Conventional cash is a tangible asset. If a person drops some cash on the street, any fortunate onlooker can pick it up and purchase goods of equal value: one person’s loss is another’s gain. Losing a crypto wallet’s private key, on the other hand, is dire and can render the funds permanently inaccessible. Unlike cash, which governments can print as economic policy dictates, bitcoin’s supply is fixed: it is algorithmically capped at 21 million coins, which is part of what makes each coin valuable. In a 2010 forum post, Bitcoin’s creator Satoshi Nakamoto brushed aside users’ concerns about irretrievable bitcoins: “lost coins only make everyone else’s coins worth slightly more. Think of it as a donation to everyone.” One person’s loss is everyone’s gain.
In this article, we explore recovery methods that mitigate the risk of loss in self-custodial wallets, from the early methods built around mnemonic phrases to newer approaches that leverage Multi-Party Computation (MPC) and smart-contract-based guardians.
Early Recovery Methods
The early wallets, built for bitcoin aficionados, had limited recovery methods and relied on the user’s technical expertise to back up the private key safely. Hierarchical Deterministic (HD) wallets (BIP32, 2012) offered the first practical recovery method: every private key in the wallet is derived deterministically from a single seed, so a user who loses a key, or the whole wallet file, can regenerate all of them from the seed alone. The seed is in turn derived from a mnemonic phrase (BIP39) of twelve or twenty-four common English words, which carries a checksum that catches most transcription errors and is far easier to write down than raw bytes. Users safeguard these words offline, typically on paper, and are fully responsible for their safekeeping: anyone who reads the phrase controls the funds, and a phrase that is lost cannot be reconstructed.
As the cryptocurrency’s potential caught the attention of a larger and less technical population, custodial wallets emerged to meet their needs. Their solution was simple: users hand control of their private keys to the platform in exchange for a familiar recovery flow. Users on custodial platforms like Coinbase access their funds with a traditional username and password; if they forget their credentials, they reset them through email or a phone OTP, and the platform’s own key management is what stands between the funds and loss.
The downside for crypto natives is that the user does not actually control the funds they deposit on a custodial wallet. As the crypto adage goes, “not your keys, not your coins”: since the platform holds the private keys, it, not the user, has authority over the coins.
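The derivation chain described above, from entropy through the checksummed mnemonic to the seed and the BIP32 master key, as an added example in Python (it is not code from the article or from any wallet vendor). The full 2048-word BIP39 list is not embedded, so the index-level functions take integers and only a constructed four-word fragment of the list is resolved by name; the all-zero entropy and the passphrase “TREZOR” are the first published BIP39 test vector, so the printed seed can be checked against it.

```python
"""BIP39 checksum, seed derivation and the BIP32 master-key split.

Added example, not code from the article or from any wallet vendor. The full
2048-word BIP39 list is not embedded, so index-level functions take integers
and only a constructed four-word fragment of the list is resolved by name.
"""
import hashlib
import hmac
import unicodedata

# Constructed fragment of the English BIP39 list at its real positions.
WORDLIST_FRAGMENT = {"abandon": 0, "ability": 1, "able": 2, "about": 3}


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the SHA-256 checksum (ENT/32 bits) and cut into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_are_valid(indices: list[int]) -> bool:
    """Recompute the checksum from the entropy bits: a mistyped word usually fails."""
    total = 11 * len(indices)
    if total % 33:
        return False
    cs_bits = total // 33
    ent_bits = total - cs_bits
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            return False
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected


def words_to_indices(words: list[str]) -> list[int]:
    """Resolve words against the fragment; raises KeyError for anything outside it."""
    return [WORDLIST_FRAGMENT[w] for w in words]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 root: HMAC-SHA512 keyed with 'Bitcoin seed'. Left half is the master
    private key, right half the chain code from which every child key derives."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


if __name__ == "__main__":
    entropy = bytes(16)                        # constructed all-zero entropy (BIP39 vector 1)
    indices = entropy_to_indices(entropy)      # eleven times 0 ("abandon"), then 3 ("about")
    phrase = ["abandon"] * 11 + ["about"]
    print(indices == words_to_indices(phrase), indices_are_valid(indices))
    print(indices_are_valid(indices[:-1] + [2]))          # "able" for "about": checksum fails
    seed = mnemonic_to_seed(" ".join(phrase), "TREZOR")   # passphrase of the reference vectors
    print(seed.hex())
    master_key, chain_code = bip32_master(seed)
```

The checksum is only 4 bits for a 12-word phrase, so roughly one wrong word in sixteen still validates; it is a guard against transcription slips, not a substitute for keeping the phrase intact. Note also that the passphrase is mixed in only at the PBKDF2 step: the same twelve words with a different passphrase yield a completely different wallet, which is a second thing the user has to remember.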
Newer Recovery Methods
In recent years, users have turned to self-custodial wallets that allow complete control over their funds. But this comes at the price of users having to secure their own private keys. This has proved to be challenging. In response to stockbroker Peter Schiff tweeting that he lost access to all his bitcoin due to a corrupted wallet file, Vitalik Buterin commented on the need for better recovery methods:
“Disappointed at people replying to this with “crypto is what it is, it’s your job to be super-careful and write down backup seeds in three places.” We can and should create better wallet tech to make security easier.”
Newer wallet providers understand the user demand for improved account recovery methods.
Backup to iCloud
One way wallet providers improve account recovery is by building tools that place a copy of the wallet secret on an established cloud service. The self-custodial Rainbow Wallet has built-in functionality that lets users choose a backup password and store their seed phrase, encrypted with that password, in iCloud. To recover the wallet later, the user signs in to iCloud again, and the application fetches the backup and decrypts it with the backup password.
But using a cloud service as the fallback for account recovery comes with risks: whoever controls the cloud account controls the backup. In April, scammers phished $650,000 worth of crypto assets from a trader’s MetaMask wallet after posing as Apple support staff and obtaining his iCloud credentials, which gave them the wallet data backed up there.
These incidents underscore that while seed phrases and automatic backups simplify wallet recovery, each of them remains a single point of failure: whoever holds the phrase, or the account it is backed up to, holds the funds.
Multi-party Computation (and Social Login)
Modern wallet providers have built platforms that keep a complete private key from ever existing in one place, using Multi-Party Computation (MPC), a technique that dates back to the 1980s. ZenGo, a self-custodial wallet launched in 2019, uses it to offer “keyless” wallets. The key is generated as two or more shares, one held on ZenGo’s servers and the other on the user’s phone or in the user’s cloud storage; the shares are never combined, and both must take part in a joint signing protocol to authorize a transaction. Keeping the shares with separate parties is what provides the security, but it also means both parties must be online for every signature, whereas the co-signers of a multi-sig wallet can each sign independently at different times.
If users lose their key share, they can recover it by verifying their identity with a biometric facial scan, or from a recovery file ZenGo stores in the user’s default cloud storage. That said, storing recovery material in cloud storage is also precarious: the file can be deleted or corrupted, and the cloud account itself becomes part of the attack surface.
Other MPC solutions have gone on to store key shares behind social logins (Google, Facebook, etc.) or on additional devices or networks. With Coinbase introducing an MPC solution for its centralized-exchange (CeFi) users, and enterprise infrastructure providers such as Fireblocks offering MPC custody, MPC wallets have gained considerable popularity, accelerating adoption of the architecture as a potential long-term solution.
In parallel with MPC, social recovery methods have appeared, mostly within smart contract wallets such as Argent.
For social recovery to supersede the existing methods it must offer three things: it must be distributed, it must allow frictionless transactions, and it must not require users to diverge from their existing behavioural patterns.
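The share-separation property that the MPC wallets above rely on, as an added example in Python (it is not ZenGo’s, Coinbase’s or Fireblocks’ code). A production MPC wallet never reassembles the key: its shares run a threshold-signature protocol and only a signature leaves the parties. Shamir sharing of the private-key scalar shows the underlying property in a form one can run: any t shares determine the scalar, and t-1 shares say nothing about it. The 2-of-2 split models the server-plus-phone arrangement, and the 2-of-3 split models a third share kept in cloud storage for recovering a lost phone share; the scalar is a constructed value.

```python
"""Threshold sharing of a private-key scalar (added example, not vendor code).

Production MPC wallets never rebuild the key; their shares take part in a
threshold-signature protocol. Shamir sharing shows only the property that
protocol relies on: t shares reconstruct the scalar, t-1 shares leak nothing.
"""
import secrets

# Group order of secp256k1; bitcoin and Ethereum private keys are scalars mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(secret: int, t: int, n: int) -> list[tuple[int, int]]:
    """Split secret into n shares (x, f(x)) of which any t reconstruct it.
    f is a random polynomial of degree t-1 whose constant term is the secret."""
    if not 1 <= t <= n < N:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(t - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod N
            acc = (acc * x + c) % N
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; pass at least t shares with distinct x."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def polynomial_through(share: tuple[int, int], candidate_secret: int) -> int:
    """For t = 2: the slope a1 of the line with f(0) = candidate_secret that
    passes through the share. One always exists, so a single share is
    consistent with every possible secret and on its own reveals nothing."""
    x, y = share
    return (y - candidate_secret) * pow(x, -1, N) % N


def evaluate_line(secret: int, a1: int, x: int) -> int:
    return (secret + a1 * x) % N


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1            # constructed private-key scalar
    # 2-of-2, the server + phone arrangement: both shares are needed.
    server, phone = split_key(key, t=2, n=2)
    print(reconstruct([server, phone]) == key)
    # 2-of-3: a third share in cloud storage stands in for a lost phone share.
    server, phone, cloud = split_key(key, t=2, n=3)
    print(reconstruct([server, cloud]) == key)
    # The phone share alone fits the secret 42 just as well as it fits key.
    a1 = polynomial_through(phone, 42)
    print(evaluate_line(42, a1, phone[0]) == phone[1])
```

The caveat the article raises about availability follows directly from the arithmetic: with t = 2 and two shares, a signing session needs both holders present, and a recovery share in cloud storage turns that storage into a second path to the key, which is exactly why the vendors gate it behind biometrics or social login.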
Self-custodial smart contract wallets Argent (launched in 2018) and Loopring pioneered social recovery wallets, a class of recovery method advocated by Vitalik Buterin. On sign-up, users receive a “signing key” with which they perform transactions. They also elect at least three “guardians”: individuals, hardware wallets, or other parties that have no access to the user’s assets but can perform a pre-selected set of security actions. Guardians are not told who the other guardians are, which makes it harder for them to collude against the account. Only the user can add or remove guardians (identified by their Ethereum addresses), and each change takes 36 hours to take effect, so an unwelcome change can be cancelled before it lands.
Guardians have a broad remit that protects wallet owners from theft on several fronts. Users can configure a security profile so that high-value transfers to untrusted addresses require guardian approval. The same protection extends to decentralized applications (dapps): the owner can maintain a guardian-approved list of trusted dapps for safer interactions. If the user wants to perform a quick sequence of actions without repeated guardian approvals, they can open a trusted session, for an hour, three hours, or a year, that issues a temporary key valid for that duration. Guardians can also lock and unlock the wallet to block all transactions, a powerful safeguard if the owner’s phone is lost or stolen.
Guardians also make wallet recovery straightforward and safe. If the owner loses their signing key, a majority of the guardians can vote to replace it; the old key is discarded and the user transacts with the new one. The workflow works because nobody has to learn unusual habits. It also covers the owner’s death: family members can retrieve the wallet contents through the guardians. However, recovery is performed by the guardians as an on-chain transaction on Ethereum L1, and gas fees can be expensive; when the network is congested, a recovery can cost up to $100.
Argent also introduced a free off-chain recovery method that uses cloud storage providers like iCloud but adds a second, independently held secret. On setup, Argent generates a random key-encryption key (KEK) and encrypts the user’s private key with it. The encrypted key is uploaded to iCloud, and the KEK, which is required to decrypt it, is sent to Argent’s servers. On recovery, the app fetches the encrypted key from the cloud provider and verifies the owner’s identity with two-factor authentication; once verified, Argent releases the KEK to the app after a 48-hour delay, and access is restored. An attacker who takes over the user’s iCloud obtains only ciphertext: to use it they would also have to pass 2FA and wait out the two-day delay, which gives the owner time to intervene. Although this method sidesteps guardians, it gives users an alternative recovery path.
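The guardian rules described in the three paragraphs above (owner-only, time-locked guardian changes; guardian lock and unlock; majority recovery that discards the old signing key), as an added model in Python. It is not Argent’s or Loopring’s contract code: time is an integer number of seconds supplied by the caller so the 36-hour delay can be exercised without waiting, “majority” is taken as more than half of the guardians, and the guardian names and keys are constructed.

```python
"""Authorization rules of a social-recovery wallet (added example, not a
vendor's contract). Time is caller-supplied seconds; majority means more
than half of the guardians, an assumption of this model."""
HOUR = 3600
GUARDIAN_CHANGE_DELAY = 36 * HOUR      # security period before a guardian change lands


class SocialRecoveryWallet:
    def __init__(self, signing_key: str, guardians: set[str]):
        if len(guardians) < 3:
            raise ValueError("elect at least three guardians")
        self.signing_key = signing_key
        self.guardians = set(guardians)
        self.locked = False
        self.pending_change = None                       # (op, guardian, executable_at)
        self.recovery_votes: dict[str, set[str]] = {}    # proposed key -> backing guardians

    def majority(self) -> int:
        return len(self.guardians) // 2 + 1

    # Spending: only the current signing key, and only while the wallet is unlocked.
    def execute(self, signer: str, tx: str) -> bool:
        return signer == self.signing_key and not self.locked

    # Guardian management: owner only, time-locked, cancellable until it lands.
    def request_guardian_change(self, signer: str, op: str, guardian: str, now: int) -> None:
        if signer != self.signing_key:
            raise PermissionError("only the wallet owner changes guardians")
        if op not in ("add", "remove"):
            raise ValueError(op)
        self.pending_change = (op, guardian, now + GUARDIAN_CHANGE_DELAY)

    def cancel_guardian_change(self, signer: str) -> None:
        if signer != self.signing_key:
            raise PermissionError("only the wallet owner cancels")
        self.pending_change = None

    def finalize_guardian_change(self, now: int) -> bool:
        """Anyone may finalize once the delay has elapsed; returns whether it did."""
        if self.pending_change is None:
            return False
        op, guardian, executable_at = self.pending_change
        if now < executable_at:
            return False
        if op == "add":
            self.guardians.add(guardian)
        else:
            self.guardians.discard(guardian)
        self.pending_change = None
        self.recovery_votes.clear()       # votes cast by a removed guardian must not linger
        return True

    # Guardian powers: freeze the wallet; replace a lost signing key by majority vote.
    def set_lock(self, guardian: str, locked: bool) -> None:
        if guardian not in self.guardians:
            raise PermissionError("not a guardian")
        self.locked = locked

    def vote_recovery(self, guardian: str, new_key: str) -> bool:
        """True once a majority backs new_key; the old key is discarded at that point."""
        if guardian not in self.guardians:
            raise PermissionError("not a guardian")
        backers = self.recovery_votes.setdefault(new_key, set())
        backers.add(guardian)
        if len(backers) < self.majority():
            return False
        self.signing_key = new_key
        self.recovery_votes.clear()
        return True


def stolen_phone_scenario() -> dict[str, bool]:
    """Phone stolen: a guardian locks, a majority rotates the key, a guardian is added."""
    w = SocialRecoveryWallet("owner-key-1", {"alice", "bob", "carol"})   # constructed names
    w.set_lock("alice", True)
    out = {"thief_blocked_while_locked": not w.execute("owner-key-1", "send 1 ETH")}
    out["one_vote_is_not_enough"] = not w.vote_recovery("alice", "owner-key-2")
    out["majority_rotates_key"] = w.vote_recovery("bob", "owner-key-2")
    w.set_lock("bob", False)
    out["old_key_rejected"] = not w.execute("owner-key-1", "send 1 ETH")
    out["new_key_accepted"] = w.execute("owner-key-2", "send 1 ETH")
    w.request_guardian_change("owner-key-2", "add", "dave", now=0)
    out["change_blocked_before_36h"] = not w.finalize_guardian_change(now=35 * HOUR)
    out["change_lands_at_36h"] = w.finalize_guardian_change(now=36 * HOUR)
    out["majority_now_three"] = w.majority() == 3
    return out


if __name__ == "__main__":
    for step, ok in stolen_phone_scenario().items():
        print(f"{step}: {ok}")
```

The model makes the griefing risk discussed later on the page concrete: `set_lock` needs only one guardian, and `vote_recovery` needs only a majority of them, so any majority that can find each other can both freeze the wallet and move it to a key of their choosing, with nothing in the rules that distinguishes a rescue from a takeover.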
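The split described above, as an added example in Python (it is not Argent’s code): the cloud provider stores only ciphertext, a second party stores only the KEK, and the KEK is released after a second factor and a 48-hour delay. The HMAC-based wrapping stands in for AES-GCM so the block needs only the standard library; each KEK wraps exactly one key, so the pad is never reused. The second factor is RFC 4226 HOTP. The user name, the secrets, and the owner’s ability to cancel a pending release during the delay are assumptions of this example.

```python
"""Off-chain backup with a key-encryption key (KEK) held by a second party.

Added example, not Argent's code. The 32-byte private key is wrapped with an
HMAC-derived pad plus an HMAC tag as a standard-library stand-in for AES-GCM;
each KEK wraps one key only. Names, secrets and owner cancellation are assumed.
"""
import hashlib
import hmac
from typing import Optional

RELEASE_DELAY = 48 * 3600                                                    # seconds
DEMO_PRIVATE_KEY = hashlib.sha256(b"constructed private key").digest()      # constructed
DEMO_KEK = hashlib.sha256(b"constructed kek").digest()   # constructed; real code: secrets.token_bytes(32)


def _subkey(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()


def wrap(kek: bytes, private_key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte key under a 32-byte KEK; returns ct || tag."""
    if len(kek) != 32 or len(private_key) != 32:
        raise ValueError("kek and private key must be 32 bytes")
    ct = bytes(a ^ b for a, b in zip(private_key, _subkey(kek, b"pad")))
    tag = hmac.new(_subkey(kek, b"mac"), ct, hashlib.sha256).digest()
    return ct + tag


def verify_tag(kek: bytes, blob: bytes) -> bool:
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(_subkey(kek, b"mac"), ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; wrong KEK or tampering raises."""
    if not verify_tag(kek, blob):
        raise ValueError("backup tampered with, or wrong KEK")
    return bytes(a ^ b for a, b in zip(blob[:32], _subkey(kek, b"pad")))


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 six-digit code, the second factor presented at recovery time."""
    h = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = h[-1] & 0x0F
    code = int.from_bytes(h[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


class KekServer:
    """The KEK holder (Argent's role). It never sees the ciphertext, which lives
    with the cloud provider, and releases a KEK only after 2FA and the delay."""

    def __init__(self) -> None:
        self.kek: dict[str, bytes] = {}
        self.otp_secret: dict[str, bytes] = {}
        self.counter: dict[str, int] = {}
        self.release_at: dict[str, int] = {}

    def enroll(self, user: str, kek: bytes, otp_secret: bytes) -> None:
        self.kek[user] = kek
        self.otp_secret[user] = otp_secret
        self.counter[user] = 0

    def request_release(self, user: str, code: str, now: int) -> bool:
        if user not in self.kek:
            return False
        if not hmac.compare_digest(code, hotp(self.otp_secret[user], self.counter[user])):
            return False
        self.counter[user] += 1                   # each code is accepted once
        self.release_at[user] = now + RELEASE_DELAY
        return True

    def cancel_release(self, user: str) -> None:
        """Owner, alerted to a request they did not make, stops the clock."""
        self.release_at.pop(user, None)

    def release(self, user: str, now: int) -> Optional[bytes]:
        due = self.release_at.get(user)
        if due is None or now < due:
            return None
        return self.kek[user]


def recover_flow(otp_secret: bytes, code: str, request_now: int, release_now: int) -> Optional[bytes]:
    """Whole flow on constructed data: enrol, park ciphertext 'in iCloud', present
    the code, come back later for the KEK, decrypt. None where any step refuses."""
    icloud_blob = wrap(DEMO_KEK, DEMO_PRIVATE_KEY)        # what the cloud provider holds
    server = KekServer()
    server.enroll("alice", DEMO_KEK, otp_secret)          # what the second party holds
    if not server.request_release("alice", code, request_now):
        return None
    kek = server.release("alice", release_now)
    return None if kek is None else unwrap(kek, icloud_blob)


if __name__ == "__main__":
    secret = b"constructed otp secret"
    print(recover_flow(secret, hotp(secret, 0), 0, RELEASE_DELAY - 1))                   # None: too early
    print(recover_flow(secret, hotp(secret, 0), 0, RELEASE_DELAY) == DEMO_PRIVATE_KEY)   # True
```

The two parties hold complementary halves of the problem: the cloud account yields a blob that `unwrap` rejects without the KEK, and the KEK holder has nothing to decrypt. What the delay buys is time, so it only helps if the owner is actually notified of a pending release and can cancel it; a silent 48 hours is no better than none.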
Vitalik endorses social recovery wallets because they embody “crypto values”: interacting with the blockchain is a communal rather than an individual endeavour. In his blog post he likens social recovery to how humans are wired, since brains are better at maintaining relationships than at memorizing strings of words.
Adding guardians to your wallet can be cumbersome: you have to find people you trust sufficiently and who understand how crypto wallets work. Trusting a human guardian for the lifetime of the wallet is tricky, as money can strain even the strongest relationships; a user’s social circle changes over time, and periodically re-evaluating whether each guardian is still trustworthy is inconvenient. The wallet also makes no guarantee against collusion among guardians who manage to identify one another: a guardian, or a group of them, can lock the wallet and extort the owner, a manoeuvre known as a “griefing attack”. Social recovery wallets let users act as their own guardians by electing their own hardware wallet or MetaMask account, but that sidesteps the communal experience Vitalik championed.
Where we go from here
Recovery is a key hurdle self-custodial wallets must overcome to appeal to a broader, non-crypto-native audience. There is enormous power in public/private-key architecture, but abstracting the private key away from the user, whether through MPC or through social recovery, looks like the path forward.