PrimeVault FAQs
Approvals and Devices
3 min
where do approvals happen — in the web app or on phones? makers set up requests in the web app or over the api approvals happen on the approver’s phone each approver’s signing key is created and kept inside the phone’s secure enclave that means the key lives in a tamper resistant hardware area on the device where the operating system and apps (including ours) cannot read it when you approve a transaction/dapp, etc, the enclave performs the cryptographic signature inside that protected area after you unlock the phone with your pin or biometrics only the signature leaves the device, not the key itself so even if a browser session were compromised, an attacker could not approve without physical control of the registered phone the private key never appears in the browser, and it never sits on primevault’s servers this keeps custody clean and ties approvals to possession of the registered device how does device onboarding work? does primevault ever see our private keys? when you invite a user, the mobile app generates a new key pair on that phone the private key stays sealed in the device’s secure hardware only the public key is registered, so the system can recognize the approver primevault never receives private keys in plaintext each user has one active device at a time replacing a device requires an admin defined recovery quorum, for example, two of three admins approving the new device, after which the previous device is revoked by policy can we restrict devices and recover safely if a phone is lost or stolen? yes we enforce one active device per user, and recovery is approval gated if a phone is lost or stolen, an admin quorum first approves recovery and deregisters the lost device key in policy the user then enrols a new device in practice, our recovery flow treats “key recovery” as registering a new device key, and the system immediately replaces the old public key with the new one, so a revoked device cannot approve anything this requires multi party approval to add the new device and prevents anyone from adding a second device without the configured quorum