Connecting your crypto seed phrase to your passport. What could go wrong?
Hardware wallet provider Ledger has caused a stir online after releasing its latest Ledger Recover service in their latest firmware update.
In a nutshell, it’s an ID-based key recovery service that backs up users’ seed phrases. To use the service, users must provide a passport or national identity card to confirm their identity.
Three encrypted fragments will be trusted with custodians— Ledger, Coincover, and a third provider—some users are worried they now have to rely on the security of these companies.
"Each fragment is stored by the parties on hardware security modules (HSMs) which are essentially super-powered Ledgers," a Ledger spokesperson told Decrypt via email. "It's what we use for Ledger Enterprise. Each fragment is useless on its own, and can only be decrypted on a Ledger. They are completely safe."
While this service requires users to opt-in and pay a $9.99 monthly fee, some are concerned that this could even pose a security risk for those who don't opt in.
However, a Ledger spokesperson confirmed that for your seed phrase to be initiated into this process you must approve it directly on your Ledger—just like any other transaction.
Ledger suffered a data leak back in 2020 which exposed the phone numbers and physical addresses of nearly 300,000 customers as well as over 1 million email addresses.
"This is a disaster waiting to happen," said one Reddit user. "I can't actually believe what I'm reading, this seems absolutely crazy for a hardware wallet provider to encourage you to back up your seed phrase online AND give them your Passport/ID—especially one that has previously suffered a data breach!"
If this were to happen to Ledger Recover users, for example, the hacker could possibly use the service to "recover" the seed phrase.
"Exposing your seed phrase and then allowing anyone with your ID or Passport to regain access to the locked funds is a bad security posture," Adrian Hetman, tech lead triager at Web3 bug bounty platform ImmuneFi, told Decrypt. "ID theft is common and that would expose crypto users to a new form of attack."
Ledger has, however, rejected that this is a security risk as your government ID is only one part of the process.
"We also have full liveness detection, where you use your camera and it gives you randomized prompts that can't be faked or pre-recorded," a Ledger spokesperson told Decrypt. "This is reviewed by technology and also by humans to ensure a match before the recovery process is initiated. So, someone stealing your ID will not be able to recover your [Secret Recovery Phrase] SRP."
Seed phrase recovery
While Ledger Recover is catching heat, seed phrase recovery as a concept isn't entirely doomed.
Social recovery, used by Vitalik Buterin, allows you to delegate a number of wallets you trust—these are called guardians—that can approve the recovery of your wallet. Your guardians could be other wallets you control or friends and family members that you trust.
"Generally, I feel like Social Recovery, as proposed in EIP-4337 is a really great idea and I love it, as it brings the user experience to a more standard model of how the current banking system UX works while still being secure," Hetman said. "You’re still in control and you can choose any party of your liking you can trust."
The key difference here is that the user is able to choose their guardians as well as remove the potential security risk associated with providing their passport and identity card.
Editor's note: This article was updated on May 16, 2023, at 11:30 am ET to include comment from Ledger.