Crypto hardware maker's recovery feature draws ire
The leading hardware wallet maker, Ledger, announced a new feature on Tuesday that has crypto diehards in an uproar.
Driving the news: Ledger Recover is an opt-in system enabled on the Ledger Nano that will allow a user to recover a private key in a relatively safe way — in theory.
Be smart: Ledger is a hardware wallet designed for self-custody of cryptocurrency assets. Self-custody means that the user is responsible for stewarding their passwords — with no fallback.
- There is a certain logic here. It's one thing to use classic password reset for something like a social media app. If the digital service you're using is effectively a closet full of gold, however, users should expect higher hurdles to restore access.
The intrigue: Crypto's faithful hate everything about this concept, particularly because Ledger has faced security problems in the past with data it stores.
Quick take: It also looks something like a poorly thought-out release. Including it in a firmware update for devices people already owned was unsettling.
- People in crypto are also very conspiracy-minded and have a tendency to overreact.
- And more, the system relies on personal identification, which is never well received in this industry.
What they're saying: "A lot of the negative responses are coming from false assumptions or misconceptions around how the product works," Phillip Costigan, a Ledger spokesperson, told Axios.
- Costigan emphasized that Recover is an opt-in service and Ledgers have always updated.
- "Your Ledger is as safe as it has always been," he said.
How it works: Those who opt in to Recover theoretically won't have to trust any one company to completely secure their private key. In order to steal someone's assets, two companies would have to collude.
- Ledger and two other companies will have three pieces of a user's private key. (One of them appears to be Coincover, which provides crypto protection and recovery products.)
- Using cryptography, any two of those pieces can be combined to make the full key.
- The upshot: Cybercriminals would need to hack two places in order to steal people's keys.
Catch up fast: In 2020, Ledger data on over 270,000 customers was lost via e-commerce partners.
- Cybercriminals then took advantage of this data and the known hack to create a very sophisticated phishing campaign that targeted Ledger users.
Zoom out: Multi-signature wallets have been a solution for these sorts of issues for a while, though developers and designers are still working on how to implement them in a way that works for users accustomed to centralized password resets.
The bottom line: Longtime cryptopian and VC, Haseeb Qureshi, wrote a thread on Twitter about how — at first — the change freaked him out, but then he wrote: "Now I'm in the 'nvm it's fine' camp."
Editor's note: This story was updated with comment from Ledger.