
How Portal Thinks About Security

An Interview with Portal CTO, David Scrobonia

April 3, 2024

In this interview, David Scrobonia, CTO & Co-Founder of Portal, discusses why he focuses on the intersection of security and user experience in the Web3 and crypto space. He describes Portal's mission to simplify access to secure wallet infrastructure and payments, and the security-first practices (defense in depth, least privilege, external audits and penetration tests, and MPC-based key management) that he says set Portal apart from other wallet providers.

On What Makes Portal Special

With your experience in security and development, what drew you to focus on the Web3/crypto space, and what excites you about Portal's approach?

I really enjoy the intersection of security and user experience. There are a lot of opportunities in this space to improve both the user and developer experience, and when money is involved security has to be a requirement along the way. At Portal, we’re continually trying to figure out how we can simplify access to secure wallet infrastructure and payments.

How does Portal's security-first mindset and infrastructure differentiate it from other wallet providers in the market?

Starting with a founding team with backgrounds in security means that we’re always designing with security in mind. Baking in defense-in-depth from the start makes it much easier to build secure systems. By following security fundamentals from day one, Portal has put itself in a position to have a secure foundation to build from. 

On Portal’s Approach to Security

What specific security practices and controls does Portal implement as part of the "defense in depth" approach mentioned in the blog post?

Portal implements defense-in-depth at every layer of our tech stack: from our SDKs, to our backend services, to our cloud infrastructure and internal IT security. One example of this can be seen in how we manage changes to our cloud resources. First, access is gated by our SSO provider, which requires a physical YubiKey to complete authentication - a requirement for every Portal employee. Next, security groups govern which employees have access to which cloud resources - discrete groups limit access across the environment and cloud service. And finally, all infrastructure changes are managed as source code using Terraform IaC, which requires a code review before changes can be committed. This path requires multiple forms of authentication and peer review, which provide multiple layers of checks and security.

How does the principle of "least privilege" get applied across Portal's systems and employee access controls?

We rely on the principle of least privilege across the board at Portal - employee access, service account access, source code management, developer tooling, and application access. For example, every backend service is deployed with a unique service account that has only the permissions it needs for that specific service to operate, and engineer access to our environments is gated with tiered permission groups.

What are the biggest security challenges facing companies operating in the Web3/crypto space, and how is Portal addressing them?

The “move fast and break things” mantra of Silicon Valley creates a difficult tension for a lot of companies in the space. They are trying to balance rapid innovation with the inherent requirement for security to come first where every interaction involves users’ money. When you can make architectural design decisions that build in defense-in-depth you can provide layers of security that provide a secure foundation for innovation.

Portal’s MPC wallet infrastructure removes the single point of failure for wallet infrastructure. When you’re using MPC wallets, you don’t need to worry that an attacker will be able to quietly steal your users’ seed phrases or that a breach of your backend will leave your users exposed. By splitting responsibility for key management, you can provide your users with control over their assets and additional security.

With Portal’s extensive focus on security, are there any types of organizations that would benefit most from Portal? Why?

Yes! If you need wallets for your users - Portal is a great solution! With security at the forefront and an easy developer experience, you can move much quicker (and safer!) than building out that infrastructure for yourself.

On Portal’s Security Certifications and External Verification

Can you explain the significance of Portal's SOC 2 Type II certification and the rigorous audit process involved?

SOC 2 Type II is the industry standard for ensuring secure development practices. Every year, we are required to re-validate and re-verify that we are following best practices and secure development. We’re constantly undergoing either a pentest or audit to ensure that we also receive independent feedback and a review of our security posture.

Why does Portal undergo quarterly penetration testing by external firms, and what value does this provide?

Having a trained third party test the security protections you’ve put in place is an essential verification step. We always run our pentests as open-box engagements so that the firms we work with have access to our internals to increase the accuracy and likelihood of findings. Some companies are just looking for a clean report and prefer to hide issues in their pentests. At Portal, we want the most secure product, and so we do our best to provide areas of interest and threat models during our pentests.

You mentioned having an external code review and audit for your MPC product. Can you elaborate on the importance of these external verifications?

Cryptography is hard. Ensuring that you’re executing correctly and securely requires going a step further and having detailed code reviews on formally audited core libraries. At Portal, we ensured that not only was our core MPC library formally audited, but that the integration of that library was reviewed in detail by security experts with a focus on cryptography to make sure that every BigInt operation and random number was being handled securely. 

On Portal’s Approach to Key Management

Can you walk us through the key backup and recovery process for Portal wallets and how user assets are protected in case of device loss or theft?

Every user of a Portal wallet has control over their assets by controlling one of the two MPC shares required to sign a transaction. This share is securely stored on a user’s device. In case that device is lost, backup and recovery will allow them to reset it.

Portal provides a range of backup methods to give our customers flexibility in how they want to provide backup options for their users, depending on their use case. For example, one method leverages iCloud to store a key that protects the backup share, and another uses WebAuthn Passkeys to secure the backup.

To learn more about Portal’s security-first approach, please reach out to chat with us.