Zel ID — Security Features of the ZelCore Multi-Asset Wallet

Flux Official
6 min readOct 9, 2018

An in-depth look at the secure, convenient system that protects users’ assets within the encrypted ZelCore platform

  • Zel ID — Double-hashed username+password selected by the user to generate master private key for ZelCore
  • d2FA — decentralized 2-Factor Authentication, selectable PIN stored securely on blockchain
  • Easy Login — biometrics- or passphrase-protected wallet access and Tx confirmation
  • Message signing — Confirm messages are sent from you (no full node/syncing required)

Zel ID — The first layer of security for ZelCore accounts

After installing the ZelCore multi-asset platform, a new user is prompted to create a username and password. The username and password (login credentials) should be unique and strong, ones not used for other services/logins and not easily guess-able or personally identifiable. These credentials will secure your assets, just like your standard login for a banking app or brokerage account.

The username+password are then locally hashed with salts to generate a master private key for the wallet, and in turn this master key is used to generate public and private keys for all assets within ZelCore. No account, login, or private key information is stored remotely by ZelCore; treat your username+password as you would a mnemonic passphrase or priv key as it cannot be recovered if lost/forgotten.

Since no personal data is stored by ZelCash, your private keys are generated by ZelCore on each login, and an account is registered to a specific device. If you wish to have access to the same account on desktop and mobile, you must register the exact same username+password locally on the new device, then login. There is no backup to restore or files to move to the new device as the lightweight addresses are accessed via your login credentials.

Please remember: There is no solution for a compromised private key besides moving funds to a secure one. A malicious actor with access to a private key can import a balance to a full node or lightweight wallet and send to a different address. There are no do-overs in crypto. Take the time to protect your assets and do not reveal your private keys to ANYONE you do not want to have direct access.

See Zel ID Website.

Left to Right: Login Screen | Portfolio Screen | Single Asset Screen | Zel ID Setup Screen | Biometric Login

d2FA — decentralized 2-Factor Authentication provides a second layer of security, encrypted and stored on the blockchain

d2FA is an optional but recommended additional security layer within Zel ID. This layer utilizes a user-selectable PIN that is attached to a Zel ID which is required for account access and to confirm transactions before transmitting to the public ledger.

Setting up or deactivating d2FA requires a small transaction of Zel (~0.0002 Zel) which is stored on-chain and is not accessible. The transaction is necessary to confirm that you are the owner of the priv keys for the account by signing a message (which proves full access to said public address). The standard Tx fee for the transaction is given to the miners as a standard Tx fee would. Use of d2FA to log in or send Tx’s does not require a transaction and does not cost any Zel. Only setting up or deactivating d2FA costs Zel.

d2FA significantly differs from current 2-Factor Auth systems like Google Authenticator or Authy as the credentials are not linked to a phone number or single security device. d2FA helps mitigate against known security vulnerabilities and attack vectors like:

  • Using the same login credentials across multiple websites/services
  • Entering login credentials on a compromised or malicious website
  • SIM swap attacks and socially-engineered number ports via Telco’s
  • Data breaches and attacks on centralized infrastructure

Once d2FA is set up, the encrypted PIN is stored on the blockchain and follows the account. For example, if you login on ZelCore desktop and enable d2FA PIN security, then login to the same account on mobile, ZelCore will prompt for the established d2FA PIN on mobile. The PIN should follow the same security rules as login credentials. Avoid easily-guessed or identifiable number sequences, such as birthdays or “123456”.

To set up d2FA: Log into ZelCore and select the “Apps” button (left-bottom on desktop, bottom-right on mobile). Then select the “Zel ID” logo. From here, select “create or change your d2FA PIN”, follow the on-screen dialog and establish your PIN. Once complete, log out from the Settings screen, and your PIN will be required once logging back into ZelCore. The feature can also be disabled within the same Zel ID screen.

SMS-based 2FA has been extensively abused lately to maliciously gain control of wallet priv keys.

Easy Login — Use biometrics (fingerprint/iris scanning) or passphrase with ZelCore

Easy Login can utilize a device’s built-in biometric security features to log into ZelCore. The feature must already be enabled on the device, for example as your lock screen credential, which can in turn be set up within Zel ID to access ZelCore.

For users that either do not have biometric features on device or do not wish to use them, Easy Login can also be associated with a selectable passphrase for more convenience. Easy Login is stored per device, and must be set up on each device for which you wish to use the feature.

To set up Easy Login: Log into ZelCore and select the “Apps” button (left-bottom on desktop, bottom-right on mobile). Then select the “Zel ID” logo. From here, select “create or change Easy Login”, and select biometrics or passphrase. Follow the dialog prompts, and upon logging back into ZelCore, the Easy Login credential will be required. The feature can also be disabled within the same Zel ID screen. d2FA needs to be set up prior to enabling Easy Login.

Use Android/iOS biometrics or a selected passphrase to conveniently access ZelCore

Message Signing — Verify you are the address owner and message sender

Many cryptocurrencies contain a feature to simply yet effectively prove a message sender’s identity as an address holder by sending signed messages. These messages are digitally signed with an address’s private key to prove that the address custodian sent the message.

Two problems with this feature historically have been 1) it requires a full node wallet which in turn requires downloading and syncing of an entire blockchain (which can be very large to store), and 2) owning the priv key doesnt necessarily verify the sender as genuine if the priv keys have been compromised and/or stolen from the original owner.

ZelCore message signing aims to help solve these issues. Message signing within ZelCore can be done with a light address, allowing signing to be performed on a mobile device and without syncing a blockchain. Trusted ownership of an address is kept more secure by enabling d2FA, adding second security layer to protect access to a user’s account and private keys.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —-

Written by Zel Technologies, GmbH — 09 October 2018 — Rev. 1