Betfin uses the Privy service, which “powers” the built-in wallet and allows the user to create an account. This account works as a trusted environment: neither the Betfin operator, nor Privy, nor any third party can access the private key. The reason is simple: the key is split and encrypted and exists in its complete form only briefly and only when performing a specific action.
The private key is protected in two independent places:
- in the Privy infrastructure (in a secured TEE environment)
- on the user’s side through their login method (for example, passkey or e-mail/SSO).
Thanks to this, the key can be temporarily assembled only at the moment when the user needs to send funds, confirm a bet, or perform staking. Outside this moment, the key as a whole does not exist.
What is Privy
Privy is infrastructure for wallets and authentication that developers plug into their applications. A user can log in “with what they know” (e-mail/SSO) or “with what they have” (a passkey in the phone or laptop). Privy is non-custodial by design: sensitive operations take place in an isolated Trusted Execution Environment (TEE) and the private key is always split into encrypted shares.
Why neither Betfin nor Privy has access to the user’s data
The key is split into two encrypted parts (the so-called 2-of-2 model). One part is tied directly to the TEE (enclave share), the other is protected by user authentication (auth share). These parts are joined only temporarily and only inside the TEE when the user triggers a specific operation. The individual parts reveal nothing on their own, and outside the TEE the entire key does not appear.
What security guarantees Privy provides
1) Vault inside the server (TEE) + key splitting
Privy uses Trusted Execution Environments — specifically AWS Nitro Enclaves — where sensitive operations are performed separately from the rest of the system. The private key is split, so no single part reveals anything.
2) The key exists whole only at the moment of action
When signing a transaction, the two encrypted parts are temporarily joined in the TEE’s memory and, after completion, separated again. Nowhere does the complete key “lie around” permanently.
3) External security verification
Privy declares independent audits (e.g., Cure53, Zellic, Doyensec) and SOC 2 Type I/II.
4) Emergency exit: key export
The user can export the key and use the address in another wallet (e.g., MetaMask/Phantom). During export, the key is assembled on a different “origins” than the application runs on, so neither the application nor Privy can see it — only the user sees the key. (Once displayed, the key must be treated as the most sensitive secret.)
The user’s login method = the key to action
It is possible to use one or more methods.
Recommendation: have at least two (e.g., passkey + e-mail/SSO) so that a backup exists.
1) Passkey (recommended foundation)
What it is: A secure “key” tied to the user’s device, biometrics (fingerprint/face), and domain.
- More devices? The user can have multiple passkeys for the same account (e.g., phone and laptop).
- Backup: A passkey is not exported as a file, but it can be backed up via iCloud/Google or a password manager.
- Device loss: Without a backup, the user loses this way of access. Therefore, it is advisable to have a second method (e.g., e-mail/SSO).
2) E-mail / SSO (Google, etc.)
Simple entry: If the user gains access to their mailbox or Google/Apple account, they also get into the wallet.
- Independent backup: It works even if Betfin is temporarily offline or the domain is unavailable.
- After activation: Once this option is enabled, access is “backed up” — however, reliability also depends on the e-mail provider.
3) Export of the private key (for advanced users)
- After logging in, the user can export the private key and use it, for example, in MetaMask. They can also import it back into the Betfin wallet.
Important: Once the key is displayed, it is appropriate to treat it as highly sensitive and potentially at risk (it is no longer “hidden” only in a secure process). Export makes sense only if the user knows exactly what they are doing and how to store the key safely.
Practical tips for the average user
- Have at least two login methods (e.g., passkey + e-mail/SSO).
- Back up the passkey (password manager/iCloud/Google) and ideally have it on multiple devices.
- Use key export only when the user knows how to store the key safely.
- When changing settings, verify that the backup really works (try logging in from a second device).
Sources
https://docs.privy.io/welcome
