Non-custodial wallets have no custodian to fall back on: if a user loses access to their authentication method, they need a recovery path that does not require any party to hold their keys. OMS Wallet provides two complementary mechanisms: social auth recovery via multiple linked authentication methods, and timed recovery via a 24-word phrase.

Social auth recovery

The primary recovery path is multi-auth linking: a single OMS Wallet can be associated with several authentication methods (Google, Apple, email OTP, and custom OIDC providers). Any linked method resolves to the same wallet, so a user who loses access to one method can sign in through any other linked method and reach the same wallet.
How it works:
  1. During onboarding (or at any point after), the user links additional authentication methods to their wallet.
  2. Each link requires fresh authentication via the new method; there is no silent cross-provider linking.
  3. If the user loses access to their primary method, signing in with any other linked method recovers the same wallet.
Why this works without operator involvement:
  • The wallet address is keyed to a stable internal Principal, not to any specific provider identity.
  • The WaaS enclave is the only party that can sign transactions on the wallet’s behalf, and it does so only after a successful authentication via a linked method.
  • The operator cannot bypass authentication or attach a new method without the user.
For the conceptual model, see Multi-Auth Linking.

Timed recovery

Timed recovery is the fallback for users who lose access to every linked authentication method. It uses a 24-word recovery phrase (a mnemonic) with a mandatory 30-day lockdown period before recovery executes.
How it works:
  1. The user initiates recovery using their 24-word phrase and specifies a new destination wallet.
  2. A time-locked transfer bundle is queued onchain. The recovery does not execute immediately.
  3. During the 30-day window, a Watchtower service sends email notifications to the original auth email. If the request is fraudulent, the user can cancel it.
  4. After 30 days, the transfer executes and the user regains access through the new destination wallet.
Security properties:
  • The 30-day delay prevents instant silent takeovers (for example, if someone steals the phrase but not the device).
  • The process is operator-independent: users can run the recovery tool without operator involvement, as long as an EVM chain is live.
  • Session metadata is backed up to Arweave, ensuring the recovery bundle can always be reconstructed.
  • Notifications are sent via the user’s auth email; any unauthorized recovery attempt is surfaced.
Timed recovery is designed for worst-case scenarios. Encourage users to link multiple authentication methods during onboarding so social auth recovery covers the common cases (new device, lost provider account).
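
The four steps above, modelled as a small state machine. This is an added example, not OMS Wallet code: the class and method names, the one-live-request rule, and the rule that cancelling requires a sign-in through a linked method are assumptions made for illustration; only the 30-day lock comes from this page.

```python
from dataclasses import dataclass

LOCK_SECONDS = 30 * 24 * 60 * 60  # the 30-day lockdown period from the page

@dataclass
class Recovery:
    destination: str
    queued_at: int          # Unix time the bundle was queued
    state: str = "pending"  # pending -> cancelled | executed

class TimedRecovery:
    """Toy model of the recovery queue; all names here are hypothetical."""

    def __init__(self):
        self.requests = {}  # wallet address -> Recovery

    def queue(self, wallet, destination, now):
        # Step 2: queuing never moves funds, it only starts the clock.
        # Assumption: at most one live request per wallet.
        current = self.requests.get(wallet)
        if current and current.state == "pending":
            raise ValueError("a recovery is already pending for this wallet")
        self.requests[wallet] = Recovery(destination, now)
        return now + LOCK_SECONDS  # earliest execution time

    def cancel(self, wallet, owner_authenticated):
        # Step 3: assumed to require a sign-in through a linked method.
        req = self.requests[wallet]
        if not owner_authenticated:
            raise PermissionError("cancel requires the wallet owner")
        if req.state != "pending":
            raise ValueError(f"recovery already {req.state}")
        req.state = "cancelled"

    def execute(self, wallet, now):
        # Step 4: only a still-pending request past the lock can execute.
        req = self.requests[wallet]
        if req.state != "pending":
            raise ValueError(f"recovery already {req.state}")
        if now < req.queued_at + LOCK_SECONDS:
            raise ValueError("recovery is still time-locked")
        req.state = "executed"
        return req.destination

    def to_notify(self, now):
        # Watchtower view: wallets with a live request and seconds remaining.
        return {w: max(0, r.queued_at + LOCK_SECONDS - now)
                for w, r in self.requests.items() if r.state == "pending"}
```

A holder of a stolen phrase can reach `queue` but not `execute` until the lock expires, which is the window in which the notified owner can call `cancel`.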

Recovery UX guidance for fintechs

For payment and banking products, consider the following:
| Scenario | Recommended recovery path |
| --- | --- |
| User gets a new phone | Sign in with any linked method on the new device |
| User loses their Google account | Sign in with another linked method (Apple, email, or custom OIDC) |
| User loses every linked authentication method | 24-word timed recovery (30-day delay) |
| User forgets their phrase | No recovery possible; communicate clearly at signup |
Make multi-auth linking part of your onboarding checklist. Products that surface it as an optional step see lower adoption; treat it as a required step for users who hold meaningful balances.

Further reading

Multi-Auth Linking

The capability that powers social auth recovery: many authentication methods, one wallet.

Timed recovery: technical reference

Full specification of the timed recovery flow, onchain observability, operator independence, and recovery FAQ.