In the world of Web3, the saying "not your keys, not your tokens" has long been the rule. However, this has also made managing seed phrases a major psychological burden, often deterring people from entering the space.
The imToken Web account system is based on account abstraction (AA). By introducing passkeys and account recovery, we aim to change this status quo. Your sense of security no longer needs to come from a piece of paper filled with words, but is instead built on the devices you use every day, your biometrics, and trusted, convenient backup methods.
Here are the three pillars of security for your imToken Web account, along with a few simple steps you need to take to ensure lasting protection.
1. Your Device is the Strongest Shield
On imToken Web, logging in is as simple as unlocking your phone. You don't need to set complex passwords or worry about forgetting a seed phrase; your login credential is called a passkey.
- Prevents Brute Force Attacks: Your passkey is stored in the secure chip of your phone or computer. Apart from your own authorization via biometrics (Face ID/Touch ID) or screen lock PIN, no one (including Apple, Google, or imToken) can access it.
- Immune to Phishing: The passkey is cryptographically bound to the imToken Web domain. If you accidentally click on a fake phishing website, your passkey will recognize the domain mismatch and automatically refuse authorization. This solves the most common risk of theft in Web3 at the source.
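To make the "bound to the domain" claim concrete, here is an added example of the checks a relying party runs on a passkey login assertion. It is not imToken's code: the relying-party ID `wallet.example`, the allowed origin, the challenge bytes and the helper names are all constructed for illustration. The authenticator stamps every assertion with `SHA-256(rpId)`, and the browser records the page origin in `clientDataJSON`; a server that verifies both (plus the per-login challenge) rejects anything produced on a look-alike domain even before the signature is examined.

```python
import base64
import hashlib
import json

# Constructed example values, not real imToken configuration: the relying
# party ID the passkey was registered under and the origins the server accepts.
EXPECTED_RP_ID = "wallet.example"
ALLOWED_ORIGINS = {"https://wallet.example"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_authenticator_data(rp_id: str, user_present: bool = True,
                             user_verified: bool = True, sign_count: int = 1) -> bytes:
    """Mimic authenticatorData as an authenticator returns it: SHA-256(rpId) || flags || signCount."""
    flags = (0x01 if user_present else 0x00) | (0x04 if user_verified else 0x00)
    return hashlib.sha256(rp_id.encode("ascii")).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def build_client_data_json(origin: str, challenge: bytes) -> bytes:
    """Mimic the clientDataJSON the browser produces for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode("utf-8")


def verify_assertion_scope(authenticator_data: bytes, client_data_json: bytes,
                           expected_challenge: bytes) -> tuple:
    """Relying-party checks that bind an assertion to our domain and our challenge.

    Verifying the signature over authenticatorData || SHA-256(clientDataJSON) is
    assumed to follow once these checks pass; it is outside this example.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode("ascii")).digest():
        return False, "rpIdHash mismatch: credential was scoped to another domain"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    if not flags & 0x04:
        return False, "user verification (biometric/PIN) flag not set"
    return True, "ok"


def demo() -> dict:
    """Run the checks over constructed assertions: one genuine, three that must be rejected."""
    challenge = b"constructed-challenge-0123456789"  # a real server draws this at random per login
    results = {}
    results["legitimate"] = verify_assertion_scope(
        build_authenticator_data(EXPECTED_RP_ID),
        build_client_data_json("https://wallet.example", challenge), challenge)
    # Assertion produced on a look-alike domain: origin and rpIdHash both differ.
    results["phishing_origin"] = verify_assertion_scope(
        build_authenticator_data("wallet-login.example"),
        build_client_data_json("https://wallet-login.example", challenge), challenge)
    # Origin field forged to look right, but the authenticator still hashed the other rpId.
    results["rp_id_mismatch"] = verify_assertion_scope(
        build_authenticator_data("wallet-login.example"),
        build_client_data_json("https://wallet.example", challenge), challenge)
    # Genuine domain, but a stale challenge: replay of an old assertion.
    results["replayed_challenge"] = verify_assertion_scope(
        build_authenticator_data(EXPECTED_RP_ID),
        build_client_data_json("https://wallet.example", b"stale-challenge"), challenge)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

In practice the phishing case never reaches the server at all: the browser refuses to invoke a credential whose rpId is not a registrable suffix of the current origin. The server-side checks above are the defence-in-depth layer that catches relayed or tampered assertions.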
2. Encrypted Cloud Sync for Extra Protection
"What if my phone is lost?" This is often the first reaction users have. In the design of imToken Web, losing your phone does not mean losing your assets.
As long as you have enabled cloud sync via iCloud Keychain or Google Password Manager (professional password managers like 1Password also work), your passkey is encrypted and backed up to the cloud. Rest assured, this process uses end-to-end encryption, which means that even cloud service providers such as Apple or Google cannot view or access your key information.
If you lose your phone, you simply need to switch to a new device, log in to the same Apple ID or Google Account, and verify your fingerprint or face. Your wallet and assets will appear on the new device immediately.
What do you need to do?
- Check Sync Settings: Make sure the sync function for iCloud Keychain or Google Password Manager on your phone is Enabled. This is the fastest and easiest way to recover your account.
3. Account Recovery as a Safety Net
What happens in an extreme scenario where your phone is lost, Cloud Sync wasn't enabled, or you can't even log in to your cloud account? This is where account recovery plays a critical role.
imToken provides a security mechanism that works alongside cloud sync. You can link a commonly used Ethereum wallet (such as the imToken App wallet on your phone) to your account. The private key of this linked wallet becomes your recovery key.
The Mechanism of Account Recovery
Account abstraction involves two concepts directly related to security: the Owner Key and the Guardian Key. In imToken Web, the Owner Key corresponds to your passkey, and the Guardian Key corresponds to your recovery key. By linking the two, you get a recovery mechanism that balances security and convenience:
- Passkey (Owner) Operations are Immediate: When you use your passkey to log in or make changes, the request is processed instantly.
- Recovery Key (Guardian/Linked Wallet) Operations are Delayed: If you initiate a recovery using the recovery key, the system adds a 12-hour security delay before the request is executed. After the delay, you can reset the passkey.
Why wait 12 hours?
This isn't to waste your time, but to protect your assets. Suppose your linked wallet (Recovery Key) is stolen by a hacker who then attempts to reset your account. Thanks to this 12-hour waiting period, the hacker cannot succeed immediately. During this time, as the account owner, you still hold the highest authority and can use your original passkey to cancel the hacker's request, thereby securing your assets.
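The Owner/Guardian split and the 12-hour delay described above can be modelled as a small state machine. The following is an added example written for this page, not imToken's implementation: the passkey identifiers, the wallet address `0xLinkedWallet`, the timestamps and the method names are constructed. It shows the three rules the text states: owner operations apply at once, a guardian request only becomes executable after the delay, and the owner can cancel it at any point inside that window.

```python
from dataclasses import dataclass, field
from typing import Optional

# The page states a 12-hour delay on recovery-key (guardian) operations.
RECOVERY_DELAY_SECONDS = 12 * 60 * 60


class Unauthorized(Exception):
    """The signer is not allowed to perform this operation."""


class NotReady(Exception):
    """The recovery delay has not elapsed, or nothing is pending."""


@dataclass
class PendingRecovery:
    proposed_owner: str   # identifier of the replacement passkey
    ready_at: int         # unix time after which finalize_recovery is allowed


@dataclass
class AbstractAccount:
    owner: str                          # current passkey id (Owner Key)
    guardian: str                       # linked wallet address (Guardian Key)
    pending: Optional[PendingRecovery] = None
    history: list = field(default_factory=list)

    # --- Owner operations: effective immediately ---
    def owner_action(self, signer: str, action: str) -> str:
        if signer != self.owner:
            raise Unauthorized("only the current passkey may act immediately")
        self.history.append(action)
        return action

    def cancel_recovery(self, signer: str) -> bool:
        """Owner veto: clears a pending guardian request at any time before it finalizes."""
        if signer != self.owner:
            raise Unauthorized("only the owner can cancel a pending recovery")
        had_pending = self.pending is not None
        self.pending = None
        return had_pending

    def set_guardian(self, signer: str, new_guardian: str) -> str:
        """Rotating the recovery key is itself an owner operation, so it applies at once."""
        if signer != self.owner:
            raise Unauthorized("only the owner can change the recovery key")
        self.guardian = new_guardian
        return self.guardian

    # --- Guardian operations: queued behind the delay ---
    def propose_recovery(self, signer: str, new_owner: str, now: int) -> int:
        if signer != self.guardian:
            raise Unauthorized("only the linked wallet can start recovery")
        self.pending = PendingRecovery(new_owner, now + RECOVERY_DELAY_SECONDS)
        return self.pending.ready_at

    def finalize_recovery(self, now: int) -> str:
        """Installs the proposed owner once the delay has elapsed."""
        if self.pending is None:
            raise NotReady("no recovery pending")
        if now < self.pending.ready_at:
            raise NotReady(f"{self.pending.ready_at - now} seconds remaining")
        self.owner = self.pending.proposed_owner
        self.pending = None
        return self.owner


def scenario_stolen_recovery_key() -> str:
    """Constructed scenario: a thief holds the linked wallet; the owner cancels inside the window."""
    acct = AbstractAccount(owner="passkey-A", guardian="0xLinkedWallet")
    t0 = 1_700_000_000
    acct.propose_recovery("0xLinkedWallet", new_owner="passkey-THIEF", now=t0)
    # Within the 12 hours the original passkey still holds the highest authority.
    acct.cancel_recovery("passkey-A")
    acct.set_guardian("passkey-A", "0xNewLinkedWallet")  # rotate the compromised recovery key
    try:
        acct.finalize_recovery(now=t0 + RECOVERY_DELAY_SECONDS + 1)
    except NotReady:
        pass  # nothing left to finalize: the request was vetoed
    return acct.owner


def scenario_legitimate_recovery() -> str:
    """Constructed scenario: passkey and cloud backup are gone; the recovery key restores access."""
    acct = AbstractAccount(owner="passkey-LOST", guardian="0xLinkedWallet")
    t0 = 1_700_000_000
    ready_at = acct.propose_recovery("0xLinkedWallet", new_owner="passkey-NEW", now=t0)
    try:
        acct.finalize_recovery(now=t0 + 60)  # too early: still inside the delay
    except NotReady:
        pass
    return acct.finalize_recovery(now=ready_at)


if __name__ == "__main__":
    print("after theft attempt, owner is", scenario_stolen_recovery_key())
    print("after legitimate recovery, owner is", scenario_legitimate_recovery())
```

The asymmetry is the whole point: a stolen guardian key buys the attacker a queued request and nothing more, while the owner's passkey can both veto that request and replace the guardian without any waiting period.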
How to enable this protection?
You need to set your imToken App wallet as the recovery key in the "Manage Account" page on imToken Web beforehand. Check the detailed tutorial for instructions.
Final Note: You Are Ultimately Responsible for Your Assets
Although passkeys and account recovery significantly lower the barrier to entry, in the decentralized world, you are still the ultimate person responsible for your assets. Beyond relying on imToken's mechanisms, there are three things you must remember:
- Guard your Cloud Account
  - Ensure your cloud account password is complex enough and enable 2FA.
  - Do not lend your device or cloud account to others casually.
- Guard your Recovery Key
  - The linked wallet corresponding to your recovery key is still a traditional mnemonic-based wallet. Ensure you have a secure offline backup of its seed phrase.
  - Do not import this seed phrase into unknown websites. If you suspect a leak, change the recovery key and migrate your assets immediately.
- Beware of Social Engineering Attacks
  - Passkeys can prevent technical phishing, but they cannot stop you from voluntarily transferring money to a scammer.
  - Before every transaction or signature, double-check the amount, address, and authorization details.
  - Passkeys protect your keys, not your judgment.
On imToken Web, security is no longer about nervously protecting a piece of paper. It is a three-layer defense system built on Device Security, Cloud Backup, and Account Recovery — reinforced by your basic security practices. Together, they let you maintain full control of your assets while enjoying a seamless, passwordless experience.