We entrust our information to third-party services, who do everything in their power to protect it from cyber-attacks. While this is very convenient, the truth is that we only have their word and a combination of legal, administrative, and technical safeguards. Lately, our trust in third party custodians to keep our information has been slowly declining as it was the case with the people who woke up one day to find out that their Cyprus bank accounts have been raided by another country’s government or the Canadian truckers who lost their rights to transact.
In this article we dive deeper into the reasons behind the security issues and offer ways how users can ensure the safety of their private keys.
Why is data ownership an issue?
The main advantage of decentralized technology, the fact that we have the ownership of our information, is also its biggest weakness and one of the reasons why massive adoption did not gain that much traction. We heard a lot of stories about people losing value kept on decentralized networks, like this guy who threw out his hard drive to later rummage through a garbage dump to be rich, or a developer who forgot his password for his crypto wallet and had only 2 more chances to type in the right password before it’s lost forever.
Another interesting case is the attack that happened in 2016, when a hacker made away with more than 119,000 Bitcoin, where, consequently, Bitfinex allocated losses of more than 30 percent to all customer accounts. There are many victims who still have not reclaimed their assets which, in the meantime, have surged in value.
In essence, when creating a wallet, you are assigned a stream of random numbers which are used in the algorithms for transaction signing and proving ownership. This unique stream of numbers is called a Private Key and is used in Private-Public Key encryption. Only this number can identify the user on the decentralized network and authenticate actions on it. The likelihood of someone else generating the same number is infinitesimally small. You guessed it right — when this key is lost, there is no one who can authenticate with the network to unlock the value attached to that key.
*(Hash Function is a mathematical algorithm that maps data of an arbitrary size (often called the “message”) to a bit array of a fixed size (the “hash value”, “hash”, or “message digest”))
There are a few ways the misplacement or the loss of this key (which then locks the value into the blockchain) can be minimized. However, we need to keep in mind that the ability to fully secure digital wallets is mission-critical. Here are some of them:
Custodial wallets
The easiest way to keep your assets is to entrust security to a third party, custodian, who will keep them, lowering the chances of its loss. This, however, diminishes the purpose and the value of decentralized networks, where the user has the ownership over their data. In other words, malicious entities can gain access to the third-party service — it becomes more enticing target as the number of users grow, or the third-party service might go rogue.
Non-custodial wallets
Non-custodial wallet allows users to keep the Private key in one place only they can access. It can be additionally protected with a PIN or passphrase. They provide security and utility when interacting with blockchains. A wallet can work with multiple blockchains simultaneously including Ethereum & Alt. Coins, Bitcoin, Solana, and more, all on the same device.
Non-custodial wallets can be:
- Software solutions
- Complete hardware solutions (where the key never leaves the device)
The hardware solution has the highest security, after paper wallets. Should a thief take possession of your hardware wallet, it’s nearly impossible for them to extract your keys. The keys are never exposed to the host machine and therefore to the internet, so they can’t be stolen.
The users can also create their own hardware wallet by air-gaping a device from the network and using another device to interact with the network, while communication between the two uses QR code.
While hardware wallets seem to be quite an effective method, it might be a bit cumbersome because users always need two devices to interact with the network. Imagine making personal interaction through the devices to send your friend an NFT or pay for a coffee at a bar.
On the other hand, software solutions are easier to use, but the private key is on a device that is connected to the internet, and therefore can be more easily compromised.
*(Complete hardware solutions (where the key never leaves the device) — example of a hardware wallet — Ledger Nano S)
How to back up private keys
Many of non-custodial solutions provide the user with a mnemonic phrase consisting of 12 or 24 words (usually in English), depending on the security preferences of the user. These words are shown and verified to the user at the time of the wallet creation. The same Private key can be recreated using these words by going through an algorithm — it essentially works as a backup phrase. The safekeeping of these backup phrases is trusted upon the user, which means that, if access to the wallet and the phrases are lost at the same time, the valuables also get lost.
Key loss recovery solutions
It is recommended not to keep a digital copy of this mnemonic on some device or on the cloud, as this allows malicious users to gain access to it more easily than to the physical copy of it. The most effective and safe solution is to write it down. There are services that can engrave it in something more permanent, but the most common solution is probably the paper. The mnemonic phrase can be made safer by keeping multiple copies and can also be split up and stored in many places.
The key can also be split up into multiple parts and each part sent to a different cloud service, from where it can be recovered and merged to get the private key. This, though, requires a setup to keep the order of the parts and access to all used cloud solutions.
Distributed backup solutions
Multi-signature technology is another way of keeping valuables more resilient to cyber-attacks or loss. These are advanced algorithms allowing multiple keys to authenticate operations for the same data, which adds another layer of security and backup. Most frequently, crypto exchanges, brokers/OTCs, investment funds and other crypto companies use multi-signature technology to secure their cold storage funds.
For example, a company can have multiple keys needed to sign transactions.
- Small value transaction can be signed by any accountant
- Larger value transactions can be signed with both an accountant’s and a supervisor’s key
- Big company investments that involve a board of directors where 4 of the 12 members need to approve the transaction
There can be many more combinations allowing high customization of the need for security and backup purposes, so people can sleep better knowing their digital values are safe.
Private key safety made simple
One of our clients wanted to make the whole process even safer by allowing the user to use hardware wallet without having to work with the mnemonic phrase. They came up with an idea to offer users two separate cards, hardware wallets, that can generate the same private key inside of them without ever exposing it to the outside world. This would allow users to use one card when they are making transactions and if that card gets stolen, or lost, they will have the backup, the other card which they have previously placed in a safe or some other secure place.
The client approached us to help them develop an application with a user-friendly interface that could perform a variety of advanced functionalities. We developed a complete iOS companion application that allows users to do transactions on Blockchain networks. The solution supports Bitcoin and Ethereum, and the user can, in CLI, use more granular commands, including working with smart contracts and the EOS network. At its core, it is a modern crypto wallet that uses our client’s cards for transaction signing. We wanted to develop the most efficient solution that would allow users to manage these two cards.
Ultimately, this software would provide users with the backup solution that should reduce their effort to keep the key safe, and therefore keep their assets safe regardless of whether their primary card gets stolen or lost.
Security without compromise
There is no one correct way of keeping the private key safe. The key’s safety depends on the risk tolerance of the person holding it. A good strategy is to have multiple different wallets and combine safety with ease of use depending on the situation.
As trends of adopting web3 technology (where the basis is the Private-Public key encryption) are speeding up, institutions will need to focus on implementing better and simple-to-handle solutions, missing links that will give them the assurance they can have an impenetrable and highly secure infrastructure.
Reach out to us to learn how we can help you unlock the potential of web3.
