Institutions are the stewards of large volumes of funds, either on behalf of their clients or themselves.

Securing these funds is thus a top priority for any discerning institution, which is achieved in the world of digital assets via the protection of private keys. In order to protect private keys, it is crucial to reinforce the security of the self-custody wallet where they are stored. Institutions should thus pay close attention to the design models of these wallets when deciding on a wallet to store their private keys.

In today’s market, there is a range of design models for wallets tailored for institutions. Of all the options available, institutions are highly recommended to deploy a multi-signature wallet because it accounts for the multiple stakeholders that own and manage institutional funds.

When choosing a multi-signature wallet, there are several factors institutions must look out for to ensure that robust security standards and protocols protect their private keys and funds. 

This article outlines 7 factors institutions should consider when exploring the options available to them.

What is a multi-signature wallet?

A multi-signature wallet is a step up from single-signature wallets, requiring at least two or more users to sign and approve transactions. Such wallets are paired with multiple private keys, each key responsible for applying a signature that represents its corresponding owner’s approval of the transaction.

As ownership of the key(s) held by the institution can be distributed to multiple users, multi-signature wallets are thus best suited for institutions where funds are typically owned and managed by a board of stakeholders. 

Under this configuration, stakeholders maintain joint ownership of the institution’s key(s), and a majority consensus must be reached amongst them to apply the requisite signature to approve any transaction.

Multi-signature wallets come in a range of quorums, with most designed to require a minimum threshold instead of all signatures to unlock access to assets. Below is a summary of the different quorums available:

• 2-of-3: A minimum of two signatures are needed to unlock a three-signature wallet
• 2-of-2: Two signatures are needed to unlock a two-signature wallet
• 3-of-3: All three signatures are needed to unlock a three-signature wallet
• 3-of-4: A minimum of three signatures are needed to unlock a four-signature wallet

Learn more about how multi-signature drives provable self-custody for institutions.

Features institutions should look out for when choosing a multi-signature solution

With this ground understanding of multiple-signature wallets in mind, institutions can now carry out their due diligence to determine the feasibility of a solution to address their security needs. 

Below is a recommended checklist of factors institutions should consider when choosing a multi-signature wallet:

1. Choose an n-of-m quorum solution over n-of-n

The n-of-m minimum threshold quorum is recommended for institutions as it gives them room to create at least one backup copy of their private keys.

Consider a 2-of-3 quorum as an example. Under this configuration, one of two active keys is held by the institution and kept online for ease of access. The second active key is held offline in an isolated hardware device by the wallet provider. 

The final key is inactive and also kept offline, serving as a backup that can be held either by the institution or the provider.

Given that two separate entities take charge of the active private keys, the wallet remains safe even if one of them is compromised. The offline backup acts as an additional layer of protection, granting the institution access to its funds even if the wallet provider becomes insolvent.

Generally, n-of-m is recommended over n-of-n as the latter entails an extremely high degree of trust and diligence across all stakeholders. This can potentially encumber institutions that handle high volumes of transactions, as the need to get requisite approvals from all stakeholders for every transaction inevitably impedes overall operational efficiency.

2. Ensure that the backup key is stored in a hardware security module (HSM) with minimum FIPS 140-2 standard

In the previous section, it is mentioned that at least one private key in any given quorum is kept as a backup in an offline hardware device. 

This device is better known as a Hardware Security Module (HSM), a tamper-resistant physical hardware used for the secure management of keys. A typical HSM comes with the following functions:

• Generate and manage keys
• Encrypt and decrypt data
• Create and verify digital signatures

When picking a HSM for its backup key, the institution must ensure that it meets minimum Federal Information Processing Standards (FIPS). Created by the National Institute of Science and Technology (NIST), FIPS is used as a guideline to approve cryptographic modules deployed by institutions.

At present, FIPS comprises four broad levels, with FIPS 140-2 Level 2  being the minimum standard that a secure HSM should adhere to. At this level, institutions must ensure that the HSM they deploy is outfitted with the following properties:

• Production-grade
• Has at least one tested encryption algorithm
• Utilizes role-based authentication
• Tamper-resistant
• Deploys an operating system that has been minimally assessed to be at Evaluation Assurance Level (EAL) 2 by the Common Criteria, a set of guidelines developed by the Cybersecurity & Infrastructure Security Agency (CISA) to assess the security levels of products and systems.

By deploying a FIPS 140-2 HSM, institutions ensure that their backup key can only be generated and managed in a secure, encrypted form that is resistant to malicious tampering. 

Levain’s wallet solution uses the Amazon Web Services (AWS) Key Management Service (KMS) as part of its wallet design, which is minimally FIPS 140-2-compliant. 

With this solution, institutions can be assured that their backup key is securely encrypted within a HSM that is solely owned and accessible by them - this means that neither Levain nor AWS’ service operators are able to view or export the key under any circumstance.

In this regard, institutions not just safeguard their assets with a high degree of security but also maintain full autonomy over how they are accessed and managed. By reducing dependency on the provider, institutions are better poised to take charge of their own funds and assets.

3. Ensure that the wallet has a stringent backup system for the recoverability of funds

As a follow-up to the previous point, institutions should also ensure that the wallet’s backup process is efficient yet secure. To this end, a robust backup system should begin by being operationally ready and able to be deployed at any time to swiftly respond to emergencies. 

Furthermore, the system should use a simple user interface that enables institutions to personally restore backups without relying on the wallet provider. This means that the wallet must provide institutions with easy access to necessary passwords, passphrases, and backup links to perform the backup process on their own.

Levain’s wallet solution achieves this by offering two options for both the institution’s active key and its private key:

1. The keys are recoverable via a 24-word seed phrase.
2. The keys are encrypted, requiring a password set by the institution to recover them.

Regardless of which option is chosen, the institution benefits from a backup process that is easy, seamless, and ultimately autonomous.

4. Work with an easy-to-use interface

Apart from the backup process, institutions should also ensure that the overall operational utility of the wallet is intuitive and easy to use. User experience is a key test of any product’s feasibility, and this philosophy also applies to enterprise-grade multi-signature wallets - especially those that are designed to be self-custodial. 

User experience is therefore a key priority in Levain's wallet solution. From intuitive interfaces to customizable dashboards, Levain offers institutions an easy way to manage their digital assets on their own without the need for deep technical expertise.

5. Pick a policy engine that affords flexible organizational management

To ensure that no one party can compromise a given institution’s assets, it is important for them to choose a wallet that enables them to establish a policy engine. This vital capability gives institutions the authority to manage users across their private keys and wallets, thereby giving them control over their digital assets. Below are some controls institutions should consider implementing in their policy engine:

• Who should be included in their enterprise account?
• How many wallets do they require? Who should manage these wallets?
• How should transaction flows across the initiation, checking, and approval stages be structured?
• Who should be responsible for each stage of the transaction flow?
• What are the appropriate approval thresholds for each user?

Specific to digital asset management, a highly flexible policy engine must give institutions the authority to customize their workflows according to their operational requirements. Apart from flexibility, policies at the wallet level – such as approval thresholds – must also be sufficiently stringent to minimize the risk of internal collusion or bad actors.  

Consider an asset management firm that is looking to expand its investment mandate with digital assets. From the point of initiation to the final approval of the transaction, multiple stakeholders are involved in the workflow. 

A junior trader initiates a typical transaction before it is sent to the operations team to run checks. A finance controller takes charge of the final stage, serving as the final stakeholder who decides whether or not to approve the transaction.

Given the multitude of stakeholders, it is thus crucial for the asset management firm to deploy a flexible policy engine that gives it the freedom to tailor precise workflows for every stage of the process and distribute ownership of its private keys.

Apart from asset management, other types of institutions also have specific needs that necessitate the availability of a flexible policy engine. Whether they are cryptocurrency traders, private banks, or commercial banks, these institutions operate differently, making a uniform solution inadequate to address all their needs.

That is why flexibility is intrinsic to Levain's policy engine. This solution cedes full authority to institutions to build unique workflows across three core levels: Enterprise-Level Users, Wallet-Level Users, and Wallet-Level Policy. 

6. Look for a transparent, provable security model

Finally, transparency is the most crucial factor that institutions must factor into their wallet selection process, in line with a core tenet of decentralized finance. 

In this regard, the wallet must give the institution full visibility and access over its holdings to ensure that the custody provider is only custodying what they claim.

It is also recommended that institutions work with custody providers who periodically self-test and audit their systems and controls.

Levain’s wallet solution offers full transparency to institutions. To begin, Levain does not decrypt institutions’ encrypted keys despite storing them on its servers. To verify this, institutions need only inspect the relevant API calls and web traffic, where they will find that the wallet password used to decrypt their keys is not sent to Levain's servers.

Furthermore, the same master dashboard that institutions use to configure their policy engines also doubles as a tool for them to monitor their digital asset holdings and track all transaction flows. 

Secure your institution’s access to DeFi protocols with Levain's multi-signature wallet

This article has thus far outlined six key features that institutions should look out for in their search for a viable multi-signature wallet to secure their digital assets.

Apart from scrutinizing the security of digital asset custody, institutions must also pay close attention to the workflow management capabilities of the solution they pick. 

Given the large volumes of funds managed by institutions, it is essential that they set up a stringent reporting workflow that enables them to meticulously manage every transaction across the initiation, checking, and approval stages. Furthermore, the users involved in each stage of the transaction also need to be considered. 

Aside from providing institutions with a secure yet autonomous method to custodize their digital assets, Levain's solution is also augmented with portfolio monitoring capabilities that give them a visualization of their overall transaction history and portfolio performance.

Find out more about how Levain empowers your institution to get a head start into The DeFi Future.

Get in touch at levain.tech/contact-us.