Ask this question to anyone worth their salt in the bitcoin world and you’re likely to get a stern talking to if not worse. It flies in the face of everything that bitcoin, cryptocurrencies and blockchain in general stand for; a decentralized world where the consumer is in total control of their data. No more centralized servers just waiting to be hacked and spewing forth sensitive information.
The concept is a noble cause and in a time of facebook scandals, social security data breaches and stolen credit cards it’s an ideal we should be striving for. But can the scales tip too far in favor of security?
“Can the scales tip too far in favor of security”
At the heart of blockchain is the use of public-key cryptography and the two are inexorably intertwined. I’m not going to cover how public-key cryptography works or go into great detail on how its used in the blockchain but you can find out more about that here. In short, your private key is the most important piece of information you have as without it you can no longer access your account or the funds in it. What’s more, for all intents and purposes, it is practically impossible to guess it, derive it, or somehow crack it to regain access without the key. Ironically, this level of security is also a security weakness because if anyone gets access to your key…. well, now your account belongs to them.
“if anyone gets access to your key…. well, now your account belongs to them”
There are various techniques to make this more secure like using “multi-sig” wallets that require 2 or more private keys to be used to execute any important change and while these techniques reduce the risk that someone might make off with your funds if they happen upon your key, it does less to resolve the issue of losing access to your own account.
The usual approach by the large majority of platforms is upon account creation, to generate the private key for the user and then ask the user to save a 12 word mnemonic which can be later used to regenerate the same private key if lost. I’ll admit that this is a little more friendly than asking the user to write down a long string of hexadecimal characters but we’re really just putting a band-aid over the underlying problem. Just one letter of one word left out or misspelled or a year later when the user forgets where they wrote down or saved the mnemonic means irreversible lock-out.
example of a 12 word mnemonic. (image courtesy of https://bit.ly/2SLpiTa)
And we’re back to the question in the title of this article: Should consumers be trusted with their private keys?
When we look at the question from a security and information privacy perspective the answer is most likely going to be yes. By having the user own and be responsible for their own key there is zero chance that a system level hack can result in the breach of sensitive information of thousands of users. There is zero chance that the service provider, who you have your account with, can access or use your sensitive data in misguided ways. However, when we look at this question from a product development or a user experience standpoint the answer is not quite as clear.
Imagine for a second that you’re a loyal customer of Chase bank. Your paycheck gets deposited into your account, you’ve got your savings there for an upcoming family vacation and of course all of your credit cards for your day to day spending. You recently had a prompt that asked you to update your password and so you did. You even saved the new password in your password manager….or at least you thought you did. You go to log into your online account — ‘Incorrect username or password’. You check your password manager only to realize that you never hit save and it still has your old password. Unfortunately there’s no link for forgotten passwords so you call up Chase and tell customer support that you forgot your password and need to reset it to get access to your account again.
The customer support agent calmly proceeds to tell you that unfortunately without your password you won’t be able to access your account and surprisingly there’s no way they can access it either. And just like that, it’s gone: the paychecks, the family holiday, your credit cards. I certainly wouldn’t settle for this, would you?
Now this might sound a little far fetched but the fact is users will forget things, users’ won’t always follow instructions carefully, and it’s almost certain that they’re going to come to you for help. And when they find out that you can’t help them to get their money back…well let’s just say I don’t envy you. I worry that type of situation may be a ticking time bomb just waiting to happen. Perhaps we’re still early enough that most of the users are sufficiently technically savvy to understand fully the risks of losing your private key but as more and more people get introduced to blockchain based assets this problem is just going to grow.
So when we think about security it’s important to take a step back and question how much security do we really need. You could install metal detectors at each entrance of your home and 6 different locks with retinal scans and thumb print id to access your front door because these things would make your home more secure but of course you don’t because clearly it isn’t practical.
It’s important to take a step back and question how much security do we really need.
Would we be willing to sacrifice a little security for a better experience? How much security should we sacrifice? Can we actually measure the added risk that we’re introducing?
The amount of time required to crack a 12 word mnemonic
I’m happy to see that some platforms are already starting to take steps in this direction. The StellarX decentralized exchange has a fairly elegant way of handling private keys because they have the unique use case of needing to execute actions on behalf of the users’ accounts. The approach used allows the service to work across any device without any action required by the user (this might sound like a given because in fact it is for almost every cloud based service we use today, except sadly it’s not for the majority of blockchain Apps and dApps). StellarX allows the user to choose how much security they want and the decision is made clear that there is a trade off between convenience and security. The important point here is that the decision is left to the user. The default setting caters to the mainstream user, allowing more advanced users to increase their level of security if they wish. Even with the base level security, StellarX has ensured that the chance of anyone gaining access to a user’s account through a data breach of their server is incredibly small. If they did somehow gain access to one account they don’t immediately have access to all accounts. However, even with StellarX, and their multiple layers of security levels, at the base level it’s still left up to the user to be solely responsible for their private key. While it is still possible to reset your account password, without the 12 word mnemonic the user will never be able to gain access to their funds.
Clearly the right answer to the question of whether the consumer should be trusted with their private keys is: ‘It depends’. If the private key is protecting an account holding the customer’s personal funds, well then we should really assess whether the risk of loss of funds through a system level hack is greater than the risk of loss of funds through user error. On the other hand, if the private key is protecting personal information such as social security number that is otherwise known to the user, then perhaps the damage of losing access to the information is less than the damage from a public breach of that information.
Please don’t make the same mistake of GDPR and put your blinders on to the downstream ramifications of trying to solve one individual aspect of the problem without looking at the greater picture. Blockchain can be a revolution but it doesn’t need to come at the cost of customer experience.
“Blockchain can be a revolution but it doesn’t need to come at the cost of customer experience.”