May 16, 2023 - Economy & Business

Crypto hardware maker's recovery feature draws ire


A Ledger Nano S hardware wallet. Photo: Silas Stein/Getty

The leading hardware wallet maker, Ledger, announced a new feature on Tuesday that has crypto diehards in an uproar.

Driving the news: Ledger Recover is an opt-in system enabled on the Ledger Nano that will allow a user to recover a private key in a relatively safe way — in theory.

Be smart: Ledger is a hardware wallet designed for self-custody of cryptocurrency assets. Self-custody means that the user is responsible for stewarding their passwords — with no fallback.

  • There is a certain logic here. It's one thing to use classic password reset for something like a social media app. If the digital service you're using is effectively a closet full of gold, however, users should expect higher hurdles to restore access.

The intrigue: Crypto's faithful hate everything about this concept, particularly because Ledger has faced security problems in the past with data it stores.

Quick take: It also looks something like a poorly thought-out release. Including it in a firmware update for devices people already owned was unsettling.

  • People in crypto are also very conspiracy-minded and have a tendency to overreact.
  • What's more, the system relies on personal identification, which is never well received in this industry.

What they're saying: "A lot of the negative responses are coming from false assumptions or misconceptions around how the product works," Phillip Costigan, a Ledger spokesperson, told Axios.

  • Costigan emphasized that Recover is an opt-in service and Ledgers have always updated.
  • "Your Ledger is as safe as it has always been," he said.

How it works: Those who opt in to Recover theoretically won't have to trust any one company to completely secure their private key. In order to steal someone's assets, two companies would have to collude.

  • Ledger and two other companies will have three pieces of a user's private key. (One of them appears to be Coincover, which provides crypto protection and recovery products.)
  • Using cryptography, any two of those pieces can be combined to make the full key.
  • The upshot: Cybercriminals would need to hack two places in order to steal people's keys.

Catch up fast: In 2020, Ledger data on over 270,000 customers was lost via e-commerce partners.

Zoom out: Multi-signature wallets have been a solution for these sorts of issues for a while, though developers and designers are still working on how to implement them in a way that works for users accustomed to centralized password resets.

The bottom line: Longtime cryptopian and VC, Haseeb Qureshi, wrote a thread on Twitter about how — at first — the change freaked him out, but then he wrote: "Now I'm in the 'nvm it's fine' camp."

Editor's note: This story was updated with comment from Ledger.
