Multi-Device Sync
Overview
Your HUMΛN Passport isn't tied to a single device—it syncs securely across your Device Mesh: phone, laptop, tablet, watch, and any other trusted device you own. This creates a distributed personal identity network where no single device holds complete authority, and losing one device doesn't mean losing your identity.
Why Multi-Device Sync?
- Portability: Your identity follows you across all your devices
- Resilience: Losing one device doesn't lock you out
- Redundancy: No single point of failure
- Sovereignty: You control which devices are part of your Mesh
- Recovery: Any 2-of-3 (or 3-of-5) devices can recover your full identity
- Privacy: Data syncs through your chosen cloud (iCloud, Google Drive, self-hosted S3), not HUMΛN's servers
Think of it like: Your phone, laptop, and tablet form a secure "council" where any majority can authenticate you—even if one is stolen or broken.
How Device Mesh Works
HUMΛN uses a threshold identity model to distribute trust:
- Device Enrollment: Each device gets a unique Device Passport Key
- Threshold Authentication: Any N-of-M devices (e.g., 2-of-3) can authenticate you
- Encrypted Sync: Each device holds an encrypted replica of your Passport data
- Local-First: Data originates on your device, encrypted before sync
- Cloud-Agnostic: You choose where encrypted data is stored (iCloud, Google Drive, OneDrive, S3, etc.)
┌─────────────┐ ┌──────────────┐ ┌───────────────┐
│ Phone │────│ Laptop │────│ Tablet │
│ (Device 1) │ │ (Device 2) │ │ (Device 3) │
└─────────────┘ └──────────────┘ └───────────────┘
│ │ │
└────────────────────┼─────────────────────┘
│
┌────────▼────────┐
│ Encrypted Sync │
│ (Your Cloud) │
│ iCloud/Drive/ │
│ Self-Hosted │
└─────────────────┘
Any 2 of these 3 devices can:
- Authenticate you
- Rotate keys
- Add a new device
- Remove a compromised device
- Recover your full Passport
SDK Examples
1. Enroll a New Device
typescript:TypeScript
```typescript
import { HumanOS } from '@human/sdk';
async function enrollNewDevice(
existingDevices: Device[],
newDeviceName: string
) {
// Step 1: Generate Device Passport Key on new device
const deviceKey = await HumanOS.Passport.generateDeviceKey({
deviceName: newDeviceName,
deviceType: 'laptop', // 'phone', 'tablet', 'watch', etc.
});
// Step 2: Request approval from existing devices (2-of-3 threshold)
const enrollmentRequest = await HumanOS.Passport.requestDeviceEnrollment({
deviceKey: deviceKey.publicKey,
deviceName: newDeviceName,
humanDid: "did:human:alice-smith",
});
console.log(`Enrollment request sent to ${existingDevices.length} devices`);
console.log(`Awaiting approval from 2 devices...`);
// Step 3: Existing devices approve (threshold met)
const approval = await HumanOS.Passport.waitForEnrollmentApproval({
enrollmentRequestId: enrollmentRequest.id,
requiredApprovals: 2,
timeout: 300000, // 5 minutes
});
if (!approval.approved) {
throw new Error('Device enrollment rejected or timed out');
}
console.log(`✓ Device enrolled successfully!`);
console.log(` Approved by: ${approval.approvedBy.join(', ')}`);
// Step 4: Sync encrypted Passport data to new device
await HumanOS.Passport.syncToDevice({
deviceKey: deviceKey,
encryptedPassportData: approval.encryptedData,
});
return deviceKey;
}
```
python:Python
```python
from human_sdk import HumanOS
async def enroll_new_device(
existing_devices: list,
new_device_name: str
):
# Step 1: Generate Device Passport Key on new device
device_key = await HumanOS.Passport.generate_device_key(
device_name=new_device_name,
device_type='laptop' # 'phone', 'tablet', 'watch', etc.
)
# Step 2: Request approval from existing devices (2-of-3 threshold)
enrollment_request = await HumanOS.Passport.request_device_enrollment(
device_key=device_key.public_key,
device_name=new_device_name,
human_did="did:human:alice-smith"
)
print(f"Enrollment request sent to {len(existing_devices)} devices")
print("Awaiting approval from 2 devices...")
# Step 3: Existing devices approve (threshold met)
approval = await HumanOS.Passport.wait_for_enrollment_approval(
enrollment_request_id=enrollment_request.id,
required_approvals=2,
timeout=300 # 5 minutes in seconds
)
if not approval.approved:
raise Exception('Device enrollment rejected or timed out')
print("✓ Device enrolled successfully!")
print(f" Approved by: {', '.join(approval.approved_by)}")
# Step 4: Sync encrypted Passport data to new device
await HumanOS.Passport.sync_to_device(
device_key=device_key,
encrypted_passport_data=approval.encrypted_data
)
return device_key
```
2. Sync Passport Updates Across Devices
typescript:TypeScript
```typescript
// Automatic sync when Passport is updated
async function updatePassportWithSync(
passportDid: string,
newCapability: Capability
) {
// Update Passport locally
const updatedPassport = await HumanOS.Passport.addCapability({
passportDid: passportDid,
capability: newCapability,
});
// Encrypt update
const encryptedUpdate = await HumanOS.Passport.encryptUpdate({
update: updatedPassport,
vaultKey: await getVaultKey(), // Device Vault key
});
// Sync to user's chosen cloud (iCloud, Google Drive, etc.)
await HumanOS.Passport.syncToCloud({
encryptedUpdate: encryptedUpdate,
cloudProvider: 'icloud', // or 'google-drive', 'onedrive', 's3'
conflictResolution: 'newest-signature', // or 'manual'
});
console.log('✓ Passport update synced to all devices');
// Other devices will pull update automatically
return updatedPassport;
}
```
python:Python
```python
# Automatic sync when Passport is updated
async def update_passport_with_sync(
passport_did: str,
new_capability: Capability
):
# Update Passport locally
updated_passport = await HumanOS.Passport.add_capability(
passport_did=passport_did,
capability=new_capability
)
# Encrypt update
encrypted_update = await HumanOS.Passport.encrypt_update(
update=updated_passport,
vault_key=await get_vault_key() # Device Vault key
)
# Sync to user's chosen cloud (iCloud, Google Drive, etc.)
await HumanOS.Passport.sync_to_cloud(
encrypted_update=encrypted_update,
cloud_provider='icloud', # or 'google-drive', 'onedrive', 's3'
conflict_resolution='newest-signature' # or 'manual'
)
print('✓ Passport update synced to all devices')
# Other devices will pull update automatically
return updated_passport
```
3. Recover Identity After Device Loss
typescript:TypeScript
```typescript
// Scenario: Lost phone, recovering on new device
async function recoverPassportOnNewDevice(
humanDid: string,
remainingDevices: Device[] // e.g., laptop + tablet
) {
// Step 1: Verify you control remaining devices (threshold authentication)
const authProofs = await Promise.all(
remainingDevices.map(device =>
HumanOS.Passport.generateAuthProof({
deviceKey: device.privateKey,
humanDid: humanDid,
challenge: generateChallenge(),
})
)
);
// Step 2: Meet threshold (2-of-3 devices authenticate)
const recovery = await HumanOS.Passport.recoverIdentity({
humanDid: humanDid,
authProofs: authProofs,
requiredProofs: 2, // 2-of-3 threshold
});
if (!recovery.success) {
throw new Error('Recovery failed: insufficient devices or invalid proofs');
}
console.log('✓ Identity recovered!');
console.log(` Authenticated by: ${recovery.authenticatedBy.join(', ')}`);
// Step 3: Download encrypted Passport data from cloud
const encryptedPassport = await HumanOS.Passport.downloadFromCloud({
humanDid: humanDid,
cloudProvider: 'icloud',
authProofs: authProofs,
});
// Step 4: Decrypt with recovered vault key
const passport = await HumanOS.Passport.decrypt({
encryptedData: encryptedPassport,
recoveryKey: recovery.vaultKey,
});
console.log('✓ Passport restored on new device');
return passport;
}
```
python:Python
```python
# Scenario: Lost phone, recovering on new device
async def recover_passport_on_new_device(
human_did: str,
remaining_devices: list # e.g., laptop + tablet
):
# Step 1: Verify you control remaining devices (threshold authentication)
auth_proofs = await asyncio.gather(*[
HumanOS.Passport.generate_auth_proof(
device_key=device.private_key,
human_did=human_did,
challenge=generate_challenge()
)
for device in remaining_devices
])
# Step 2: Meet threshold (2-of-3 devices authenticate)
recovery = await HumanOS.Passport.recover_identity(
human_did=human_did,
auth_proofs=auth_proofs,
required_proofs=2 # 2-of-3 threshold
)
if not recovery.success:
raise Exception('Recovery failed: insufficient devices or invalid proofs')
print('✓ Identity recovered!')
print(f" Authenticated by: {', '.join(recovery.authenticated_by)}")
# Step 3: Download encrypted Passport data from cloud
encrypted_passport = await HumanOS.Passport.download_from_cloud(
human_did=human_did,
cloud_provider='icloud',
auth_proofs=auth_proofs
)
# Step 4: Decrypt with recovered vault key
passport = await HumanOS.Passport.decrypt(
encrypted_data=encrypted_passport,
recovery_key=recovery.vault_key
)
print('✓ Passport restored on new device')
return passport
```
Use Cases
1. Add Work Laptop to Personal Device Mesh
Scenario: You have a phone and personal laptop (Device Mesh). Now you want to add your work laptop.
typescript:TypeScript
```typescript
// On work laptop (new device)
async function addWorkLaptop() {
const workLaptop = await HumanOS.Passport.enrollDevice({
deviceName: "Alice's Work Laptop",
deviceType: 'laptop',
humanDid: "did:human:alice-smith",
});
// Notification sent to phone + personal laptop
// User approves on both devices (meets 2-of-3 threshold)
console.log('✓ Work laptop added to Device Mesh');
console.log(' Can now authenticate with any 2 of 3 devices');
}
```
python:Python
```python
# On work laptop (new device)
async def add_work_laptop():
work_laptop = await HumanOS.Passport.enroll_device(
device_name="Alice's Work Laptop",
device_type='laptop',
human_did="did:human:alice-smith"
)
# Notification sent to phone + personal laptop
# User approves on both devices (meets 2-of-3 threshold)
print('✓ Work laptop added to Device Mesh')
print(' Can now authenticate with any 2 of 3 devices')
```
2. Revoke Compromised Device
Scenario: Your phone was stolen. Immediately revoke its access using remaining devices.
typescript:TypeScript
```typescript
async function revokeCompromisedDevice(
stolenDeviceId: string,
remainingDevices: Device[]
) {
// Revoke device with approval from 2 remaining devices
const revocation = await HumanOS.Passport.revokeDevice({
deviceId: stolenDeviceId,
reason: "Device stolen",
authProofs: remainingDevices.map(d => d.authProof),
requiredApprovals: 2,
});
console.log('✓ Compromised device revoked');
console.log(' All delegations from that device are now invalid');
// Stolen phone can no longer:
// - authenticate
// - access Passport data
// - participate in threshold authentication
// - sync updates
return revocation;
}
```
python:Python
```python
async def revoke_compromised_device(
stolen_device_id: str,
remaining_devices: list
):
# Revoke device with approval from 2 remaining devices
revocation = await HumanOS.Passport.revoke_device(
device_id=stolen_device_id,
reason="Device stolen",
auth_proofs=[d.auth_proof for d in remaining_devices],
required_approvals=2
)
print('✓ Compromised device revoked')
print(' All delegations from that device are now invalid')
# Stolen phone can no longer:
# - authenticate
# - access Passport data
# - participate in threshold authentication
# - sync updates
return revocation
```
3. Peer-to-Peer Local Sync (No Internet Required)
Scenario: You're offline but have multiple devices nearby. Sync via Bluetooth/Wi-Fi Direct.
typescript:TypeScript
```typescript
// Phone updates Passport offline
const updatedPassport = await HumanOS.Passport.updateLocal({
passportDid: "did:human:alice-smith",
update: newCapability,
});
// Sync to nearby laptop via Bluetooth
await HumanOS.Passport.syncP2P({
targetDevice: {
deviceId: "laptop-device-id",
transport: 'bluetooth', // or 'wifi-direct', 'ultra-wideband'
},
encryptedUpdate: updatedPassport,
});
console.log('✓ Synced to laptop via Bluetooth (offline)');
// When devices regain internet, they'll sync to cloud
```
python:Python
```python
# Phone updates Passport offline
updated_passport = await HumanOS.Passport.update_local(
passport_did="did:human:alice-smith",
update=new_capability
)
# Sync to nearby laptop via Bluetooth
await HumanOS.Passport.sync_p2p(
target_device={
'device_id': 'laptop-device-id',
'transport': 'bluetooth' # or 'wifi-direct', 'ultra-wideband'
},
encrypted_update=updated_passport
)
print('✓ Synced to laptop via Bluetooth (offline)')
# When devices regain internet, they'll sync to cloud
```
Conflict Resolution
When multiple devices update the Passport simultaneously, conflicts are resolved using:
1. Newest Valid Signature (Default)
// Device A and Device B both add capabilities offline
// When they sync:
const resolvedUpdate = {
capability1: { timestamp: '2026-01-10T12:00:00Z', signature: '0xabc...' }, // Device A
capability2: { timestamp: '2026-01-10T12:05:00Z', signature: '0xdef...' }, // Device B (newer)
};
// Device B's update wins (newer timestamp + valid signature)
2. Manual Resolution (Human Override)
await HumanOS.Passport.resolveConflict({
conflictId: "conflict-abc123",
resolution: 'manual',
selectedVersion: 'device-b-version', // Human chooses
});
Security Considerations
DO:
- Use at least 2-of-3 threshold (never 1-of-1)
- Immediately revoke lost/stolen devices from remaining devices
- Store encrypted backups in your cloud (not HUMΛN's)
- Regularly rotate device keys (annually recommended)
- Use biometric authentication on each device (local protection)
DON'T:
- Enroll untrusted devices (e.g., public kiosks, shared computers)
- Use 1-of-1 threshold (no recovery if device is lost)
- Share device keys across devices (each device = unique key)
- Skip device revocation when upgrading (revoke old device first)
- Disable encryption for "convenience"
Privacy by Design
HUMΛN never sees your Passport data:
| Component | Who Controls | Where Stored | HUMΛN Access |
|---|---|---|---|
| Passport Data | You | Your device + Your cloud | ❌ No |
| Device Keys | You | Your devices (Secure Enclave) | ❌ No |
| Vault Encryption Key | You | Split across devices (threshold) | ❌ No |
| Sync Metadata | You | Your cloud provider | ❌ No |
HUMΛN only knows:
- Public keys (for verification, publicly available)
- Ledger anchors (public blockchain data)
We cannot:
- Read your Passport data
- Impersonate you
- Access your vault
- Revoke your devices (only you can)
smartphone:Seamless Login|Authenticate on any device without re-entering credentials
shield:Device Loss Recovery|Recover identity using remaining devices if one is lost or stolen
building:Enterprise Mobility|Employees access company resources from multiple trusted devices
network:Agent Deployment|Deploy agents across distributed infrastructure with consistent identity
do:Use threshold authentication (N-of-M devices) for critical operations
do:Encrypt all sync data before uploading to cloud storage
do:Implement device attestation to prevent unauthorized enrollment
do:Enable automatic device revocation for lost/stolen devices
dont:Store unencrypted private keys in cloud storage
dont:Allow single-device recovery without multi-factor verification
dont:Skip conflict resolution - handle concurrent device updates
dont:Trust device enrollment without physical confirmation
Next Steps
- Learn how to Create a Passport
- Understand Offline Verification
- Explore Delegation