User Authentication and Wallet Management System
Last updated
This document describes the architecture and implementation details of the Enterprise User Authentication and Wallet Management System, which integrates Okta, Firebase, 0box, zVault, and zAuth to manage enterprise user identities, authentication flows, cryptographic wallets, and transaction validation within Züs services.
The system comprises multiple integrated services:
Okta (OAuth2 Provider)
Stores enterprise user information and handles authentication for registered clients.
Firebase (Identity Verification and JWT Issuer)
Manages all Züs users and verifies Okta authentication before issuing its own JWT.
0box
Controls access to zAuth and zVault, ensures wallet security, and manages registration expirations.
zVault
Stores user wallets and cryptographic keys and creates wallets for enterprise users; every request must carry a valid JWT.
zAuth
Handles transaction signing, ensuring that only authorized users can perform sensitive operations.
Each service interacts to maintain robust security, administrative oversight, and secure wallet management:
Step 1: Admin Registers Users in Okta
Enterprise users are registered in Okta, which stores their credentials.
Step 2: User Logs in via Okta
Users authenticate with email and password, and Okta issues a JWT for the session.
Step 3: User Signs in with Firebase (Using Okta Token for Verification)
Users present their Okta JWT to Firebase as proof of authentication.
Firebase verifies the Okta token before issuing its own Firebase JWT.
This ensures that only authenticated Okta users can interact with Firebase services.
Step 4: JWT-Based Authentication for Vault Access
Users authenticate with 0box using their Firebase JWT.
0box validates the request and issues a JWT (the vault token) for accessing zVault.
Step 5: Wallet Generation and Registration in zVault
The wallet is generated and registered in zVault; the request is authenticated with the vault token.
Step 6: Transactions Require JWT Authentication via zAuth
Any transaction or other sensitive operation requires a valid vault token.
zAuth verifies the token before signing the transaction.
Step 7: 0box Manages Registration Expirations
When required, 0box can revoke a user's registration, cutting off access to wallets and authentication services.
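The following is an added example that models the token chain of Steps 2 to 7 in code; it is not Züs code, and the real services' key material, claim names, issuer and audience strings, and token lifetimes are not described on this page, so all of those are assumptions. Each hop verifies the token it receives (algorithm, signature, issuer, audience, expiry) before issuing a token for the next hop, and each verifier holds only the key of the service directly upstream of it, so a Firebase token cannot be presented straight to zAuth. Because a JWT is a bearer credential that remains valid until its expiry, the model also has 0box's registration state consulted at use time so that a revocation in Step 7 takes effect before outstanding vault tokens expire; whether the real services do this is not stated here. HS256 is used only so the example runs with the standard library; identity providers such as Okta and Firebase sign with asymmetric keys published via JWKS.

```python
"""Model of the Okta -> Firebase -> 0box -> zVault/zAuth token chain (Steps 2-7).

Added illustration, not Züs code. Keys, iss/aud strings, claim names and
TTLs are assumptions; HS256 keeps it standard-library only.
"""
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised when a token fails any verification step."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(key: bytes, iss: str, aud: str, sub: str, ttl: int, now: int) -> str:
    """Issue an HS256 JWT carrying issuer, audience, subject and expiry claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": iss, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, key: bytes, iss: str, aud: str, now: int) -> dict:
    """Check alg, signature, issuer, audience and expiry; return the claims."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token") from None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise TokenError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != iss:
        raise TokenError("wrong issuer")
    if claims.get("aud") != aud:
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


# Constructed signing keys, one per issuing service. A verifier holds only the
# key of the service directly upstream of it, so a token cannot skip a hop.
KEYS = {"okta": b"okta-demo-key", "firebase": b"firebase-demo-key", "0box": b"0box-demo-key"}

# Registration state managed by 0box (Step 7): user -> registration expiry (assumed model).
REGISTRATIONS = {}


def okta_login(user: str, now: int) -> str:  # Step 2
    return issue(KEYS["okta"], "okta", "firebase", user, 300, now)


def firebase_signin(okta_token: str, now: int) -> str:  # Step 3
    claims = verify(okta_token, KEYS["okta"], "okta", "firebase", now)
    return issue(KEYS["firebase"], "firebase", "0box", claims["sub"], 3600, now)


def _check_registration(user: str, now: int) -> None:
    if REGISTRATIONS.get(user, 0) <= now:
        raise TokenError("registration expired or revoked")


def zbox_issue_vault_token(firebase_token: str, now: int) -> str:  # Step 4
    claims = verify(firebase_token, KEYS["firebase"], "firebase", "0box", now)
    _check_registration(claims["sub"], now)
    return issue(KEYS["0box"], "0box", "zvault", claims["sub"], 600, now)


def zauth_sign(vault_token: str, now: int) -> str:  # Step 6
    claims = verify(vault_token, KEYS["0box"], "0box", "zvault", now)
    # A JWT stays valid until exp; re-checking registration here makes a
    # Step 7 revocation immediate instead of waiting for the token to expire.
    _check_registration(claims["sub"], now)
    return f"signed-for-{claims['sub']}"


def demo() -> dict:
    """Happy path plus three failure modes; returns the outcome of each by name."""
    now, user = 1_700_000_000, "alice@example.com"
    REGISTRATIONS[user] = now + 86_400
    fb = firebase_signin(okta_login(user, now), now)
    vault = zbox_issue_vault_token(fb, now)
    out = {"signed": zauth_sign(vault, now)}
    REGISTRATIONS_AFTER_REVOKE = now  # 0box revokes the registration (Step 7)
    cases = (("skip_hop", fb, now, None),          # Firebase token presented straight to zAuth
             ("expired", vault, now + 601, None),  # vault token past its 600 s TTL
             ("after_revoke", vault, now, REGISTRATIONS_AFTER_REVOKE))
    for name, token, at, revoke_to in cases:
        if revoke_to is not None:
            REGISTRATIONS[user] = revoke_to
        try:
            zauth_sign(token, at)
            out[name] = "accepted"
        except TokenError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` shows the signing request succeeding on the full chain, the skipped hop failing on the signature check (zAuth never even reaches the issuer and audience checks), the stale vault token failing on expiry, and the revoked user being refused while holding an otherwise valid token.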
Each authentication layer (Okta, Firebase, 0box) issues its own JWT to authorized users, and each downstream service accepts only the token issued for it.
Firebase verifies Okta authentication before issuing its token, ensuring enterprise users are authenticated.
Wallets are generated and registered securely in zVault.
0box acts as the central access controller, regulating interactions with zAuth and zVault.
Multiple authentication layers (Okta + Firebase + JWTs) enhance security and identity verification.
Q: Does the user generate the wallet, or does zVault create it for them?
A: For enterprise users, wallets are generated directly in zVault. Sensitive key material (mnemonics and master keys) never leaves zVault and is not exposed to the client.
Q: Can Okta admins access a user’s wallet if they control the login?
A: Yes. zVault generates a pair of split-keys for admins, allowing continuous access to user wallets, even after the user's account is revoked. The admin split-key is therefore a credential with standing access to enterprise wallets and must be protected and audited accordingly.
Q: What happens to the user’s wallet and data if they are revoked or leave?
A: The user's access is revoked immediately, so the wallet becomes inactive for that user. Admins retain access through the split-key mechanism, so administrative control of the wallet is preserved.
Enhanced Security: Multi-layered authentication safeguards user wallets and sensitive transactions.
Automated User Management: User access is synchronized and revoked automatically through webhook integration.
Administrative Continuity: Admin-level split-key ensures continuous secure access to wallets post-user account deletion or revocation.
Better User Experience: OAuth2-based Okta integration simplifies user identity management.
This system provides secure authentication, controlled access to user wallets, and transaction security, all built on JWT-based authentication.
By integrating Okta and Firebase for identity management and using 0box for access control, it enforces strict security policies while keeping user interactions smooth.