RawBTC on Nostr: I thought Jack had reposted their article from yesterday about seed phrases ...
I thought Jack had reposted their article from yesterday about seed phrases (https://bitkey.build/seed-phrases-are-sharp-edges/) and responded before I saw it was a new article about hardware device screens.
I don’t agree with all the reasoning in that seed phrase article. Ultimately, someone has to control the seed. If the user doesn’t keep a copy themselves, then they’re deferring trust somewhere else.
“Seedless” custody generally puts a lot of trust in the device securing that seed. Without a seed backup, hardware failures are catastrophic for singlesig setups. I would never do seedless unless it were multisig. But even with seedless multisig, losing a device means you have to deal with a more complicated key rotation process, rather than just recovering the same seed into a new device.
In Block’s Bitkey setup, it sounds like it’s seedless multisig “until you need to export the seed”. It’s yet to be seen how sovereign that recovery can be or if you’ll have to ultimately get permission to access a seed or move to a different multisig coordinator. It sounds prone to lock-in, but I’d need to read more about the technical details to know.
There are trade offs to various approaches, and I don’t think their seed phrase article properly highlights those trade offs.
—
But like I said, the article Jack linked in the OP is a different topic - hardware device screens. It seems pretty well reasoned, but I only skimmed it. I don’t know if I agree with all the listed attack vectors and risks associated with over-reliance on device screens. I prefer a screen on the device, but screenless might work well enough in their setup, since it’ll have a server-side component to help verify data.
Regardless, it’s a unique approach, and I’m interested to see how it develops. Will probably be a good onboarding option for less technical people.
I don’t agree with all the reasoning in that seed phrase article. Ultimately, someone has to control the seed. If the user doesn’t keep a copy themselves, then they’re deferring trust somewhere else.
“Seedless” custody generally puts a lot of trust in the device securing that seed. Without a seed backup, hardware failures are catastrophic for singlesig setups. I would never do seedless unless it were multisig. But even with seedless multisig, losing a device means you have to deal with a more complicated key rotation process, rather than just recovering the same seed into a new device.
In Block’s Bitkey setup, it sounds like it’s seedless multisig “until you need to export the seed”. It’s yet to be seen how sovereign that recovery can be or if you’ll have to ultimately get permission to access a seed or move to a different multisig coordinator. It sounds prone to lock-in, but I’d need to read more about the technical details to know.
There are trade offs to various approaches, and I don’t think their seed phrase article properly highlights those trade offs.
—
But like I said, the article Jack linked in the OP is a different topic - hardware device screens. It seems pretty well reasoned, but I only skimmed it. I don’t know if I agree with all the listed attack vectors and risks associated with over-reliance on device screens. I prefer a screen on the device, but screenless might work well enough in their setup, since it’ll have a server-side component to help verify data.
Regardless, it’s a unique approach, and I’m interested to see how it develops. Will probably be a good onboarding option for less technical people.