
Data Security and Shards

How Bron keeps your data protected.

Updated over 2 months ago

1. Bron Account

Bron doesn't support passwords. Logging in to your account using only a passkey offers a significant boost to data protection. Unlike traditional passwords, passkeys are based on strong cryptographic authentication and are never reused or stored in a way that can be easily stolen or leaked. When you log in with a passkey, your credentials are encrypted and securely stored on your device, making them resistant to phishing and brute-force attacks.

Passkeys are stored differently depending on your device, operating system, and preferences. You can store them using your OS’s native tools, a password manager, or a physical security key. They are always protected by strong encryption and, often, biometrics.

  • Apple devices: Passkeys are saved in iCloud Keychain, encrypted end-to-end, and synced across your Apple devices. To use a passkey, you confirm your identity with Face ID, Touch ID, or your device PIN — your biometric data never leaves the device.

  • Windows: Passkeys are stored locally with your Microsoft account and protected by Windows Hello, which uses biometrics (like facial recognition or fingerprint) or a PIN. Some synchronisation is possible with Android/iOS through Microsoft Authenticator.

  • Password managers (like 1Password, Bitwarden, Dashlane): Passkeys can also be stored in secure password managers, protected by your master password and, in many cases, biometric authentication.

  • Physical security keys (like YubiKey): Passkeys can be stored directly on hardware devices such as YubiKey. These are not cloud-synced and are tied to the physical device, making them extremely resistant to remote attacks. To use a passkey on a YubiKey, you need to physically insert the key and unlock it with a PIN or, on some models, a fingerprint scan. YubiKeys can store a limited number of passkeys, and the credentials cannot be copied or exported, providing maximum security for sensitive accounts.

2. Shards

Bron combines hardware-level security, industry-standard encryption (ECIES, RSA, HPKE), and distributed storage to keep your crypto assets safe — even in emergency situations. Here’s how it works:

Shards Instead of a Private Key

Instead of a single vulnerable private key, Bron generates three pieces called shards:

  • Shard 1 is stored on your device.

  • Shard 2 is stored in Bron’s secure infrastructure.

  • Shard 3 is stored in the trusted third party’s secure infrastructure.

Any two shards are enough to sign a transaction. Even if one shard is compromised, your assets remain safe.
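The 2-of-3 property the three bullets describe, shown as an added example in Go that is not Bron's code: a textbook Shamir secret sharing over the secp256k1 scalar field. The article does not say which threshold scheme Bron uses, and in a signing setup like the one described the key would never be rebuilt in one place the way `Reconstruct` does here; the example only demonstrates why any two shards are enough and why one shard on its own reveals nothing. The field, the `Shard` type and the function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Added example, not Bron's code: 2-of-3 Shamir secret sharing over the order of the
// secp256k1 group (a common signing-key field, chosen here as an assumption).
var fieldOrder, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

// Shard is one evaluation point of the sharing polynomial. Index labels follow the
// article: 1 = your device, 2 = Bron's infrastructure, 3 = the trusted third party.
type Shard struct {
	Index int
	Value *big.Int
}

// Split produces n shards of secret such that any `threshold` of them reconstruct it.
// With threshold 2 the polynomial is f(x) = secret + a1*x for a random a1, so a single
// point f(i) is consistent with every possible secret: one shard leaks nothing.
func Split(secret *big.Int, threshold, n int) ([]Shard, error) {
	if threshold < 2 || n < threshold || secret.Sign() < 0 || secret.Cmp(fieldOrder) >= 0 {
		return nil, errors.New("split: invalid threshold, count or secret")
	}
	coeffs := []*big.Int{new(big.Int).Set(secret)}
	for i := 1; i < threshold; i++ {
		c, err := rand.Int(rand.Reader, fieldOrder) // uniformly random coefficient
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shards := make([]Shard, 0, n)
	for i := 1; i <= n; i++ {
		x, y := big.NewInt(int64(i)), new(big.Int)
		for j := len(coeffs) - 1; j >= 0; j-- { // Horner evaluation of f(x) mod p
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, fieldOrder)
		}
		shards = append(shards, Shard{Index: i, Value: y})
	}
	return shards, nil
}

// Reconstruct recovers f(0) by Lagrange interpolation at x = 0. The caller must supply
// at least `threshold` distinct shards; a single shard is rejected outright.
func Reconstruct(shards []Shard) (*big.Int, error) {
	if len(shards) < 2 {
		return nil, errors.New("reconstruct: one shard is not enough")
	}
	secret := new(big.Int)
	for i, si := range shards {
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(int64(si.Index))
		for j, sj := range shards {
			if i == j {
				continue
			}
			if si.Index == sj.Index {
				return nil, errors.New("reconstruct: duplicate shard index")
			}
			xj := big.NewInt(int64(sj.Index))
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, fieldOrder)   // product of (0 - xj)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, fieldOrder) // product of (xi - xj)
		}
		basis := new(big.Int).Mul(num, new(big.Int).ModInverse(den, fieldOrder))
		secret.Add(secret, basis.Mul(basis, si.Value)).Mod(secret, fieldOrder)
	}
	return secret, nil
}

func main() {
	secret, _ := rand.Int(rand.Reader, fieldOrder)
	shards, _ := Split(secret, 2, 3)
	deviceAndBron, _ := Reconstruct(shards[:2])     // shards 1 and 2
	bronAndThirdParty, _ := Reconstruct(shards[1:]) // shards 2 and 3
	fmt.Println(deviceAndBron.Cmp(secret) == 0, bronAndThirdParty.Cmp(secret) == 0) // prints: true true
}
```

Because `Split` draws a fresh random coefficient every time, the same secret yields different shards on each run, and any single shard is statistically independent of the secret; that is the property behind "even if one shard is compromised, your assets remain safe".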

How Shards Are Created and Encrypted

  • Generation: When you create a wallet, you, Bron, and the third party establish a secure connection through the Bron app.

  • Encryption: Each shard is encrypted before it’s stored. Bron uses the HPKE standard — a modern hybrid encryption method that combines symmetric and asymmetric encryption for maximum security.

Where and How Shards Are Stored

  • On Your Device (Shard 1): The shard is encrypted with an HPKE key, and that HPKE key is in turn encrypted by whichever hardware encryption system the device provides:

    • Mac: Apple Secure Enclave (a hardware chip in your Mac) with the P-256 curve and ECIES. This acts like a digital signature that cannot be forged.

    • Windows: TPM 2.0 (a hardware security module) using RSA-2048 and OAEP. Access is only possible through Windows Hello (biometrics or PIN).

  • In Bron’s Infrastructure (Shard 2):
    Stored in a database and encrypted with a key that is kept in an HSM (Hardware Security Module), a specialised, physically isolated server. The shard is encrypted with RSA-4096, one of the most secure encryption standards.

  • With the Third Party (Shard 3):
    Stored in similar secure infrastructure with the same level of encryption (RSA-4096). Bron does not have access to this shard.
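The two-layer protection of the on-device shard described above (shard sealed with an HPKE key, HPKE key wrapped by hardware), as an added example in Go that is not Bron's code. Layer 1 seals the shard with an HPKE-style hybrid (ephemeral P-256 ECDH, HKDF-SHA256, AES-256-GCM); this is a DHKEM-like construction for illustration, not a full RFC 9180 HPKE implementation. Layer 2 wraps the HPKE private key with RSA-OAEP under a key that only a `HardwareKey` value can use, standing in for the TPM 2.0 (RSA-2048 OAEP) or HSM (RSA-4096) the article names; a real TPM or HSM additionally gates the unwrap behind Windows Hello or physical isolation, which a software model cannot show. The type names, the OAEP label and the blob layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Added example, not Bron's code. Layer 1 seals the shard to an "HPKE key" (ephemeral P-256
// ECDH + HKDF-SHA256 + AES-256-GCM, a DHKEM-style hybrid, not full RFC 9180 HPKE). Layer 2
// wraps that HPKE private key with RSA-OAEP under a key only HardwareKey can use.
var oaepLabel = []byte("example-hpke-key-wrap") // assumed label, not from the article

// hkdf32 is HKDF-SHA256 (RFC 5869) with an empty salt, for exactly one 32-byte output block.
func hkdf32(ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, nil)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // PRK keys the expand step
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// Sealed is the on-disk form of the shard: ephemeral public key, GCM nonce, ciphertext.
type Sealed struct{ EphPub, Nonce, Ciphertext []byte }

// gcmFor derives the AES-256-GCM instance used by Seal and Open. The HKDF info binds both
// public keys (and doubles as GCM associated data), so a ciphertext cannot be re-targeted.
func gcmFor(shared, ephPub, recipientPub []byte) (cipher.AEAD, []byte, error) {
	info := append(append([]byte{}, ephPub...), recipientPub...)
	block, err := aes.NewCipher(hkdf32(shared, info))
	if err != nil { return nil, nil, err }
	gcm, err := cipher.NewGCM(block)
	return gcm, info, err
}

// Seal encrypts shard to the recipient's P-256 public key.
func Seal(recipient *ecdh.PublicKey, shard []byte) (*Sealed, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipient)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	gcm, info, err := gcmFor(shared, ephPub, recipient.Bytes())
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return &Sealed{ephPub, nonce, gcm.Seal(nil, nonce, shard, info)}, nil
}

// Open reverses Seal; any change to the stored bytes fails GCM authentication.
func Open(recipient *ecdh.PrivateKey, s *Sealed) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(s.EphPub)
	if err != nil { return nil, err }
	shared, err := recipient.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm, info, err := gcmFor(shared, s.EphPub, recipient.PublicKey().Bytes())
	if err != nil { return nil, err }
	return gcm.Open(nil, s.Nonce, s.Ciphertext, info)
}

// HardwareKey models the TPM 2.0 / HSM: the RSA private key never leaves it, and Unwrap is
// the only operation exposed. The article cites RSA-2048 OAEP (TPM) and RSA-4096 (HSM).
type HardwareKey struct{ priv *rsa.PrivateKey }

func NewHardwareKey(bits int) (*HardwareKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	return &HardwareKey{k}, nil
}

func (h *HardwareKey) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, h.priv, wrapped, oaepLabel)
}

// DeviceBlob is everything persisted on the device; it is useless without the hardware key.
type DeviceBlob struct{ WrappedHPKEKey []byte; Shard *Sealed }

// StoreShard generates a fresh HPKE key pair, seals the shard to it and wraps the private key.
func StoreShard(hw *HardwareKey, shard []byte) (*DeviceBlob, error) {
	hpke, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	sealed, err := Seal(hpke.PublicKey(), shard)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &hw.priv.PublicKey, hpke.Bytes(), oaepLabel)
	if err != nil { return nil, err }
	return &DeviceBlob{wrapped, sealed}, nil
}

// LoadShard asks the hardware to unwrap the HPKE key, then opens the shard with it.
func LoadShard(hw *HardwareKey, b *DeviceBlob) ([]byte, error) {
	raw, err := hw.Unwrap(b.WrappedHPKEKey)
	if err != nil { return nil, err }
	hpke, err := ecdh.P256().NewPrivateKey(raw)
	if err != nil { return nil, err }
	return Open(hpke, b.Shard)
}
```

The point to take from the layout of `DeviceBlob` is that everything an attacker could copy off the disk (wrapped key, ephemeral public key, nonce, ciphertext) is inert without the unwrap operation: a different hardware key fails the OAEP check, and a modified ciphertext fails GCM authentication instead of decrypting to garbage.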

Why Is This Secure?

  • Hardware protection: Secure Enclave and TPM 2.0 make it virtually impossible to extract the encryption keys, and with them the shard, even if the device is compromised.

  • Hybrid encryption: HPKE and RSA-4096 protect shards both in transit and at rest.

  • Decentralisation: Neither Bron nor the third party can access your wallet alone — at least two shards are always required.

If you have questions, contact our support team via the messenger on the Bron platform or by email at support@bron.org.
