Prime

Safely Enrolling a New Mobile Device as a Web3 Signer

Failure to create a device recovery backup and maintain more than one valid Web3 Signer can result in a total loss of access to your wallet.

This article provides step-by-step instructions on how to enroll a new mobile device when you are already a Web3 Signer. There are several situations where enrolling a new device is necessary, such as:

  1. Upgrading to a new mobile device. The older device able to sign is still available and in the user’s possession.

  2. Replacing a damaged or lost device. The older device able to sign is not available.

The flow to enroll a user’s new device is to first ensure another signer is available, then have an admin remove and re-add that user’s signer role, and finally execute the device onboarding flow.

Whenever new mobile devices are enrolled, it is important to follow these guidelines for every portfolio to ensure the safety and security of the wallet access and assets.

The steps to enroll a new mobile device for an existing Web3 Signer will depend on the current set up of your account, follow these steps. Expand the sections below to learn how you can secure your Web3 Wallet.

If multiple users are enrolling new devices, complete the device enrollment process for one user at a time to ensure a signer retains access to the key shard at all times.

Failure to create a recovery backup and maintain at least one valid Web3 Signer other than yourself can result in a total loss of access to your wallet.

Before proceeding with any changes, it is crucial to ensure you have the following for every Portfolio your device has a key shard for: 

  1. Make sure you have access to your recovery passphrase: Before initiating any process, it is essential to ensure you already created a recovery backup for your portfolio and have access to the recovery passphrase. The recovery passphrase will still be valid after enrolling the new device.

  2. Maintain at least one valid Web3 Signer other than yourself: To ensure uninterrupted access to your portfolio, it is important to always maintain at least one valid Web3 Signer since you will be temporarily removed from the signer role. This will ensure the portfolio has a functioning key shard to approve the enrollment of your new device.

  3. When possible, retain access to your old device until you have completed all steps to enroll the new one.

Failure to create a recovery backup and maintain at least one valid Web3 Signer other than yourself can result in a total loss of access to your wallet.

If your portfolio has multiple Web3 Signers and these users have access to the key shard, use an existing Web3 Signer with access to the key shard to re-enroll the new device.

The process includes: 

  1. Have an Administrator remove the Web3 Signer permission of the user who wants to enroll a new device. Only remove and reprovision access for one Web3 Signer at a time. Complete step b & c for that user.

  2. Re-add the web3 signer permission to the user by going to Settings > Web3 > add Web3 Signer

  3. Complete the process to enroll the new device of the user outlined below

Administrator: Remove the Web3 Signer permission for the user to invalidate the key shard on the old device

  1. Log into Prime on your desktop/web browser.

  2. Open Settings by clicking the gear icon.

  3. Navigate to the Web3 Settings by clicking the web3 planet icon.

Next to the user, click the three dot menu … and select Remove Web3 Signer Role.

Administrator: Next, re-add the user as a web3 signer:

  1. Log into Prime on your desktop/web browser.

  2. Open Settings by clicking the gear icon.

  3. Navigate to the Web3 Settings by clicking the web3 planet icon.

  4. Click Add Web3 Signer.

New & Existing Web3 Signers: Complete new device enrollment with the Prime Approvals app:

  1. In the Prime Approvals app, the enrolling Web3 Signer completes the Web3 Signer Device Enrollment activity from the Tasks tab to request Access to the wallet key. 

  2. An existing Web3 Signer approves this request from their mobile device. 

  3. The new Web3 Signer accepts the key on their mobile device to complete enrollment. 

If you need to ensure the device has a valid key shard you can after enrolling a device, execute a test transaction to ensure the device is able to sign for that portfolio.


If enrolling multiple new devices, complete the steps above separately for each user. Removing all Web3 Signers from your portfolio can result in a total and permanent loss of access to your wallet and assets stored on your web3 wallets within the impacted portfolio.

We do not recommend having a portfolio with a single user. View how to add new Web3 Signers to your account here.

Portfolio with a single user (not recommended) - use Passphrase to restore to the new device:

  1. Verify that you have access to the passphrase associated with your device recovery backup

  2. Have an Administrator initiate the “Recover Web3 Key” activity by going to Settings > Web3 > Recover Key

  3. Complete the process to enroll the new device of the user

Take the following steps to initiate your device recovery. 

Administrator: Designate the Web3 Signer to complete the device recovery

  1. Log into Prime and click the settings gear icon on the left side.

  2. Click the Web3 icon and locate the Key Management section on the right hand side.

  3. Under Recover Web3 Key click Initiate Recovery and Continue.

  4. Select the existing Web3 Signer from the dropdown who will complete the key recovery. Note: the signer will need Prime Approvals mobile app and access to the 12 word recovery passphrase.

  5. Initiate the activity and authenticate with your Yubikey.

  6. Reach your portfolio’s General Consensus approval threshold to approve the request.

Designated Web3 Signer to perform recovery: Complete device recovery

  1. Log into prime and click the Tasks bell icon on the top right section of the page.

  2. Open the Recover Web3 Key activity and click Continue.

  3. Scan the QR code with your mobile device and/or log into the Prime Approvals mobile app.

  4. Enable biometrics (Face ID). If you face any issue make sure biometrics is enabled on your mobile device.

  5. Enter the 12 word recovery passphrase & click Continue.

  6. Once you see the confirmation that the key recovery is complete, click Done.