Overview
Mobile Key Share Backup allows you to recover the mobile key share of users with signing privileges. The three user roles with transaction signing privileges are Owner, Admin, and Signer. Key Share Backup helps prevent losing access to company assets due to human or signing device errors.
Events where you lose access to your key share
The following events block your ability to sign transactions on your mobile device. However, you can use Key Share Backup to recover your key share after any of these events:
- You make any changes to your device's biometric settings or lose your PIN code.
- You lose or damage your device.
- You are replacing your device.
- You delete the Fireblocks mobile app from your device.
Mobile device OS cloud backups of your Fireblocks mobile app do not contain key share material. Therefore, you cannot sign transactions after restoring your Fireblocks mobile app from a device OS cloud backup. Additionally, Fireblocks Support cannot support a Mobile Key Share Recovery request based on a cloud backup restoration. You must re-download the Fireblocks mobile app instead and perform a Key Share Recovery as described in the following sections.
Best practices to mitigate risks from these events
You must have at least two users with signing privileges in your workspace besides the workspace Owner. Having more signers lowers the risk of losing access to company assets.
All users with signing privileges were required to create a recovery passphrase when they were onboarded to the Fireblocks mobile app. They should store their passphrase in a secure location. They may need to enter their recovery passphrase if all workspace signing devices are damaged. It is important to either memorize it or have access to it for Key Share Recovery.
Learn more about the recovery passphrase and the implications of forgetting it, how to regain access to your key shares, and a safe way to reset it.
Mobile Key Share Recovery for a non-Owner device
Re-enrolling signing devices
This Key Share Recovery method recovers key shares for non-Owner users who lose access to or damage their mobile device or Fireblocks mobile app. Only your workspace Owner, or an Admin and your workspace Owner, can initiate it. Your workspace Owner is required to approve the MPC key share in step 4 below. This process does not require assistance from Fireblocks Support.
Note
For this method, you do not need to use a recovery passphrase.
To recover a user’s key share by re-enrolling their mobile device:
- In the Fireblocks Console, select Settings > Users.
- Select More Actions (...) > Reset 2FA for the affected user.
Note
If the Owner does not perform this step, the 2FA records will remain linked to the old device and the user cannot log in. In this case, contact Fireblocks Support.
- Select More Actions (...) > Re-enroll mobile device for the affected user. Learn more about re-enrolling mobile devices.
- The user installs the Fireblocks mobile app on their new device and then completes the enrollment process, which includes setting up biometric authorization and a PIN code. At this point, the user can perform certain workspace operations, but can only sign transactions once the workspace Owner approves their MPC key shares.
- The Owner receives a request on their mobile device to generate MPC key shares that include that user’s name and workspace. After they approve it, the user’s new key shares for their device are automatically generated and issued to the user.
- The user receives a notification on their mobile device to authenticate, store, and back up the new key shares to finish MPC enrollment.
Mobile Key Share Recovery for the workspace Owner’s device
Unlike a Key Share Recovery for a non-Owner device, a Key Share Recovery for an Owner device requires help from Fireblocks Support and sometimes a Disaster Recovery Service (DRS) provider. Therefore, the time to complete an Owner Key Share Recovery is subject to their SLAs.
There are two options to perform a Mobile Key Share Recovery for an Owner’s device:
Option 1: Key Share Recovery by your company
You can use one of two methods:
- Method 1: Using the Owner's recovery passphrase
- Method 2: Using the mobile device of another user with signing privileges
Option 2: Using a third-party DRS provider
Option 1: Key Share Recovery by your company
Method 1 - Using the Owner’s recovery passphrase
To recover the Owner's mobile key share, your workspace Owner can use their recovery passphrase. Learn more about setting up and changing your recovery passphrase.
If your Owner is replacing their device, they can migrate their key share from their current device with the Fireblocks mobile app. To do this, follow the steps in migrating to a new mobile device.
If your Owner does not have access to their signing device for any of the following reasons:
- Changes to the device’s biometric setting or a lost Fireblocks app PIN code
- Lost or damaged device
- Deleted the Fireblocks mobile app from the device
Then complete the following steps:
- Use the linked form to ask Fireblocks Support to move Fireblocks to a new device.
- Support validates the request over a video conference call with the workspace Owner.
- Support activates recovery mode for the Owner. This may take up to several days based on the Fireblocks SLA.
Note
Activating recovery mode is subject to strict security screening by Fireblocks Support, including identification over a video conference call.
- The Owner downloads the Fireblocks app on a new device and enrolls through it:
  - Verify your mobile device meets the minimum requirements. If you haven't already, configure your device's biometric authentication with your fingerprint or face ID.
  - Download the Fireblocks mobile app from Google Play or the Apple App Store.
  - Use the Fireblocks mobile app to scan the onscreen QR code. This pairs the device with your workspace.
  - Follow the setup instructions on your mobile device.
  - Allow the Fireblocks mobile app to use the device's biometric authentication.
  - Enter the six-digit PIN code you want to use for authorization. We recommend you write down your six-digit PIN code and keep it secured and separate from your mobile device.
- The app opens in Recovery Mode and the Owner enters their recovery passphrase.
- The app then attempts to decrypt the key share locally with the entered passphrase.
- The Owner’s app is ready.
Method 2 - Using the mobile device of another user with signing privileges
This method allows you to temporarily make an existing Admin or Signer user your new workspace Owner if you lose access to your Owner mobile passphrase.
To validate which workspace users are qualified, follow these steps:
- Access your workspace user list in your Fireblocks Console. Go to Settings > Users.
- Any Admin or Signer showing “Ready” under the Status column can be made the temporary Owner when using this recovery method.
Important
We highly recommend that the user you select remembers their recovery passphrase. This process does not require knowing your original Owner’s passphrase. However, because the temporary Owner may be the only user with signing privileges during this process, they must be prepared for the full range of events requiring a recovery passphrase to recover a key share.
Instead of requiring your passphrase, this method relies on “who” you are, which Fireblocks Support confirms through a video conference. For that reason, it can take longer than other options.
- Use this form to ask Fireblocks Support to temporarily change your workspace Owner. The temporary Owner must be an existing user with signing privileges (Admin or Signer roles) with an operational Fireblocks mobile app.
- Support validates your request through a conference call with both your existing Owner and the temporary Owner.
- Support then adjusts your roles to reflect the temporary Owner. This can take several days based on our SLA.
- Your original Owner now appears as a Signer user in your Fireblocks Console.
- Your new Owner then navigates to Settings > Users and selects Reset Mobile Device for the Signer user.
- The Signer user onboards the mobile device.
- Contact Support to change the workspace Owner back to the original Owner user.
- Support validates your request using a conference call with both your temporary Owner and your original Owner that you want to restore.
- Fireblocks Support changes ownership. This may take several days based on our SLA.
Option 2: Using a third-party DRS provider
Learn more about Mobile Key Share Backup and Recovery with Third-Party DRS.