An underlying theme of this cycle has been challenging preconceived notions about how people around the world use Bitcoin. New behaviors are emerging and other cultures are using the asset in ways that are breaking previously established molds.
One major trend emerging from this chaotic environment is the resurgence of seedless security models, which take a fundamentally different approach to securing bitcoin private keys. Proponents argue that established security practices are failing to meet the expectations of a growing number of users. Along with the maturation of custodial options, the rise of ETF products is raising concerns about the possibility that future users will be drawn into more complex self-custodial solutions.
This is not the first time security experts have pointed the finger at seed phrases when asked about the difficulties of Bitcoin self-preservation. Industry veteran Jameson Lopp has said that security experts have pointed the finger at seed phrases when asked about the difficulties of Bitcoin self-preservation. There has been a long standing debate He is forthright about the challenges of the security model and also candid about its disadvantages. His company, multi-signature wallet provider Casa, was formed, in part, to address the problems posed by traditional backup methods.
In conversation with Bitcoin Magazine, the current Casa CEO Nick Newman echoed his colleague's concerns:
“We We need to think more carefully about how we use them as an industry because the user experience of getting hit with a seed phrase the first time you set up a wallet is very difficult,
The Dangers of Seed Phrases
Despite the remarkable progress in the quality of Bitcoin products and applications, the scenario of self-preservation remains perilous for those whose comfort with technology is limited to their iPhone. Every other day, accounts emerge of various successful phishing attacks targeting victims’ funds by compromising their wallet seed phrases.
Earlier this January, popular hardware wallet provider Trezor announced that they had reasons to believe that sensitive customer information had been leaked due to a breach in a third-party service provider’s systems. In the following months, X users reported a new wave of phishing attempts in their inboxes.
Another reminder of the fragile state of the average person's security practices came in 2022, following a security exploit that affected the popular password manager LastPass.
Following a number of wallet outage incidents affecting mobile and hardware wallet users alike, Researchers finally figured it out Seed phrases stored on the service's servers were compromised. a few months agoThere has been a loss estimated More than $250 million has been invested in various cryptocurrencies.
While popular bitcoin influencers have pushed for the adoption of more robust security systems associated with hardware wallets, a large number of market participants have not yet begun to adopt this practice. Shehzan Maredia, founder of bitcoin financial services company Lava, sees a significant divide between security product developers and a large portion of the bitcoin market.
He said, “I’ve realized that when you involve hardware wallets and seed phrases, most people start to question their ability to self-custody. Half of them will do a poor job of following the instructions and the other half will simply prefer to use a custodian.”
Security experts are adamant that private key material should remain offline at all times, but Maredia suggests that the secure enclaves present in modern mobile phones are sufficient to thwart most attacks affecting users today.
“Given the common causes responsible for users losing funds, it is rare to find instances of mobile keys being compromised.” Instead, he argues, it is more likely that users will do a poor job of keeping their seed phrase backup safe or will give it away during a phishing attack.
Seedless Challenges and Opportunities
There have been many improvements to bitcoin products since Casa introduced the seedless wallet approach several years ago, but so far very few have followed in the company's footsteps. While self-custodial applications are more robust than ever, some changes have added extra steps to an already significant learning process. It's worth questioning whether a nihilistic attitude towards security has turned this practice into distasteful rituals for the general public.
Newman remains optimistic. He suggests there has been a clear shift in the industry toward a more realistic approach, although he thinks bitcoin products are lagging behind
“There are still some wallets that force you to [save your seed phrase] I guess this is a form of risk management on their part, but it actually works against the goal of helping users feel comfortable holding their own keys.
Regardless, this trend shows that the rest of the industry is becoming increasingly aware of the risks to users handling sensitive information. Recent technologies such as the passkey implemented in Coinbase’s new “Smart Wallet”This new generation of products offers interesting options. Passkeys It is a new standard promoted by internet giants such as Apple and Google, which aims to replace traditional passwords with cryptographic keys linked to the user's device and identity.
According to our research,Estimate From early adopters There are indications that the technology still has to sort out important standardisation issues. Lava's Maredia agrees there is room for improvement. They recently launched a seedless solution that they believe achieves the best security compromise expected from a mobile device.
Lava Vault takes heavy inspiration from ex-Spiral developer Tankard Haase’s earlier contributions, called Photon SDKPhoton implements a seedless cloud backup similar to Casa's initial implementation of a mobile key wallet, but it is completely open-source, although it has not been maintained for some time. Maredia is confident that the 2-of-2 solution they have adopted from existing designs in the ecosystem can stand up against most known attacks.
“We considered things like passkeys, but we don't think they are designed to protect important key material like Bitcoin. They basically replace one piece of sensitive information with another and are usually stored in a password manager. In practice, most password managers do a poor job of handling them; they can be deleted very easily, even on iCloud.”
Lava secures users' seed phrases using a high entropy key stored on a separate server. Once encrypted, the seed is saved in a special directory on the user's cloud which can help prevent accidental deletion or malicious access. Users authenticate with a key server, which rate limits, using a 4-digit PIN of their choice. Lava does not require the creation of any accounts which keeps users' privacy secure from the service and its servers. For daily operations, the wallet uses another key stored on the device's secure enclave.
“Even if a party accesses encrypted information, there is no single point of failure because they must know the encryption key. Forgetful users can set up a PIN recovery method that allows them to change their PIN after a 30-day delay.”
Maredia expects that their security protocol will evolve according to users’ needs and varying risk profiles. Wallet policies such as 2FA, withdrawal or spending limits, and whitelisted addresses are already underway. “Lava Smart Key is a very flexible solution. Users can easily upgrade their self-custody setup, and we are ready to accommodate users who have specific demands,” he explains.
Although seedless backup has been criticized for exposing individuals to unnecessary third-party risk, open-source implementations like the Photon SDK and Lava's Vault model show that more vendors and service providers can implement similar standards and mitigate this problem.
Seed phrases remain a critical component of the security stack, but both entrepreneurs consulted for this article believe it is essential to keep them separate from the majority of future users.
“In general, I think the seed phrase is a very useful tool that makes your keys more portable between wallets and gives you an exit option in the event that something happens to the wallet software you’re using,” says Nick Newman, CEO of Casa.
To eliminate single points of failure, Casa promotes the combination of multi-signature schemes involving hardware devices, but insists on sticking to its seedless principles as much as possible.
“Wallet software is designed to manage private keys. Humans are not designed to manage private keys. So we should leave this job to the wallet.”
