The underlying theme of this cycle is that people around the world are challenging preconceived notions of how they use Bitcoin. New behaviors are emerging and other cultures are using the asset in ways that break previously established molds.
A major trend emerging from this chaotic environment is the resurgence of the seedless security model, which takes a fundamentally different approach to protecting Bitcoin private keys. Proponents argue that established security practices are not meeting growing user expectations. As custodial alternatives mature, the emergence of ETF products has raised concerns that future users may adopt more complex self-custodial solutions.
This isn’t the first time that security experts have pointed to the seed phrase when asked about the difficulty of Bitcoin’s self-custody traversal. Industry veteran Jameson Lopp said: It has been debated for a long time He has been challenging the security model and remaining outspoken about its pitfalls. His company, multi-signature wallet provider Casa, was founded to address the issues presented by traditional backup methods.
In a conversation with Bitcoin Magazine, Casa CEO Nick Newman echoed his colleague’s concerns.
“we As an industry we need to think more carefully about how we use it because the user experience of being shown a seed phrase when setting up a wallet for the first time is extremely difficult..”
The dangers of seed phrases
Despite the vast improvement in the quality of Bitcoin products and applications, the self-managed situation remains precarious for those whose only technological familiarity is with an iPhone. Every day reports emerge of various successful phishing attacks aimed at stealing wallet seed phrases and stealing victim funds.
Earlier this January, popular hardware wallet provider Trezor announced that it had reason to believe sensitive customer information had been exposed following a breach of a third-party service provider’s systems. In the months that followed, X users reported seeing a new wave of phishing attacks flooding their inboxes.
A security exploit that affected popular password manager LastPass in 2022 was a fresh reminder of the weak state of the average person’s security posture.
Following a series of bizarre wallet leaks affecting both mobile and hardware wallet users, The researchers ultimately The seed phrase stored on the service’s servers was reported to have been compromised. months agothe loss is Estimation It is said to have reached over $250 million in various cryptocurrencies.
Bitcoin figures have been pushing for stronger security systems, including hardware wallets, but many market participants are still not on board with the practice. Shezan Maredia, founder of a bitcoin financial services company lavabelieves there is a large gap between security product developers and the majority of the Bitcoin market.
“We’ve noticed that when it comes to hardware wallets and seed phrases, most people start to question their ability to govern themselves. Half of them won’t follow instructions very well, and the other half would simply prefer to use a custodian,” he said.
While security experts strongly advocate that private key material should remain offline at all times, Maledia suggests that the secure enclaves found in modern phones are sufficient to thwart the majority of attacks affecting users today.
“When we look at the common reasons why users lose funds, we rarely see examples of mobile keys being compromised.” Rather, he argues, it’s more likely that users don’t properly secure backups of their seed phrases or leak them during phishing attacks.
Seedless challenges and opportunities
Bitcoin products have undergone many improvements since Casa pioneered the seedless wallet approach several years ago, but so far few have followed in the company’s footsteps. Self-custodial applications are more robust than ever, but some changes have added extra steps to an already large learning curve. It’s worth wondering whether a nihilistic attitude toward security has reduced the practice to an unpalatable ritual for the general public.
Neumann is optimistic, suggesting that while he believes bitcoin products are lagging behind, it’s clear the industry is moving toward a more pragmatic approach.
“There are still quite a few wallets out there that force you to pre-save[your seed phrase]. I think this is a form of risk management for them, but it actually works against the goal of allowing users to hold their own keys with confidence.”
Either way, this trend suggests that the industry as a whole is beginning to recognize the risks of users handling sensitive information.Smart Wallet“” offers an interesting alternative to this new generation of products. Passkey is a new standard driven by internet giants such as Apple and Google that aims to replace traditional passwords with cryptographic keys that are tied to a user’s device and identity.
According to our research,estimate from Early Adopters This suggests the technology has yet to overcome key standardization issues, and Lava’s Maredia agrees there’s room for improvement. He recently announced a seedless solution that he believes offers the best security trade-off you can hope for on a mobile device.
Lava Vault is heavily inspired by old contributions from former Spiral developer Tankred Hase. Photon SDKPhoton implements seedless cloud backup similar to Casa’s initial implementation of a mobile key wallet, but it is fully open source, but has not been maintained for some time. Maredia is confident that the 2-of-2 solution it adopts from existing designs in the ecosystem will withstand most known attacks.
“We’ve looked at things like Passkey, but we don’t think it’s designed to protect critical key material like Bitcoin. Passkeys essentially exchange a secret for another secret, and are typically stored in a password manager. In practice, most password managers don’t handle passkeys well, and they can be easily deleted, even on iCloud.”
Lava protects users’ seed phrases with a high-entropy key stored on a separate server. Once encrypted, the seed is stored in a special directory on the user’s cloud, helping to prevent accidental deletion or malicious access. Users authenticate with a key server that enforces rate limits using a four-digit PIN of their choosing. Lava does not require the creation of an account, protecting users’ privacy from the service and its servers. In day-to-day operation, the wallet uses a separate key stored in the device’s Secure Enclave.
“Even if someone does gain access to encrypted information, they need to know the encryption key, so there’s no single point of failure. Forgetful users can set up a PIN recovery method that allows them to change their PIN after 30 days.”
Maredia expects security protocols to evolve in response to user needs and different risk profiles. Wallet policies such as 2FA, withdrawal and spending limits, and whitelisted addresses are already in the works. “Lava Smart Key is a very flexible solution, allowing users to easily upgrade their self-managed settings, and we also cater to users with specific requirements,” he explains.
Seedless backups have been criticized for exposing individuals to excessive third-party risk, but open source implementations such as the Photon SDK and Lava’s vault model suggest that more vendors and service providers could implement similar standards to mitigate this issue.
While seed phrases remain a critical element of your security stack, both entrepreneurs consulted for this article believe it’s essential to abstract seed phrases from most future users.
“We find seed phrases in general to be a very useful tool, both to make it easier to carry your keys between wallets and to provide an exit option if something goes wrong with the wallet software you’re using,” said Nick Newman, CEO of Casa.
To eliminate single points of failure, Casa is pushing for a combination of multisig plans that include hardware devices, but insists on adhering to seedless principles wherever possible.
“Wallet software is made to manage private keys. Humans are not made to manage private keys, so leave that job to the wallet.”
