---
id: task-10
title: Design EncryptID unified identity system for r-ecosystem
status: Done
assignee: []
created_date: '2026-02-05 15:02'
updated_date: '2026-02-05 15:05'
labels:
  - architecture
  - security
  - rSpace-ecosystem
dependencies: []
priority: high
---

## Description

Design and document the EncryptID unified identity/authentication system for rspace.online, rwallet, rvote, rmaps, and rfiles.

Key requirements:

- WebAuthn/Passkey as primary authentication
- WebCrypto API for key derivation and client-side encryption
- Account Abstraction smart wallet integration
- Social recovery (no seed phrases)
- Cross-app SSO across all r-ecosystem apps
- DID:key for decentralized identity

## Acceptance Criteria

- [x] #1 Architecture document complete with all 5 layers defined
- [x] #2 Social recovery mechanism designed (no seed phrases)
- [x] #3 Cross-app SSO strategy documented
- [x] #4 Integration path with existing CryptID documented
- [x] #5 Provider comparison (ZeroDev vs Safe vs Privy) complete

## Implementation Notes

## Completed Research

Created comprehensive ENCRYPTID-SPECIFICATION.md covering:

### 5-Layer Architecture

1. **Layer 1: WebAuthn/Passkeys** - Hardware-backed primary auth
2. **Layer 2: Derived Keys (WebCrypto)** - Encryption, signing, and DID keys derived via HKDF
3. **Layer 3: Smart Wallet (AA)** - ZeroDev + Safe hybrid for on-chain ops
4. **Layer 4: Social Recovery** - Guardian-based, no seed phrases, 48h time-lock
5. **Layer 5: Session/SSO** - Related Origin Requests for cross-app auth

### Social Recovery Design

- 3-of-5 guardian threshold recommended
- Guardian types: secondary passkey, trusted contacts, hardware key, institutional
- 48-hour time-lock with user notification and cancellation
- Privacy-preserving (guardians don't know each other)

### Provider Comparison

- **ZeroDev**: Best for custom flows, native passkey support via Turnkey
- **Safe**: Best for DAOs/shared treasuries, multi-sig native
- **Privy**: Quickest integration, managed recovery
- **Turnkey**: Infrastructure layer, TEE-backed

### Key Research Sources

- Yubico PRF Extension Guide
- Vitalik Buterin's social recovery recommendations
- ZeroDev/Safe documentation
- Corbado passkey guides
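Layer 2 hinges on one detail the list above does not spell out: how a single 32-byte PRF output from the passkey becomes separate, non-colliding keys for each app and each purpose. The block below is an added example, not code from ENCRYPTID-SPECIFICATION.md or from any provider SDK. It runs the HKDF derivation through the WebCrypto API (the same `crypto.subtle` in browsers and in Node), with the PRF output replaced by a constructed byte string so it runs offline; in a real flow that value comes from `assertion.getClientExtensionResults().prf.results.first` after a `navigator.credentials.get()` call that requested `extensions: { prf: { eval: { first: <salt> } } }`. The salt string, the `encryptid:<app>:<purpose>` info labels and the app names are assumptions chosen for the example.

```javascript
// Added example: Layer 2 key derivation for EncryptID (not the spec's own code).
// WebCrypto is global in browsers and in Node >= 19; the require() fallback
// covers older Node when this file is run as CommonJS.
const webcrypto = globalThis.crypto
  ?? (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
const subtle = webcrypto.subtle;
const te = new TextEncoder();

// CONSTRUCTED stand-in for the passkey PRF extension output (32 bytes).
// Real code takes it from getClientExtensionResults().prf.results.first
// and never hard-codes or persists it.
const PRF_OUTPUT = Uint8Array.from({ length: 32 }, (_, i) => (i * 7) % 256);

// HKDF salt may be public; the secret input is the PRF output. Naming the
// ecosystem here keeps these keys distinct from anything another product
// might derive from the same passkey. (Assumed label.)
const ECOSYSTEM_SALT = te.encode("encryptid/v1");

// Wrap the PRF secret as an HKDF base key. HKDF keys must be non-extractable.
async function importPrfSecret(prfOutput) {
  return subtle.importKey("raw", prfOutput, "HKDF", false, ["deriveBits", "deriveKey"]);
}

// Domain separation: the info string names the app and the purpose, so the
// rfiles encryption key is unrelated to the rvote signing seed even though
// both descend from the same PRF output.
function infoFor(app, purpose) {
  return te.encode(`encryptid:${app}:${purpose}`);
}

// Per-app AES-GCM key for client-side encryption; non-extractable so the raw
// key material never leaves WebCrypto.
async function deriveAesKey(prfKey, app) {
  return subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: ECOSYSTEM_SALT, info: infoFor(app, "enc") },
    prfKey,
    { name: "AES-GCM", length: 256 },
    false,
    ["encrypt", "decrypt"],
  );
}

// Raw bytes for purposes that need a seed (signing keypair, DID key).
async function deriveBytes(prfKey, app, purpose, nBytes = 32) {
  const bits = await subtle.deriveBits(
    { name: "HKDF", hash: "SHA-256", salt: ECOSYSTEM_SALT, info: infoFor(app, purpose) },
    prfKey,
    nBytes * 8,
  );
  return new Uint8Array(bits);
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Everything one r-ecosystem app needs from the passkey, in one call.
async function deriveAppKeys(prfOutput, app) {
  const prfKey = await importPrfSecret(prfOutput);
  const aesKey = await deriveAesKey(prfKey, app);
  const signingSeed = await deriveBytes(prfKey, app, "sign");
  return { aesKey, signingSeedHex: toHex(signingSeed) };
}

// AES-GCM with a fresh 96-bit random nonce per message; nonce travels with the ciphertext.
async function encryptJson(aesKey, obj) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, aesKey, te.encode(JSON.stringify(obj)));
  return { iv, ct: new Uint8Array(ct) };
}

async function decryptJson(aesKey, { iv, ct }) {
  const pt = await subtle.decrypt({ name: "AES-GCM", iv }, aesKey, ct);
  return JSON.parse(new TextDecoder().decode(pt));
}

// Properties the design relies on: same passkey + same app gives the same keys
// (re-login recovers the data), different apps give unrelated keys.
async function demo() {
  const files1 = await deriveAppKeys(PRF_OUTPUT, "rfiles");
  const files2 = await deriveAppKeys(PRF_OUTPUT, "rfiles");
  const vote = await deriveAppKeys(PRF_OUTPUT, "rvote");
  const sealed = await encryptJson(files1.aesKey, { doc: "hello" });
  const opened = await decryptJson(files2.aesKey, sealed); // key from an independent derivation
  return {
    deterministic: files1.signingSeedHex === files2.signingSeedHex,
    separated: files1.signingSeedHex !== vote.signingSeedHex,
    roundTrip: opened.doc === "hello",
  };
}

demo().then((r) => console.log(r));
```

Because the derived keys are a pure function of the PRF output, the PRF salt and the info labels, changing any label (or the RP ID the passkey is bound to) silently produces different keys and makes existing ciphertext unreadable; treat those strings as versioned protocol constants, not tunables.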
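The Social Recovery Design bullets list the pieces (3-of-5 guardians, 48h time-lock, notification, owner cancellation) but not how they interact. The model below is an added example written for this task page, not the spec's text nor Safe's or ZeroDev's recovery module; it encodes one consistent set of rules so the edge cases can be checked. Assumptions: the time-lock starts when the guardian threshold is reached (not at the first approval), the current owner may cancel at any point before the lock expires, only one pending recovery target is allowed at a time, and time is a plain millisecond number so the flow can be exercised without a clock. Guardian and owner names are placeholders.

```javascript
// Added example: a plain-JS model of EncryptID Layer 4 recovery rules.
// In production these rules live on-chain (Safe module / ZeroDev validator);
// this model only expresses and exercises them.
const HOUR_MS = 60 * 60 * 1000;

class RecoveryAccount {
  constructor({ owner, guardians, threshold = 3, delayMs = 48 * HOUR_MS }) {
    if (threshold > guardians.length) throw new Error("threshold exceeds guardian count");
    this.owner = owner;
    this.guardians = new Set(guardians);
    this.threshold = threshold;
    this.delayMs = delayMs;
    this.pending = null;      // { newOwner, approvals: Set<string>, executableAt: number|null }
    this.notifications = [];  // what the user would be alerted about
  }

  // A guardian proposes or endorses moving control to newOwner.
  approve(guardian, newOwner, now) {
    if (!this.guardians.has(guardian)) throw new Error(`${guardian} is not a guardian`);
    if (this.pending && this.pending.newOwner !== newOwner) {
      throw new Error("a recovery to a different owner is already pending");
    }
    if (!this.pending) {
      this.pending = { newOwner, approvals: new Set(), executableAt: null };
      this.notifications.push({ type: "recovery-started", newOwner, at: now });
    }
    if (this.pending.approvals.has(guardian)) throw new Error("duplicate approval");
    this.pending.approvals.add(guardian);
    // Time-lock starts only once the threshold is met (assumption stated above).
    if (this.pending.approvals.size >= this.threshold && this.pending.executableAt === null) {
      this.pending.executableAt = now + this.delayMs;
      this.notifications.push({ type: "threshold-reached", executableAt: this.pending.executableAt, at: now });
    }
    return this.pending.approvals.size;
  }

  // The legitimate owner, still holding a working passkey, aborts the attempt.
  cancel(caller) {
    if (caller !== this.owner) throw new Error("only the current owner can cancel");
    if (!this.pending) throw new Error("nothing to cancel");
    this.pending = null;
    this.notifications.push({ type: "recovery-cancelled" });
  }

  // Anyone may finalize once the threshold is met and the delay has elapsed.
  finalize(now) {
    const p = this.pending;
    if (!p || p.executableAt === null) throw new Error("threshold not reached");
    if (now < p.executableAt) throw new Error("time-lock has not expired");
    this.owner = p.newOwner;
    this.pending = null;
    return this.owner;
  }
}

// Two outcomes on one account: a hijack attempt the owner cancels, then a
// genuine recovery that completes after the 48h lock.
function scenario() {
  const acct = new RecoveryAccount({ owner: "passkey-A", guardians: ["g1", "g2", "g3", "g4", "g5"] });
  const t0 = 0;

  // Two coerced guardians approve an attacker; below threshold, so finalize fails
  // even long afterwards, and the notified owner cancels.
  acct.approve("g1", "attacker", t0);
  acct.approve("g2", "attacker", t0 + HOUR_MS);
  let earlyFinalize = null;
  try { acct.finalize(t0 + 100 * HOUR_MS); } catch (e) { earlyFinalize = e.message; }
  acct.cancel("passkey-A");

  // Real device loss: three guardians approve a new passkey, the owner stays
  // silent, and finalize succeeds only once 48h have passed since the third vote.
  acct.approve("g3", "passkey-B", t0 + 2 * HOUR_MS);
  acct.approve("g4", "passkey-B", t0 + 3 * HOUR_MS);
  acct.approve("g5", "passkey-B", t0 + 4 * HOUR_MS);
  let tooSoon = null;
  try { acct.finalize(t0 + 4 * HOUR_MS + 47 * HOUR_MS); } catch (e) { tooSoon = e.message; }
  const newOwner = acct.finalize(t0 + 4 * HOUR_MS + 48 * HOUR_MS);

  return { earlyFinalize, tooSoon, newOwner, notifications: acct.notifications.length };
}

console.log(scenario());
```

Starting the clock at the threshold rather than at the first approval is the conservative choice: an attacker who slowly collects coerced approvals cannot shorten the window the owner has to notice the "threshold-reached" notification and cancel.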