a 12 word recovery passphrase. This encryption ensures your key shard is never exposed to Coinbase. Your 12 word recovery passphrase is NOT your private key; it is an encryption key for the encrypted recovery backup stored by Coinbase.
Take the following steps to initiate your device recovery.
Administrator: Designate the Web3 Signer to complete the device recovery
Log into Prime and click the settings gear icon on the left side.
Click the Web3 icon and locate the Key Management section on the right-hand side.
Under Recover Web3 Key click Initiate Recovery and Continue.
Select an existing Web3 Signer from the dropdown who will complete the key recovery. Note: the signer will need the Prime Approvals mobile app and access to the 12 word recovery passphrase.
Initiate the activity and authenticate with your Yubikey.
Reach your portfolio’s General Consensus approval threshold to approve the request.
Designated Web3 Signer to perform recovery: Complete device recovery
Log into Prime and click the Tasks bell icon on the top right section of the page.
Open the Recover Web3 Key activity and click Continue.
Scan the QR code with your mobile device and/or log into the Prime Approvals mobile app.
Enable biometrics (Face ID). If you face any issue, make sure biometrics is enabled on your mobile device.
Enter the 12 word recovery passphrase and click Continue.
Once you see the confirmation that the key recovery is complete, click Done.
In the event you lose access to the recovery passphrase for your wallet or want to rotate your recovery passphrase, you can generate a new backup and recovery passphrase to replace it, as long as one of your signers has access to their device and Web3 key shard. Replacing a recovery backup will invalidate the previous recovery passphrase.
Administrator: Designate the Web3 Signer to complete the recovery backup replacement
Log into Prime and click the settings gear icon on the left side.
Click the Web3 icon and locate the Key Management section on the right-hand side.
Under the Replace Recovery Backup option, click Initiate Replacement and Continue.
Select an existing Web3 Signer from the dropdown who will complete the recovery backup replacement. Note that this user must have access to their device that holds the key shard.
Initiate the activity and authenticate with your Yubikey.
Reach your portfolio’s General Consensus approval threshold to approve the request.
Web3 Signer: Complete recovery backup replacement
Log into Prime and click the Tasks bell icon on the top right section of the page.
Open the Replace Recovery Backup activity and click Continue.
Scan the QR code with your mobile device and log into the Prime Approvals mobile app.
On the “Create New Recovery Backup” activity page, click Create New Backup.
NOTE: Once you take this step, your initial backup will be invalid. You cannot cancel the activity and must complete the steps to create the new backup to ensure you have a valid recovery backup for your wallet. Once your backup is invalidated, if you lose access to all signers, you lose access to the wallet.
Authenticate with biometrics (Face ID).
View the 12 word recovery passphrase and store it in a safe location.
Once you are confident the passphrase is stored safely, click Continue. Note that the passphrase will not be shown again after you click Continue.
Select the first (1st) and last (12th) word of your passphrase to confirm it is saved.
Once you see the confirmation that the new backup and passphrase are created, click Done.