Few questions about cloud agents: authentication and wallet storage


Hello everyone,

let’s say I want to “create” an agency and provide cloud agents for my customers.

Here how I see it: When my customer register to my service, I will create for him a wallet in my cloud that he can access from an interface on his edge device.

Do the wallet have to be host in a virtual machine to be able to use its functionality ?

How to ensure the security and privacy of my customers?

Do my customer still need an edge agent (wallet on his device) since he can use my service to connect to its cloud agent ?

Can I use traditional 2-factor authenticationor other traditional methods to log the customer in his cloud agent or is it recentralizing the system and not self-sovereign anymore ?

If I can’t use traditional authentication methods to connect my user to its cloud agent, is it the purpose of the edge agent ?

Thank you, I might have more question but that’s already a lot.

Best regards,



My two cents:

No, the wallet doesn’t have to be hosted in a virtual machine. Many different ways to host the wallet are all equally valid.

Ensuring security and privacy is a very, very big topic. There’s no 1-sentence or 1-paragraph answer that will do it justice. However, I would say that the biggest guideline is: never let the agency hold keys that could impersonate or spy on a user.

Do customers need an edge agent? It is possible to write an agent that’s cloud-only (no mobile app). In such a case, the customer would have to “log in” to their cloud agent via some sort of web portal, to be able to make decisions. The trust of such an agent is lower, because a malicious sysadmin or hacker inside the agency infrastructure can compromise the agent. It is also lower because you would be using traditional 2-factor auth or similar to log in to that console. There may be a market for this type of agent; I don’t have a strong opinion.

The purpose of an edge agent is to put high-stakes keys and control in the hands of an identity owner, avoiding too much trust in a service.


Thanks Daniel,

I was indeed thinking of cloud-agent only,
I was thinking of this solution for organizations that require multiple access to a single wallet. So multiple employees can operate in the behalf on the organization.

For the cloud wallet to be operational I suppose we can’t just encrypt everything then decrypt when the user access via the web portal so even if the agent is compromised you can’t do anything with it.

Maybe we could just encrypt the “keys that could impersonate or spy on a user” and decrypt some of them(depending in the level of access) when authenticating ?

Now, concerning the different way to host a wallet on a cloud, what are the different alternatives ? Can I find some documentation on that last point ?