In brief
- Seed phrases typically have to be written down, making them vulnerable to attackers.
- Using a card to sign blockchain transactions can bypass this vulnerability while appealing to new crypto users.
In the leadup to Dr. Karl Kreder's talk at Ethereal Summit on "Killing the Seed Phrase: Crypto's Biggest UX Challenge," the previous speaker made the point for him.
For years, people have been told not to write down their passwords for security reasons, Itamar Lesuisse, CEO of the Ethereum wallet Argent, pointed out. Now, many crypto companies are telling people to write down their seed phrases—a combination of random words that can be used to recover access to funds.
That's kind of bonkers, agreed Kreder, co-founder and VP of Hardware Engineering at GridPlus, a hardware/software company that creates wallets and other products for storing digital assets.
GridPlus got its start as a blockchain-based electric utility with aims to lower costs for its customers by cutting out intermediaries. (It currently has about 3,000 customers in Texas, said Kreder.) Because they're dealing with average customers, they needed an easy way to onboard them to a system that bypasses the bank.
Seed phrases weren't going to cut it. Said Kreder, "It is very difficult for me to explain a seed phrase to my parents: how it is used, why it is used, and how to deal with them."
Cards, however, are already regularly used in digital commerce and most people are familiar with them—there are credit cards, debit cards, and gift cards. Why not use one of those in a novel way?
"A seed phrase is prone to what I like to call a 'sock drawer attack,'" said Kreder, echoing Lesuisse's statement. Users can have the best hardware security in the world, but at the end of the day, hackers can get in if they find the seed phrase in their sock drawer—or, more likely, on their desk.
A SafeCard, however, is like a debit card that can sign blockchain transactions. This enables two layers of security. First, there's a PIN, which, again, is a familiar element that people can remember without writing down. Second, GridPlus has built additional security into the card called PUF—a physically unclonable function. Kreder described it as an "electronic snowflake" that is unique to each card.
The downside, of course, is that such a card—at this point—has to be used with GridPlus' hardware lattice that is paired with both a smartphone and a GridPlus server. That won't cut it on the mobile wallets that Argent is building, although Lesuisse et al have their own workarounds.
But small strides count. "The goal of the ecosystem should be to expand the user base with minimal centralization, thus increasing the utility and therefore the value of the token," said Kreder.
Now, if Ethereum can just solve scalability, we'll be all set to onboard all those new Texas users.