Traditionally in Web3, you need a private key to sign transactions, and a seed phrase from which that private key is derived. Vessel uses a different private key derivation process: the key is derived locally, in a non-custodial manner, from the combination of an email address, a password, and a 6-digit PIN.
Vessel combines these familiar web 2.0 style login factors, which are easy for humans to remember, into a single login digest string. That digest is then fed to the PBKDF2 key derivation function in HMAC-SHA512 mode for 3 million rounds. PBKDF2 is deliberately expensive to compute, so each guess at the inputs costs the attacker the same 3 million rounds. Note that hashing does not add entropy: the derived key is a deterministic function of the three factors, and its strength is exactly the strength of those inputs. A 6-digit PIN contributes at most one million possibilities (under 20 bits), so the password carries most of the security, which is why the rules below are strict about it. The requirements for each Vessel login component are as follows:
- Email - The email address is used purely locally as one input to the key derivation process. It is never transmitted anywhere automatically, and it does not need to match the email address you use for credential attestation in your browser extension. There is no minimum length; it must contain the "@" symbol. Because it is a derivation input, it must be entered exactly the same way every time, since any change to it produces a different key.
- Password - A strong password that should be completely unique to your Vessel passport. Like the email address, the password is never transmitted anywhere and is used only locally, as the primary input to the key derivation process. It must be at least 12 characters long and contain upper-case letters, lower-case letters, symbols, and numbers. It must also not be a previously breached password according to https://haveibeenpwned.com. A breach check that keeps the password local should use the Pwned Passwords k-anonymity range API, which sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes on the client, so the password itself still never leaves the machine.
- PIN - A 6-digit numeric PIN. The PIN both strengthens the key derivation process and serves as a simple multi-factor consent check inside Vessel itself, when you authorize certain types of transactions such as sending crypto. The PIN is never transmitted off the machine at any point.
All three factors are used exclusively on the local system as inputs to the PBKDF2-HMAC-SHA512 key derivation process and are never stored anywhere in cleartext form at any point.
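The following Python example is added here to make the process above concrete; it is not Vessel's code, and the page does not specify how the three factors are combined into the digest, so the domain-separation tag, the length-prefixed salt construction, the choice to use the password as the PBKDF2 password and the email and PIN as the salt, the 32-byte output length, and the absence of any email normalisation are all assumptions of this example. It enforces the input rules described above, runs PBKDF2-HMAC-SHA512 (3 million rounds by default, with a lower count available for testing), and shows the client side of a haveibeenpwned.com k-anonymity range check so that only a 5-character hash prefix would ever be sent.

```python
import hashlib
import re

# Hypothetical domain-separation tag for this example; Vessel's real
# construction is not specified on the page.
DOMAIN_TAG = b"vessel-style-kdf-example-v1"
DEFAULT_ROUNDS = 3_000_000   # the round count the page states
KEY_LEN = 32                 # 256 bits of key material (an assumption)

PASSWORD_RULES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def validate_factors(email: str, password: str, pin: str) -> None:
    """Enforce the input rules described on the page (except the breach check)."""
    if "@" not in email:
        raise ValueError("email must contain '@'")
    if len(password) < 12:
        raise ValueError("password must be at least 12 characters")
    for name, rule in PASSWORD_RULES.items():
        if not rule.search(password):
            raise ValueError(f"password must contain at least one {name} character")
    if not re.fullmatch(r"[0-9]{6}", pin):
        raise ValueError("PIN must be exactly 6 ASCII digits")


def _length_prefixed(data: bytes) -> bytes:
    # 2-byte big-endian length prefix so "ab"+"c" and "a"+"bc" never collide
    return len(data).to_bytes(2, "big") + data


def build_salt(email: str, pin: str) -> bytes:
    """Combine the non-password factors into a fixed-size salt.

    Assumption: no case folding or whitespace normalisation is applied, so the
    email must be typed identically each time or a different key results.
    """
    material = (
        DOMAIN_TAG
        + _length_prefixed(email.encode("utf-8"))
        + _length_prefixed(pin.encode("ascii"))
    )
    return hashlib.sha512(material).digest()


def derive_key(email: str, password: str, pin: str,
               rounds: int = DEFAULT_ROUNDS) -> bytes:
    """Derive 32 bytes of key material with PBKDF2-HMAC-SHA512.

    The output is deterministic: the same three inputs always yield the same
    bytes, which is what makes the wallet recoverable without a seed phrase.
    Turning these bytes into a chain-specific private key (for example,
    reducing modulo the curve order) is outside this example.
    """
    validate_factors(email, password, pin)
    salt = build_salt(email, pin)
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               rounds, dklen=KEY_LEN)


def hibp_range_parts(password: str) -> tuple[str, str]:
    """Split the password's SHA-1 into the 5-char prefix that the Pwned
    Passwords range API receives and the 35-char suffix kept on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range-API response ("SUFFIX:COUNT" per line) and return how
    many times the password was seen, 0 if absent. The comparison happens
    locally; the full hash and the password never leave the machine."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.upper() == suffix.upper():
            return int(count)
    return 0


if __name__ == "__main__":
    # Constructed sample inputs; the reduced round count keeps the demo fast.
    key = derive_key("alice@example.com", "Correct-Horse-Battery-9!", "123456",
                     rounds=10_000)
    print("key material:", key.hex())
    prefix, suffix = hibp_range_parts("Correct-Horse-Battery-9!")
    print("range query prefix (the only part that would be sent):", prefix)
```

With the default 3 million rounds a single derivation takes a few seconds on a laptop, which is the point: that cost is paid once per login by the user and once per guess by anyone trying the inputs offline. The example performs no network request; a real breach check would fetch the range for the returned prefix and pass the response text to `count_in_range_response`.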