Repost: General Questions #2
Answer:

Private keys are only accessible via your Turnkey credentials (i.e., an authenticator or API key). Further, the use of private keys is gated by your Policies, which specify which users can take which actions against those keys (e.g., “Only Dan can sign with Private Key 123”). Each request (e.g., sign a transaction) must in turn be stamped by a valid credential for a user who has been explicitly granted permission to take that specific action. Turnkey cannot unilaterally access your private key, transfer your funds, or take any other action with that private key, as our infrastructure requires your authentication secret in order to decrypt the private key within the enclave.

Today, Turnkey provides the underlying infrastructure to generate private keys and sign transactions, but we leave the UI/UX to our customers who are primarily themselves apps or businesses. If an app facilitates wallet creation for their end users and uses passkeys as the only authenticator, that end user would not be able to authenticate requests via other apps and would need to export the private key in order to bring the key with them (this feature is on our near-term roadmap). However, there is no technical limitation preventing an individual end user from creating a private key themselves directly on Turnkey and using that private key to interact with any apps they’d like.

We are exploring integrations with wallet display modals which will make that use case more practical for the average user.

-H
The following question was posted to Turnkey's docs prior to our migration to docs.turnkey.com. It's being re-posted here verbatim, along with the answer, for future reference:
Question:
Are Ethereum private keys bound to the Authenticator device? Meaning, are they only usable when the end user signs via their hardware keys? Or does Turnkey have the ability to sign with those keys, even if it’s against policy or made very difficult?
Can an end user use the same Ethereum private key across multiple apps, owned by different organizations? As in, do the keys move with you, like with MetaMask etc.?
If the above is possible, do you plan on integrating with wallet display modals such as web3 mods, Family, RainbowKit, etc.?
I dig the simplicity to end users, but I am wondering about limitations in the web3 world.