The main theme of this course was to challenge preconceptions about how people around the world use Bitcoin. New behaviors have emerged and other cultures are using this asset in ways that break previously established molds.
One of the key trends emerging from this chaotic environment is the resurgence of seedless security models, which take a radically different approach to securing Bitcoin’s private keys. Proponents argue that established security practices are failing to meet the expectations of a growing number of users. Along with the maturation of custodial alternatives, the emergence of exchange-traded fund products raises concerns that users may in the future turn to more complex self-custodial solutions.
This isn’t the first time security experts have pointed fingers at seed statements when asked about the difficulties of self-custody of Bitcoin. Industry veteran Jameson Lopp pointed out that these statements are not true. It has been discussed for a long time. The challenges posed by the security model, and he remains vocal about its shortcomings. His company, Casa, a multi-signature wallet provider, was founded in part to address the problems caused by traditional backup methods.
In conversation with Bitcoin Magazine, the current Casa CEO Nick Newman echoed his colleague’s concerns:
“we We need to think more carefully about how we use it as an industry because the user experience of being exposed to a keyword the first time you set up a wallet is very difficult.“.”
Dangers of seed phrases
Despite the great progress made in the quality of Bitcoin products and applications, the self-custodial landscape remains risky for those whose comfort with technology is limited to their iPhones. Every other day, reports emerge of various successful phishing attacks targeting victims’ funds by hacking their wallet’s seed phrases.
Earlier in January, popular e-wallet provider Trezor announced that it had reason to believe that sensitive customer information had been leaked due to a breach in a third-party service provider’s systems. In the months since, X users have reported a new wave of phishing attempts hitting their inboxes.
In 2022, another reminder of the fragile state of the average person’s security practices came after a security vulnerability affected the popular password manager LastPass.
After a series of bizarre wallet drain incidents that affected both mobile and physical wallet users, The researchers eventually came to That the seed phrases stored on the service’s servers have been compromised. As of a few months agoThe losses were estimated It has reached over $250 million in various cryptocurrencies.
While prominent Bitcoin influencers have called for stronger security systems that include hardware wallets, a significant number of market participants have yet to adapt to the practice. Shahzan Maridia, founder of financial services firm Bitcoin Lava, sees a significant divide between security product developers and a large portion of the Bitcoin market.
“I’ve realized that most people start to question their ability to self-custody when it comes to hardware wallets and seed phrases. Half of them won’t do a good job of following instructions and the other half simply prefer to use custodians,” he noted.
Security experts stress that private essentials should remain offline at all times, but Maridia points out that the secure enclaves found in modern mobile phones are sufficient to thwart the majority of attacks affecting users today.
“Given the common reasons users lose money, it is rare to find examples of mobile key compromise.” He claims that users are more likely to do a poor job of securing a backup copy of their seed phrase or provide it during a phishing attack.
Challenges and opportunities of seedless agriculture
Bitcoin products have seen a lot of improvements since Casa began implementing a seedless wallet approach years ago, but few companies have yet followed suit. While self-custody apps are more powerful than ever, some of the changes have added extra steps to an already steep learning curve. It’s worth wondering whether a nihilistic attitude toward security has turned the practice into an unpalatable ritual for the average person.
Neumann remains optimistic. He notes that there has been a noticeable shift in the industry toward more realistic approaches, though he believes Bitcoin products are lagging behind.
“There are still quite a few wallets that force you to (save the seed phrase) in advance. I think this is some kind of risk management on their part, but it actually works against the goal of helping users feel comfortable holding their private keys.”
Regardless, the trend suggests that the rest of the industry is coming to terms with the risks users may face when handling sensitive information. Modern technologies such as passkeys have been implemented in the new Coinbase.Smart Wallet“It offers interesting alternatives to this new generation of products. Passwords They are new standards promoted by internet giants such as Apple and Google, which aim to replace traditional passwords with encryption keys linked to the user’s device and identity.
According to our research,Estimates from Top These results suggest that the technology has yet to solve significant standardization issues. Lava’s Maridia agrees that there is room for improvement. He recently launched a seedless solution that he believes makes the best security compromises one could expect from a mobile device.
Lava Vault draws heavy inspiration from old contributions from former Spiral developer Tankred Hase named Photon Software Development KitPhoton implements a seedless cloud backup similar to Casa’s early implementation of a portable key wallet but is fully open source, although it has not been maintained for some time. Maredia is convinced that the 2-by-2 solution he adapted from existing designs in the ecosystem can withstand most known attacks.
“We’ve looked at things like passkeys, but we don’t think they’re designed to secure critical assets like Bitcoin. They’re essentially replacing one piece of sensitive information with another and are typically stored in a password manager. In practice, most password managers don’t do a good job of handling them, and they can be deleted very easily, even on iCloud.”
Lava secures user phrases using a high-entropy key stored on a separate server. Once encrypted, the seed is saved to a private directory on the user’s cloud which can help prevent accidental deletion or malicious access. Users authenticate using a key server, which enforces a speed limit, using a 4-digit PIN of their choice. Lava does not require any account creation which keeps users private from the service and its servers. For day-to-day transactions, the wallet uses another key which is stored in the device’s secure enclave.
“Even if a third party gains access to encrypted information, there is no single point of failure because they have to know the encryption key. Users can forget to set up a PIN recovery method that allows them to change their PIN after a 30-day delay.”
Maridia expects his security protocol to evolve according to different user needs and risk profiles. Wallet policies such as two-factor authentication, withdrawal or spending limits, and whitelisted addresses are already on their way. “Lava Smart Key is a very flexible solution. Users can easily upgrade their self-custody settings, and we are open to meeting the needs of users with specific requirements,” he explains.
Although seedless backups have been criticized for exposing individuals to undue risk from third parties, open source implementations like the Photon SDK and Lava’s Vault model suggest that more vendors and service providers can implement similar standards and mitigate this issue.
Seed phrases remain an important component of the security suite, but both entrepreneurs consulted for this article believe they should be stripped from most users in the future.
“I think seed phrases in general are a very useful tool to make your keys more portable between wallets and give you an exit option if anything happens to the wallet software you’re using,” says Nick Newman, CEO of Casa.
In order to eliminate single points of failure, Casa encourages a range of multi-signature plans involving hardware but insists on adhering to its seedless principles wherever possible.
“Wallet software is designed to manage private keys. Humans are not qualified to manage private keys. So we should leave that task to wallets.”