Architecture

Authentication

Passwordless Authentication

Harpie uses passwordless authentication with MFA to securely authenticate all of our users. We generate key-pairs for your account and your Harpie proxy using the Ethereum network. The private key is used to generate a cryptographically verifiable proof of identification and authorization. This proof is then sent to our resource servers to validate claims and recover privileged information, without ever needing a password. The claim format is an adaptation of the W3C Decentralized Identifiers protocol for globally unique and resolvable identifiers.

Non-Custodial Key Management

When something is non-custodial, you have sole control over your private keys. With sole control over your private keys, you have full control and ownership of your cryptocurrency. Users directly interface with AWS KMS and AWS Cognito for critical encryption and decryption to guarantee Harpie stays non-custodial. We never access or see our users' private keys, reducing the risk of unauthorized access to your wallet or Proxy.
When a user successfully authenticates through our auth relayer, they receive a time-bound access token. This access token is then traded for scoped credentials, which let the user communicate directly with AWS and use their master key for encryption and decryption. This entire process bypasses the Harpie backend. Both access tokens and scoped credentials are created dynamically by AWS, with audit logs and TTLs enabled, and are exchanged exclusively with the client. We have also removed our own permission to decrypt with AWS KMS, preventing malicious insider attacks or negligence.
Public-and-private key-pairs are generated client-side using 256 bits of entropy and are encrypted and decrypted directly by AWS KMS.

Multi-factor Authentication

Harpie offers end-user Multi-factor Authentication (MFA) through mobile authenticator apps like Authy or other QR-based authenticators. MFA is essential for account security because it provides a second layer of protection to your account. With MFA enabled, attackers would need access to both your email and secondary device in order to access your Harpie account. MFA functionality is enabled for all users. There are future plans to extend MFA authentication to hardware devices (like YubiKey) and biometrics.

Zero-Knowledge Proofs + HSMs

Hardware Security Modules (HSMs) hosted by Amazon Web Services' Key Management Service (KMS) provide secure encryption and decryption operations for authentication and identification. These HSMs are a sort of black box, similar to hardware-based cold wallets like Trezor or Ledger, where data can be signed and validated without exposing the secrets stored within them.
A user-specific master key generated using AES-256 with 384 bits of entropy is stored within these HSMs. Private keys generated for use by the Harpie Proxy are then encrypted by the user's master key. An attacker who wanted access to your account or Proxy would need to gain access to these hardware modules to retrieve the private keys.

Network Architecture

TLS, HSTS, and SSL

Harpie uses industry-standard network protocols for all communications between users and our servers. The Transport Layer Security (TLS) protocol, HTTP Strict Transport Security (HSTS) standard, and Secure Sockets Layer (SSL) protocol help to mitigate the risk of man-in-the-middle and downgrade attacks on our service by providing end-to-end encryption for all of our users.

CSRF + XSS

Harpie enforces strict CSP headers to reduce the risk of XSS and data ingestion exploits. CSRF tokens are unique, secret, unpredictable values that are generated server-side. We use CSRF tokens to ensure that all requests are authentic and have not been forged by malicious attackers.

Phishing Protection

Harpie has reduced the risk of phishing attacks. A phishing attack is where a malicious attacker pretends to be an authentic service. A phishing site usually asks for a password or seed phrase and compromises your account as soon as you enter them. Harpie NEVER asks for a password or your wallet seed phrase, so any sites pretending to be Harpie should be immediately reported to our team at [email protected].
Harpie authenticates logins through magic links sent to your email. If a magic link is lost, stolen, or compromised in transit, the token included in the email is only privileged to verify a login request from the device and/or browsing context that initiated the request. An attacker would require physical access to the user's device and unencrypted email inbox to abuse it.
We also whitelist domains. Even if an exact 1-to-1 copy of our site were created with compromised API keys, the illegitimate application would not be able to forge requests on a user's behalf.
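One way to implement the context-bound magic-link check described above, added here as an illustration and not Harpie's own code: the server ties each pending login to a random nonce it sets as a cookie in the requesting browser, and only completes the login when the emailed token is presented from a browser that still holds that nonce. The in-memory pending store, the 10-minute TTL and the single-use rule are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime of a magic link

# Pending login requests keyed by the opaque token mailed out.
# Constructed in-memory store; a real service would use a short-lived server-side datastore.
_pending = {}


def _ctx_hash(context):
    # Only a hash of the browser nonce is stored, so a leaked store does not yield usable cookies.
    return hashlib.sha256(context.encode()).hexdigest()


def start_login(email, now=None):
    """Browser asks for a magic link. Returns (context_nonce, mail_token).

    context_nonce is set as an HttpOnly, SameSite cookie in the requesting browser;
    mail_token is the only thing that goes into the email.
    """
    now = now if now is not None else time.time()
    context = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    _pending[token] = {"email": email, "ctx": _ctx_hash(context), "expires": now + TOKEN_TTL_SECONDS}
    return context, token


def verify_login(token, context_cookie, now=None):
    """Link is opened. Returns the email on success, None otherwise."""
    now = now if now is not None else time.time()
    req = _pending.get(token)
    if req is None:
        return None
    if now > req["expires"]:
        _pending.pop(token, None)  # expired: discard
        return None
    if context_cookie is None or not hmac.compare_digest(req["ctx"], _ctx_hash(context_cookie)):
        # Opened outside the browsing context that requested it (e.g. from a stolen email).
        # The request is left pending so the attacker cannot burn the legitimate user's link.
        return None
    _pending.pop(token)  # single use once the right browser redeems it
    return req["email"]
```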