No passwords
Anchorage Digital forgoes the use of usernames and passwords, which are susceptible to fraud, impersonation, and abuse.
No emails or texts
Anchorage Digital does not use emails or phone numbers, so attackers cannot gain access by triggering email or SMS-based account recovery.
No unauthorized devices
Only pre-approved devices may access an account.
How it works
Anchorage Digital’s transaction flow is designed to prove with certainty that a given transaction reflects an organization’s intent. Once all three steps are complete, we process the transaction within minutes.A 3-step transaction process
1
Multi-user approval
Every transaction requires approval from at least two members of the organization, using authentication through authorized devices. Each user’s identity is tied to a unique and unforgeable cryptographic key, created and stored in the iOS Secure Enclave.
2
Transaction review
Using automated outlier detection and human oversight, Anchorage Digital authenticates each approval based on detailed behavioral analytics. Individual and organization behavioral data—including biometrics, transaction details, and location—is examined and compared against historical patterns to detect and flag any outliers. Every transaction is independently reviewed by Anchorage Digital; no transaction moves forward without human confirmation.
3
Hardware-enforced logic
Only when both the organization and Anchorage Digital have approved, Hardware Security Modules (HSMs) process the transaction. Private key material is generated and processed in air-gapped HSMs and is not exported outside the HSM boundary in plaintext. The system signs transactions without exposing sensitive key material. Custom logic verifies that each operation has a valid quorum of client approvals as well as Anchorage Digital approval.
Why HSMs?
A Hardware Security Module (HSM) is a dedicated, tamper-resistant device built for one job: generating and using cryptographic keys without ever exposing them. They’re the same class of hardware banks use to protect payment systems, and they’re the answer to the core problem in digital asset security — a private key is just data, and data can be copied.- Key material stays inside secure hardware. Private key material is generated and processed in HSMs with no direct connection to the internet. Key material is not exported outside the HSM boundary in plaintext; signing happens in protected hardware, which returns only the signature.
- Tamper resistance is physical. The HSMs are air-gapped and housed in protected data centers with 24/7 physical security. Attempts to physically open or probe the hardware destroy the keys rather than reveal them.
- The approval logic runs in the hardware, not around it. Custom logic on the HSM verifies that every operation carries a valid quorum of client approvals plus Anchorage Digital approval before it will sign. The rules can’t be bypassed by compromising a server or an app, because the server and app never hold sensitive key material.