ZelCore — Security, Convenience, Full Custody
ZelCore utilizes multiple novel security layers to intuitively access and maintain complete ownership of your crypto assets
See summarized security Tips & Recommendation at the end of this post.
The ZelCore encrypted multi-asset wallet was developed using the ubiquitous account scheme of a username and password. While this concept is well-known for things like website and email log-in, it hasn’t been used often in the crypto world because typically the username and/or password are stored in a centralized database and concerns over net traffic logging, tracking, and/or monitoring by 3rd parties (i.e. privacy concerns). Numerous stories of data breaches and malicious, socially engineered workarounds to gain account access have been prominent in tech-related news for years. Common backup methods such as mnemonic seed phrases have provided good security in the past, but are difficult to remember and use for everyday access to crypto funds.
ZelCore solves many of these issues and concerns by:
- Allowing the user to choose a username and password that can be more conveniently memorized and used for every day use
- Using a double hash of the username+password with salts to generate a master private key for the wallet, which in turn is used to generate the private keys for each asset
- Performing all hash functions locally on the device running ZelCore
- Not storing any account, login, or private key data remotely
This system of security, named Zel ID, provides convenience for everyday wallet use without sacrificing safety; the unique double-hash strategy produces a highly random master private key where the function inputs are not stored remotely and are only known to the account creator. The user should select login credentials that are sufficiently long, not personally identifying or easily guessed, and not used for other services in case of past/future data breaches of these other services. Back up your username+password with pen and paper and store in a secure location, just like a mnemonic pass phrase or private key.
Additional Layers of User Security
Complimenting Zel ID are two more security features, decentralized 2-Factor Authentication (d2FA) and Easy Login. d2FA ties a user-selected PIN to a ZelCore account by encrypting the PIN and storing the number on the Zel blockchain. The PIN is required as step-up authentication to gain access to ZelCore and to transmit send transactions. The credential follows the address so if you set up d2FA on desktop, the same account on mobile will require the PIN during login without needing to set up the feature on multiple devices.
Easy Login is coupled with the security features deployed on your mobile device within Android and iOS, allowing biometric features like fingerprint, iris, and face scanning, or a selected passphrase, to log into your ZelCore account. This feature is device-dependent and must be set up once on each device accessing ZelCore, allowing for example fingerprint scanning to be present on a mobile device and a passphrase for logging in on desktop. d2FA must be enabled to set up Easy Login, but the PIN is not required as a log-in credential if the user wishes.
Top Tips and Recommendations When Using ZelCore
(or any wallet for that matter)
- Your ZelCore username+password combination is used to generate private keys for all ZelCore Portfolio assets. It is imperative to protect these credentials by selecting a strong and unique combo that is not used elsewhere and is not to be shared with anyone.
- Your ZelCore username and a hash of your password is stored locally on your device; your plaintext password is not stored anywhere and no credential is transmitted or stored remotely. Users are 100% in control of their security.
- ZelCore can be installed on many devices which allows users to access the same Portfolio anywhere. Each new device needs to be registered using the same username+password if you want access to the same account.
- If you suspect your login credentials have been compromised for any reason, immediately create a new, strong account and transfer funds to the new set of addresses to avoid future losses.
- Never download ZelCore from any source besides the ZelCore website, Android Play Store, and Apple App Store. All other sources are untrusted and could be repackaged with keylogger or other malicious software.
- You can check the SHA256 hash of your ZelCore download against the published hashes to ensure you have the proper install file.
- To calculate the SHA256 hash value of ZelCore installer, you can use
sha256sum <filename>on Linux OR
- The d2FA PIN will only help to prevent unauthorized access to an application, transmitting a transaction, or to change security settings; d2FA can’t stop malicious activity if someone gains access to either your username+password or your plain-text private keys (your user+pass is your priv key).
- d2FA is a feature that allows the use of Easy Login either with a user-selected pass phrase or biometric security features installed on a mobile device such as fingerprint and iris scanning.
- The d2FA PIN selected for a user’s account is encrypted, hashed, and salted before being stored on the Zel blockchain. Setting up or deactivating d2FA requires a transaction of ~0.0002 Zel, but the usage of d2FA does not require any spending of Zel.
- Biometrics or passphrase used with Easy Login stay with the individual device. This information cant leave your device and is part of the security design of the device’s operating system/hardware. Easy Login credentials must be set up on each device used to access your ZelCore account.