Blind Signing Resistance
The security of human wallet is geared toward being like standard financial services: even though users custody their own funds, they shouldn't have to worry about losing them if their device is compromised. In standard financial servies this luxury is due to centralization: one company with a large budget for security controls the entirety of user funds. However, with Human Wallet, security is outsourced without a company being able to access any funds!
Human wallet uses a combination of transaction simulation, malware-resistant multifactor devices, cold storage, and trusted execution environments (TEEs) to make negligable the risk of blind signing.
Communication Channel between Secure Device and TEEs​
The way that human wallet resists blind signing is through a secure communication channel between a secure device, e.g. a hardware wallet or mobile phone, and a TEE that runs multiple transaction simulations. The TEE sends the human-readable simulation response to the hardware wallet or phone, which gives a signature not of the transaction but of this response. This shows that the user has confirmed on a secure device what the readble transaction output is, rather than the raw transcaction itselfs.
Using with SAFE​
Human wallet can be used as a SAFE signer. If not using hardware wallets, this helps hedge the risk across multiple mobile phones. It also hedges against the risk of Human Wallet not existing; while we do not believe this is a serious risk, customers often have this concern. Hence, using Human Wallet as a signer on a multisignature wallet offers the security that in case Human Wallet doesn't exist or loses user keys, user wallets will still be recoverable. For this setup, the multisig should have a backup key in cold storage. This is used as a backup cold signer and human wallet is used as the a hot signer for everyday transactions because of its resistance to malware and blind signing.
How to setup Human Wallet against blind signing:​
Please refer to this tutorial on X