An underlying theme of this cycle has been challenging preconceived notions about how people use bitcoin around the world. New behaviors are emerging and other cultures are using the asset in ways that break previously established molds.
One important trend emerging from this chaotic environment is the resurgence of seedless security models, which take a radically different approach to protecting bitcoin private keys. Proponents argue that established security practices are failing to meet the expectations of a growing number of users. Along with the maturation of custodial alternatives, the emergence of ETF products is raising concerns about the potential for future users to jump on board with more complex self-custody solutions.
It's not the first time security specialists have pointed out key phrases when asked about the difficulties of bitcoin self-custody in crossing the chasm. Industry veteran Jameson Lopp has long debate The challenges of the security model and remains outspoken about its difficulties. His company, multi-signature wallet provider Casa, was formed, in part, to address the problems created by traditional backup methods.
In a conversation with bitcoin Magazine, current Home CEO Nick Neuman echoed his colleague's concerns:
“Us We need to think more carefully about how we use them as an industry because the user experience of receiving a seed phrase the first time they set up a wallet is very difficult..”
The dangers of seed phrases
Despite significant advances in the quality of bitcoin products and applications, the self-custody landscape remains perilous for those whose comfort with technology is limited to their iPhones. Every other day, accounts emerge of several successful phishing attacks targeting victims’ funds by compromising their wallets’ seed phrases.
In early January, popular e-wallet provider Trezor announced that it had reason to believe that sensitive customer information had been leaked due to a breach in a third-party service provider’s systems. In the following months, x users reported a new wave of phishing attempts arriving in their inboxes.
Another reminder of the fragile state of the average person’s security practices came in 2022 following a security vulnerability affecting the popular password manager LastPass.
Following a series of curious incidents affecting mobile and hardware wallet users alike, Researchers finally discovered that seed phrases stored on the service's servers had been compromised. x.com/tayvano_/status/1788039611627000244″>A couple of months agoLosses have occurred x.com/tayvano_/status/1788039611627000244″>My dear having reached more than 250 million dollars in various cryptocurrencies.
While popular bitcoin influencers have made a case for the adoption of more robust security systems involving hardware wallets, a large number of market participants are yet to warm to the practice. Shehzan Maredia, founder of bitcoin financial services firm Lava, sees a significant divide between security product developers and a large portion of the bitcoin market.
“I've noticed that most people start to question their self-custody capabilities when it comes to hardware wallets and seed phrases. Half of them won't follow instructions well and the other half will simply prefer to use custodians,” he said.
Security experts insist that private key material should remain offline at all times, but Maredia suggests that the secure enclaves present in modern mobile phones are sufficient to thwart most attacks affecting users today.
“If we look at the most common reasons responsible for the loss of user funds, it is rare to find examples of compromised mobile keys.” Instead, he argues, users are more likely to fail to protect their seed phrase backup well or reveal it during a phishing attack.
Challenges and opportunities without seeds
bitcoin products have seen many improvements since Casa pioneered the seedless wallet approach years ago, but so far few have followed in the company’s footsteps. While self-custody applications are more robust than ever, some changes have introduced additional steps to an already significant learning curve. It’s worth asking whether a nihilistic attitude toward security has pigeonholed the practice into rituals unpleasant for the average person.
Neuman remains optimistic. He suggests there has been an observable shift in the industry toward more realistic approaches, although he believes bitcoin products are lagging behind.
“There are still quite a few similar wallets that force you to store your seed phrase in advance. I think it’s a kind of risk management measure on their part, but it actually defeats the purpose of helping users feel comfortable with their own keys.”
However, the trend suggests that the rest of the industry is beginning to understand the risks involved in handling confidential information by users. Recent technologies, such as passwords, implemented in the new “Smart Wallet”, offer interesting alternatives for this new generation of products. Access keys They are a new standard promoted by Internet giants such as Apple and Google, which seek to replace traditional passwords with cryptographic keys linked to the device and the user's identity.
According to our research, tx.com/johnjohnson/status/1811451151096906025″>estimates of x.com/martypartymusic/status/1803829746117284185″>early adopters They say the technology still has to solve important standardization issues. Lava's Maredia agrees that there is room for improvement. He recently launched a seedless solution that he believes achieves the best security trade-offs one can expect from mobile devices.
The Lava Vault draws heavily on previous contributions from former Spiral developer Tankred Hase, called the Photon Software Development KitPhoton implements a seedless cloud backup similar to Casa’s initial implementation of the mobile key wallet, but it is completely open source, although it has not been maintained for some time. Maredia is convinced that the 2-of-2 solution he has adapted from existing designs in the ecosystem can withstand most known attacks.
“We’ve looked at things like passcodes, but we don’t think they’re designed to protect important key material like bitcoin. They’re basically trading one piece of sensitive information for another, and they’re typically stored in a password manager. In practice, most password managers don’t manage them well – they can be deleted very easily even in iCloud.”
Lava protects users’ seed phrases using a high-entropy key stored on a separate server. Once encrypted, the seed is saved in a special directory on the user’s cloud that can help prevent accidental deletion or malicious access. Users authenticate with a key server, which applies rate limiting, using a 4-digit PIN of their choosing. Lava does not require the creation of any account, preserving the privacy of users of the service and its servers. For day-to-day operations, the wallet uses another key stored in the secure enclave of the device.
“Even if one party gains access to encrypted information, there is no single point of failure because they would need to know the encryption key. Forgetful users can set up a PIN recovery method that allows them to change their PIN after a 30-day delay.”
Maredia expects its security protocol to evolve based on user needs and different risk profiles. Wallet policies such as 2FA, withdrawal or spending limits, and whitelisted addresses are already on the way. “Lava Smart Key is a very flexible solution. Users can update their self-custody settings easily, and we are open to adapting to users who have specific demands,” he explains.
While seedless backups have been criticized for exposing people to undue risks from third parties, open source implementations such as the Photon SDK and Lava's vault model suggest that more vendors and service providers could implement similar standards and mitigate this problem.
Seed phrases remain an important component of the security stack, but both business owners consulted for this article believe it is essential to abstract them away from most future users.
“I think seed phrases in general are a really useful tool to make your keys more portable between wallets and give you that exit option in case something happens to the wallet software you’re using,” says Casa CEO Nick Neuman.
To eliminate single points of failure, Casa promotes a combination of multi-signature schemes involving hardware devices, but insists on sticking to its seedless principles whenever possible.
“Wallet software is designed to manage private keys. Humans are not made to manage private keys. Therefore, we should leave that task to wallets.”
