Aaron Li: 1Wallet with Smart One-Time-Password Authentication


Good afternoon - I am Aaron Li, the creator behind 1wallet. 1wallet is the next-generation open-source smart-wallet built for Harmony, but can support and potentially run on all Ethereum compatible blockchains, because that's what Harmony is. It was released to the Harmony community by word of mouth in September. To date, it is used by thousands of people on Harmony, transacting millions of dollars in value. It is made to be secure, durable, and easy-to-use. It is a non-custodial wallet that is owned by you, and you only. It is audited by both professional security auditing firms, as well as prominent researchers in the industry.


1wallet is perhaps the first wallet that operates without any seed phrases, private keys, or single point of failure. As a crypto wallet user for 10 years, I know how painful these things are. They are arguably some of the biggest user experience hurdles that everyone has to overcome in the web3 world. We got rid of all of them. We designed the wallet from scratch, and invented new mechanisms at each step to do it better. Yet, we made no compromise on safety and security. Every cryptography primitive we use is battle-tested for decades. Every mechanism we use is documented and can be reviewed by scholars, security researchers, and the community.


Setting up a 1wallet is easy. You already saw a demo of a mobile app version from Zi in previous presentations. But if you want to try it today, feel free to go to Github and follow the link there after today’s presentations. You can create a 1wallet in the browser of your phone or your computer. On average, everyone can create a 1wallet in under 10 seconds. All you need to do is to open your camera, and scan a unique QR code on your screen. If you are already on your phone, just tap the QR code. Then, copy the 6-digit code from the authenticator to the browser. That’s it. After a few seconds, your 1wallet will be ready to go.

The authenticator code controls your 1wallet. You need that for almost every transaction. Each code is 6-digit, and you get a new one every 30 seconds. If other people see your code, you don’t need to worry about it. Because the code is valid for only 30 seconds, and 1wallet has extra protections against letting other people use the code.

Unlike many hardware wallets and air-gapped wallets, we make no compromise on user experience by having these extra protections. Everything you do with the wallet can be completed in 5 seconds, from when you type your 6-digit code, until the transaction is confirmed on the blockchain.


Despite the simplistic user experience, 1wallet comes with many layers of security protection. First of all, your authenticator code is generated completely offline by Google authenticator. The information goes one way only - from the authenticator to the user. Other standard authenticator apps and authenticator hardware devices do the same. The setup seed is sealed off from regular access. This is a big deal, because this mechanism removes one of the biggest security risks in private-key based wallets: the leaking of private keys.

In those wallets such as MetaMask, you have to retrieve your entire private key to produce a valid signature for any transaction. Every time you do that, it provides an opportunity for the attacker to steal the private key. Once the private key is stolen, they can do whatever they want. For those hardware wallets, you have to send all your transaction data to the wallet, have the hardware to sign it, and get the signature back. If the attacker manipulates the process and gets your hardware to sign a manipulated transaction, all your assets can similarly be stolen in one transaction. Or, the attacker can just get the private key from the hardware, if the hardware is not secure enough.

The second highlight of 1wallet is how resilient it is in unsafe environments. If your client is compromised - that means your computer or your browser - it does not mean your 1wallet is compromised. Unlike MetaMask and other private-key-based wallets, an attacker can’t do anything with the data stored or generated at your client unless they also get the right authenticator code for the right time. This again, prevents one of the biggest security risks in wallets like MetaMask: that somebody can simply read the data stored on the hard drive, crack or steal your password, and get the private key from there.

Likewise, an attacker who only has your authenticator code can’t do anything with your wallet, unless they also somehow bypass many layers of security protections and manage to steal some unique data generated by the setup seed from your devices. The time constraints make it extremely difficult for any attacker to succeed. Even if they do succeed, there are spending limit and other mechanisms built-in at 1wallet to keep the damage minimal and even negligible in many cases.

There are many other security highlights that I want to talk about, but we don’t have enough time today for all of them. But to give you a peace of mind, be rest assured that we designed mechanisms against many types of attacks that other wallets and smart contracts have suffered from over the last few years, lessons which they already paid hugely to learn.


We designed 1wallet with the goal such that you cannot lose your assets you stored in 1wallet, no matter what stupid things you do. First, as long as you have your authenticator code entry, you can restore your 1wallet anywhere, on any device, using only authenticator codes or a setup seed QR code exported by some authenticators. Since each authenticator app has backup and restore functions by themselves, this made it almost impossible to make your 1wallet inaccessible. Secondly, even if you lose your authenticator code, you can still recover all your assets stored in 1wallet at any client you used before, as long as you configured a recovery address for your 1wallet. Thirdly, even if you lose access to your client, you can still recover all your assets from the recovery address, by just sending 1.0 ONE to the 1wallet after 14 days of inactivity in your 1wallet. Lastly, even if you forgot to set up a recovery address, we have a default recovery address called 1wallet DAO, which can help you recover your assets in those rare cases.


There is still lots of work to be done with 1wallet, and I really look forward to working with developers in this community to make 1wallet better. We have a big upgrade coming in during the next two weeks to enable several key features and make 1wallet 100% faster. 1wallet already supports dApps integration and has built-in integrations with apps such as SushiSwap, Gnosis Safe, also known as Harmony Multisig, and daVinci NFT marketplaces.  Over the next few months. we will launch more apps, native clients, and make integrations as easy as calling the standard web3 library or by just one-line of code. We will give every user a domain name that works on both web2 and web3, where they can customize their personal space. We will make NFT social and peer to peer, such that you can follow, discover, and trade NFTs without a marketplace. We will leverage privacy mixers and be among the first wallets to offer built-in private transactions and services. We will make the use of zero-knowledge proof central to 1wallet and make cross-chain use cases efficient and practical. There will be many more exciting features to come: things such as staking, basic income, such that every participant of the crypto economy system on Harmony will have a simple way to get their fair share of reward.

That’s it. Thank you all for listening. Enjoy the rest of the conference. 1wallet project is looking for more developers - please let me know if you are interested.