Ledger Recover: UX Upgrade or Potential Risk

That’s what happened yesterday:

It all kicked off when Ledger announced its most controversial feature yet: Ledger Recover​​. 

This functionality is promoted as a way to recover your private key/seed phrase without compromising safety. One of crypto’s UX problems has always been that if you don’t remember your seed phrase and lose your device, your funds are gone forever. 

Because blockchains give you the freedom to custody your own assets, they also give you the responsibility to handle your own safety: There’s no password reset, security question or customer support. 

Ledger Recover wants to be that password reset system without lowering security. It’s an opt-in system that's integrated into your Ledger Nano, which offers a method to recover your private key with your passport or ID. 

Here’s how it works:

1. You verify your identity to initiate the Recover process
2. The Ledger device duplicates and encrypts your secret recovery phrase.
3. The encrypted duplicate is fragmented into three parts. 
4. Each fragment is stored by Ledger, Coincover and a third party.
5. To restore your seed phrase (and access your funds), two of the parties need to collude to decrypt. 
6. When you lose your seed phrase, you can verify your identity again and will receive your recovery phrase.

Many in web3 got suspicious: Sure, your seed phrase is encrypted… but shouldn’t you never share your seed phrase?

Crypto enthusiasts started calling the program a backdoor and accused Ledger of violating their principles, especially after Ledger said seed phrases could never leave the device:

Until recently, we had an assumption about hardware wallets: Store your coins on a Ledger and your seed phrase will always stay on the device. 

Now, some people are questioning those assumptions:

• Could a malicious software update extract a seed phrase?
• Do I need to ditch my Ledger? 

But on social media, the loudest voices and most extreme opinions always get the most attention. But is Ledger Recover actually a risk? 

First, it’s an opt-in program. You don’t have to use Ledger Recover. Keep it turned off and your hardware wallet works the same as always. You’re not exposed to any risk and your seed phrase stays where it’s always been. 

What is different is that we now know that a Ledger can encrypt seed phrases and send them elsewhere. It’d be exceptionally difficult to exploit this, but bad actors have always been inventive. 

That being said, Ledger probably has good intentions here: To onboard new users, we need to make web3 safer and easier. And something like Ledger Recover certainly gives users a sense of safety, even when they lose their Ledger device. 

That’s why some web3 users are starting to look elsewhere to simplify recovering their keys. One idea is a smart contract multi-signature wallet.

‍

Smart Contract Wallets: Next-Gen Security?

A Safe is a smart contract that only executes transactions when multiple signers agree. If you set it to execute with 2 out of 3, it’s like a physical safe with 3 locks and 3 keys. As long as you have any 2 keys, you can open the lock. 

With the right settings, your signers can also nominate new signers. That means you could lose one signer (e.g. a Ledger) and use 2 others (which could be friends’ wallets or other hardware wallets) to authorize a new hardware wallet. 

This is how Ledger Recover works in the backend, but gives you more control with similar safety. 

While all of these considerations make recovery easier and keep you losing your funds permanently, they don’t keep you from signing malicious contracts. 

Just like a physical safe in your house doesn’t keep you safe from opening it and handing someone all your money, a hardware wallet (or smart contract wallet) doesn’t keep you safe from smart contracts that steal your assets. 

To keep yourself safe from that, download a transaction simulator like Fire. That way, you always know what you’re signing and never give the wrong people access to your assets.