# Security

> How Para protects user assets with non-custodial key management, phishing-resistant authentication, and server-side enforcement

export const Link = ({href, label, newTab = false}) => {
  const [isHovered, setIsHovered] = useState(false);
  return <a href={href} target={newTab ? '_blank' : '_self'} rel={newTab ? 'noopener noreferrer' : undefined} className="not-prose inline-block relative text-black font-semibold cursor-pointer border-b-0 no-underline" onMouseEnter={() => setIsHovered(true)} onMouseLeave={() => setIsHovered(false)}>
      {label}
      <span className={`absolute left-0 bottom-0 w-full rounded-sm bg-gradient-to-r from-orange-600 to-purple-600 transition-all duration-300 ${isHovered ? 'h-0.5' : 'h-px'}`} />
    </a>;
};

Para's security model is built on a simple principle: **no single party (not Para, not the integrating application, not even the user's device alone) ever holds a complete private key.** This eliminates the most common attack vectors in wallet infrastructure and provides a foundation that compliance and security teams can trust.

## Security at a Glance

| Property                       | What it means                                                                                                         |
| ------------------------------ | --------------------------------------------------------------------------------------------------------------------- |
| **Non-custodial**              | Para never has access to users' full private keys                                                                     |
| **No single point of failure** | Keys are split across the user's device and Para's hardware security modules. Compromising one reveals nothing useful |
| **Phishing-resistant**         | Passkey-based authentication means there are no passwords to steal, no seed phrases to phish                          |
| **Censorship-resistant**       | Users can export their key share and sign transactions independently if Para is ever unavailable                      |

## Why This Matters

**For product teams:** Non-custodial wallets unlock capabilities that custodial models can't offer:

| Benefit                      | Why it matters                                                                                                                                                     |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Day-1 asset access**       | Users hold their own keys from the moment of wallet creation, with no waiting for custodial onboarding or KYC approval before they can receive and use assets      |
| **Global expansion**         | Non-custodial infrastructure avoids per-jurisdiction money transmitter licensing, enabling faster launches in new markets without wallet-layer regulatory blockers |
| **No key management burden** | Para handles MPC, HSMs, and signing ceremonies so our partners can confidently deliver new product features                                                        |
| **Seamless UX**              | Biometric login, no seed phrases, instant wallet creation: users get a familiar experience while your app gets enterprise-grade security underneath                |
| **User trust and retention** | Users own their assets outright. There's no platform risk: even if your app goes offline, users retain full control of their wallets                               |

**For compliance and risk teams:** Para's non-custodial architecture means the integrating application can move faster, minimizing licensing obligations that come with custodial wallet models. Every transaction is checked against an approved [permissions policy](/v2/concepts/permissions) before signing, creating an auditable enforcement layer.

**For security teams:** The attack surface is significantly reduced. Integrating applications don't store private keys, so a breach of their infrastructure doesn't expose user assets. Para's MPC signing ensures that even a compromise of Para's systems alone cannot produce valid signatures.

## How Keys Are Protected

Para uses a **2-of-2 Multi-Party Computation (MPC)** system where the private key is split into two shares (one on the user's device, one in Para's cloud HSMs). To sign a transaction, both shares participate in a cryptographic ceremony that produces a valid signature **without ever reconstructing the full private key**.

Neither Para nor the integrating application ever sees the full key. This is true during key generation, signing, and recovery.
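
The 2-of-2 ceremony described above, as an added sketch that is not Para's code: it uses Schnorr signatures over a toy group because their linearity keeps the two-party math short, and the page does not say which signature scheme or MPC protocol Para runs. The `Party` class, the function names, and the group parameters are assumptions for illustration.

```python
import hashlib
import secrets

# Toy group (assumption for illustration): integers modulo the Mersenne prime
# 2**127 - 1, with exponents modulo N = P - 1. Far too weak for real use.
P = 2**127 - 1
N = P - 1
G = 3


def challenge(R, X, msg):
    """Fiat-Shamir challenge e = H(R || X || msg), reduced modulo N."""
    data = R.to_bytes(16, "big") + X.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Party:
    """Holds one additive key share; never sees the other share or the full key."""

    def __init__(self):
        self.share = secrets.randbelow(N)          # x_i, stays with this party
        self.public_share = pow(G, self.share, P)  # X_i = g^x_i, safe to publish

    def nonce_commitment(self):
        self._k = secrets.randbelow(N)             # fresh per-signature nonce k_i
        return pow(G, self._k, P)                  # R_i = g^k_i

    def partial_signature(self, e):
        s = (self._k + e * self.share) % N         # s_i = k_i + e * x_i
        del self._k                                # a nonce must never be reused
        return s


def sign_2of2(device, server, msg):
    """Only public values and partial signatures are exchanged between parties."""
    X = device.public_share * server.public_share % P  # joint public key
    R = device.nonce_commitment() * server.nonce_commitment() % P
    e = challenge(R, X, msg)
    s = (device.partial_signature(e) + server.partial_signature(e)) % N
    return X, (R, s)


def verify(X, msg, sig):
    """Standard Schnorr check against the joint key: g^s == R * X^e."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P
```

Production protocols add nonce commitments and proofs of knowledge on top of this arithmetic; the sketch only shows why the full key `x_1 + x_2` never has to exist in one place for a valid signature to be produced.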

<Card title="Key Management" icon="key" href="/v2/concepts/key-management">
  Deep dive into MPC implementation, distributed key generation, hardware secure enclaves, passkeys, and how MPC compares to multi-sig.
</Card>

## Authentication

Para supports multiple authentication methods to fit different user bases and product requirements.

### Email and Social Logins

| Method        | Details                                   |
| ------------- | ----------------------------------------- |
| **Email**     | Passwordless login via email verification |
| **Phone**     | SMS-based verification                    |
| **Google**    | OAuth social login                        |
| **Apple**     | OAuth social login                        |
| **Twitter/X** | OAuth social login                        |
| **Discord**   | OAuth social login                        |
| **Facebook**  | OAuth social login                        |

### Additional Account Protection Options

| Method       | Details                                                                                                                          |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| **Passkey**  | Built on the WebAuthn standard. Phishing-resistant, origin-bound, biometric verification via Face ID, fingerprint, or device PIN |
| **PIN**      | Numeric PIN set by the user                                                                                                      |
| **Password** | Traditional password-based login                                                                                                 |

These options can be layered on top of authentication to provide additional security when authorizing transactions.

### Session Management

Para uses sessions as a security measure when signing transactions. Session length is configured per API key, enforced by the Para API, and can be adjusted in the [Security section of the Developer Portal](https://developer.getpara.com) or via the CLI.

## Encryption and Secure Communication

All communication between the user's device, Para's servers, and connected applications is encrypted:

* **TLS** for all network communications
* **End-to-end encryption** for sensitive data in transit
* **Encryption at rest** for all stored user data

## Censorship Resistance

Para's architecture ensures users maintain control over their assets even if Para's services are unavailable:

* Users can **export their Para Share** at any time via <Link label="Para Connect" href="https://connect.getpara.com/" />
* With both shares, users can **sign transactions independently** without Para's servers
* The <Link label="Para Backup Kit" href="https://blog.getpara.com/censorship-resistance-why-its-critical-and-how-were-tackling-it/" /> provides a censorship-resistant fallback for full self-sovereignty

This design ensures that Para cannot censor transactions and that users are never locked out of their own assets.

## Backup and Recovery

Device loss, theft, and hardware failure are inevitable. Para's recovery system ensures **users can always regain access to their wallet** without integrating applications having to build their own recovery flows. All recovery flows are handled through the Para Portal, a managed web experience that walks users through verification and key restoration.

| Mechanism                     | How it works                                                                                                                                                            |
| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Recovery secret**           | A unique secret generated during wallet setup, stored by the user. Not related to the MPC key shares. Used solely to restore wallet access. Para never has access to it |
| **Para Backup Kit**           | A copy of the Para Share given to the user at setup, providing censorship resistance and protection against downtime                                                    |
| **Backup devices**            | Users can register secondary devices (laptop, smartwatch) during setup. If the primary device is lost, they log in from a backup and add new devices                    |
| **Key rotation**              | After any recovery event, Para prompts a full key rotation, generating entirely new key shares and invalidating the old ones                                            |
| **Multi-factor verification** | Recovery requires the recovery secret plus optional 2FA (TOTP), protecting against impersonation                                                                        |

### Security Measures

| Measure                       | How it protects users                                                                                                                                                                                      |
| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Multi-factor verification** | Recovery requires the recovery secret plus optional 2FA (TOTP). No single factor alone can restore wallet access, protecting against social engineering and impersonation                                  |
| **Key rotation**              | After every recovery event, Para prompts a full key rotation, generating entirely new key shares and invalidating the old ones. Even if old keys were compromised, they become useless                     |
| **Backup devices**            | Users can register multiple backup devices (laptop, smartwatch, tablet) during setup. If the primary device is lost, they log in from a backup device without needing to go through the full recovery flow |
| **48-hour recovery delay**    | Recovery attempts initiated via the Para Portal include a waiting period, giving users time to detect and cancel unauthorized recovery attempts                                                            |
| **Para Portal managed flow**  | All recovery is handled through the Para Portal, removing the need to build or manage recovery UI. This reduces implementation surface area and ensures consistent security across all integrating apps    |

### Best Practices for Users

<CardGroup>
  <Card title="Secure Storage" icon="lock">
    Store the recovery secret in a secure, offline location. Never share this secret with anyone, including Para.
  </Card>

  <Card title="Enable 2FA" icon="shield-check">
    Activate two-factor authentication for an additional layer of security during the recovery process.
  </Card>

  <Card title="Multiple Backup Devices" icon="mobile-screen">
    Add multiple backup devices when possible to increase recovery options.
  </Card>

  <Card title="Regular Verification" icon="clipboard-check">
    Periodically verify the ability to access the account from backup devices to ensure they remain functional.
  </Card>
</CardGroup>

## Audits and Compliance

Para is SOC 2 Type II compliant and regularly undergoes system-wide audits and penetration tests covering MPC implementation, infrastructure, API security, and recovery flows.

<Card title="Audits & Compliance" icon="clipboard-check" href="/v2/concepts/compliance">
  Custody classification, regulatory posture, audit history, data handling, encryption details, and risk model, for CISOs and compliance teams.
</Card>

## Security FAQs

<AccordionGroup>
  <Accordion title="How does Para handle session management?">
    Para uses sessions as a security measure when signing transactions. Developers configure session length per API key and can implement [session management logic](/v2/react/guides/sessions) in their applications to maintain active sessions when required.
  </Accordion>

  <Accordion title="How does Para ensure transaction signing if its servers go offline?">
    As long as the user has not deleted the Cloud Share sent during onboarding, they can always refresh keys, export, or sign transactions independently. This design ensures that Para cannot censor transactions. See our blog post on [censorship resistance](https://blog.getpara.com/censorship-resistance-why-its-critical-and-how-were-tackling-it/) for more details.
  </Accordion>

  <Accordion title="What social login options does Para support?">
    Para supports sign-in via Google, Apple, Twitter/X, Discord, and Facebook. This allows developers to offer a range of authentication options to their users, increasing adoption and ease of use.
  </Accordion>

  <Accordion title="How does Para handle wallet recovery in case of device loss?">
    Para implements a robust recovery mechanism involving a recovery secret generated during wallet setup, optional backup devices, two-factor authentication, and a key rotation process after recovery. The recovery process is managed through the Para Portal, reducing the implementation burden on individual developers.
  </Accordion>

  <Accordion title="Can users export their private keys with Para?">
    Yes. Most users don't need to export their private keys, given that Para wallets are universal and usable across apps and chains, but they can do so in [Para Connect](https://connect.getpara.com/).
  </Accordion>
</AccordionGroup>

<CardGroup cols={2}>
  <Card title="Permissions" icon="lock" href="/v2/concepts/permissions">
    How Para enforces fine-grained access control
  </Card>

  <Card title="Universal Wallets" icon="right-left" href="/v2/concepts/universal-embedded-wallets">
    One wallet across your entire ecosystem
  </Card>
</CardGroup>
