Ready for Web3 crypto security?
Everyone is talking and working on Web3. Jack Dorsey is going even further, talking about Web5 powered by Bitcoin.
Web3 is the new evolution of the web that’s powered by crypto. On Web2 platforms like Facebook and Twitter, users can only “read and write.” On Web3 platforms, users can “read, write and own” — meaning users can own the digital assets they create as well as be part of the network infrastructure.
Web3 is a powerful narrative that is capturing the attention of entrepreneurs and investors who are looking for the next big thing. But managing keys has been a long-standing problem for crypto. Users have lost billions of dollars of crypto because of the inefficient management of their private keys.
There is a major roadblock when it comes to Web3 and crypto going mainstream: the user experience is difficult and not straightforward. For those new to crypto to perform even the most essential thing is hard — to have custody over their digital assets.
When you have you use a bank or a Web2 application, they control all of your interactions with them. They have absolute power – they can reset your password or even change the rules for passwords on the fly.
With crypto security, users can remove the intermediary and have a direct relationship with the protocol.
This is an awesome power that is both incredible and frightening at the same time.
It’s incredible because you own your crypto and no one can revoke the ownership of your tokens, NFTs, or digital assets. It’s frightening because you’re in charge of controlling the secrets that control your digital access. This is a critical responsibility and while there are tools to make it easier and less daunting, we are still in the early days.
But more importantly, it requires a new way of thinking.
Web3 companies cannot expect users to immediately leap from familiar centralized experiences into the deep end of decentralization in one step.
When people think about crypto they think about hacks. Hackers have already nabbed $1.22 billion worth of crypto in 2022. But the truth is that the Bitcoin and the Ethereum network have never been hacked. The cryptographic infrastructure of these blockchains is so strong and so well-thought-out that it’s virtually impossible to hack them.
Yet we’ve heard of crypto hacks. So what are people talking about when they talk about crypto hacks?
When someone on Twitter pretends to be Elon Musk and says send me your bitcoin, that’s a Bitcoin hack. But no one can go to the Bitcoin or the Ethereum network and impersonate me to trick the network and take my ETH. That can’t happen.
To make an analogy with our present reality, no one can break into the bank vault, but people have tricked bank customers to give them their information, and then used it to steal their funds. Vaults have always been secure, but the bank’s customers have been tricked.
A prominent method attackers use is to look for people who need support for a specific dApp or wallet and jump in and offer to help, by misrepresenting themselves as someone with authority. In the process, the attacker will ask for the seed phrase as part of the debugging process. You should never give anyone your seed phrase under any circumstances. There is no reason you would ever need to do that.
Also with everyone getting into NFTs, sophisticated attackers are exploiting NFT drops. You go to a site to mint or buy an NFT, but it’s not a trusted site, and you need to sign a transaction but you may not know exactly what you’re signing. You may be approving something nefarious, like transferring funds you didn’t intend to send or granting permission to your funds. When Metamask or your wallet pops up to approve a transaction, you may need to inspect the nature of that transaction to understand what it is exactly that you’re approving. If you’re signing a transaction on OpenSea you’re on a trusted venue. But if you’re signing it on some brand new NFT drop, that just appeared a few hours ago and is going to disappear in a few hours and you need to buy now as the time is running out, you should probably think twice and inspect the transaction details before you sign the transaction. We are still in the wild west.
Generally speaking the enclave on smartphones is very secure. If you install a non-custodial wallet on your smartphone, you can trust that the crypto wallet is going to remain secure and keep your private key safe. But then the risk is how to back up the private key if that phone is destroyed or if you lose that smartphone.
There are tons of stories that we’re heard and read about with people losing their keys, saving them on hard drives that burnt out or forgetting the password to their hardware wallet.
In Forbes, Jameson Lopp discusses his Bitcoin custody tips. The article provides an excellent explanation of the various alternative and trade-offs.
According to Jameson, the most serious threat is accidental loss. Usually, wallets have a seed phrase that can be backed up. You can back it up digitally, on paper, on steel, or even in your mind. But what happens if you lose both your wallet and your seed phrase? That’s where things like social recovery come into play or facial biometrics that let users encrypt and upload their private keys to their cloud.
The second-biggest security threat is digital theft. The future of storing private keys has to do with Multi-Party Computation (MPC) or Shamir’s Secret Sharing, which are methods that split the private key among a few trusted private parties. MPC wallets and Multi-signature wallets do not have the structural problem that exists with other wallets — they do not rely on a single secret to access and spend your funds.
The third biggest security threat is government seizure. This is far more likely if the coins are on an exchange because government regulators can compromise them, and let’s not forget that hackers can steal them (always remember “not your keys, not your crypto”). Today, most crypto users depend entirely on exchanges for the custody of their cryptocurrencies. Exchanges allow users to recover their passwords in a familiar traditional way. But I would not recommend that you rely on exchanges to store your crypto. Holding assets on an exchange will limit your ability to use those assets. If for example, you hold ETH on an exchange you won’t be able to do different DeFi stuff, you won’t be able to buy and trade NFTs, and you won’t be able to use Web3 authentication.
Accessing Web3 is largely inaccessible through a custodian, like an exchange. The Web3 experience requires sending crypto to a non-custodial wallet, in which no one but the user holds the private keys.
Most Web3 users will not be crypto-native, and asking them to obtain hardware wallets and create security systems is asking too much of them.
The wallet user experience is suboptimal. You need to create a wallet, store (or remember) an incredibly long seed phrase or risk being locked out, and then transfer in funds. Once you’ve done that, you have to pay gas fees before you’re able to buy anything. So the whole system is not quite ready for mass-market adoption yet.
The good news is that there’s a huge market opportunity.
The future of mass-market crypto experiences lies within wallet apps that provide familiar, custodial experiences with the ability to graduate users to simple and secure non-custodial experiences.
by Ilias Louis Hatzis is the founder and CEO of Kryptonio Wallet.
Subscribe by email to join the other Fintech leaders who read our research daily to stay ahead of the curve. Check out our advisory services (how we pay for this free original research.