Ledger's new Ledger Recover, why is it being reviled?

"Multi-party managed keys, really secure?"

On May 16, hardware wallet manufacturer Ledger released a version update that introduced a service called "Ledger Recover". Ledger Recover is reportedly an ID-based, subscription-style key recovery service that provides a backup for the mnemonic (recovery phrase) used to restore a user's private key. Currently Ledger Recover is compatible with the Ledger Nano X and can be used on Android and iOS devices running the latest version of Ledger Live. Users who can subscribe now must hold a passport or ID issued by the EU, the UK, Canada or the US; over the coming period, eligibility will be extended to more countries.



Ledger explained how the service works: the wallet mnemonic (the key) is split into three parts (cryptographic sharding) and the three shards are distributed to three custodians: Ledger itself, cryptocurrency custodian Coincover, and code escrow company EscrowTech. If the user loses the key, any two of the three shards can be combined, after identity checks, to regain access to the locked funds. A subscription costs $9.99 a month.


Ledger's move breaks with the traditional understanding of hardware wallets, which store private keys in a secure hardware device isolated from networked computers and other environments.


User objection


After the service was announced, a large number of users objected and called for a boycott. BlockBeats summarizes some of the views raised against the service:


- For a hardware wallet, keys that never leave the device are the foundation. Ledger's new service is clearly unacceptable to the many users who can keep their own keys: subscribing means entrusting your keys and personal identity to other institutions, and if something goes wrong (hacking, data theft) the custodied information will probably not remain intact;


- Subscribing requires passport and national ID authentication. Anything protected by "authentication" is inherently insecure: identities are too easy to fake, and since authentication is what confirms a user's key reconstruction request, and identity fraud and theft are so common today, this is not a secure approach;


- Splitting the key into three parts is fine in itself; the problem is that the service sends the three parts of the user's encryption key to three real-world companies, which together can completely reconstruct the user's key. Mathematically, the more third-party institutions hold custody, the more the probability of a problem increases, and it increases exponentially;


- Most Ledger users use Ledger Live, an application that synchronizes all wallets through Ledger's nodes and so reveals every detail of a user's crypto activity. Your assets and transaction details are already exposed to a third party; after you subscribe to the service, your keys and identity are held by third parties as well. Is your cryptocurrency still your own?


- We can't be sure Ledger has built-in safeguards that prevent someone from sending all three parts of the key to a single entity, nor how the parts are distributed to the three entities, and it is even less clear how the decryption process during recovery actually works;


- In theory, if I know you used Ledger Recover and have obtained your identity, which is not difficult to pass authentication with using today's technology, your crypto assets can end up belonging to someone else;


- On a macro level, there are regulatory conditions to consider. EscrowTech and Ledger are US companies and Coincover is a UK company. These institutions fall under US and UK jurisdiction, and crypto regulation in the US and UK has been a problem.


Deeper reflections after Ledger Recover


Interestingly, one of the entries was deleted right after Ledger posted information about the service. It stated, in substance, that "Ledger and the third parties we trust cannot access the user key". Although Ledger later explained that the wording of the entry was inaccurate, the explanation was somewhat far-fetched.


Photo from Twitter



Combined with user feedback, a pressing question emerges: is Ledger's motive behind the service to monetise its subscribers, or did some regulatory body force Ledger to do this? If it was a regulatory request, it would make it very easy for that body to obtain users' KYC data and recover user assets.


One more point: the use and recovery of all three parts of the key is verified through Ledger (email, ID, Onfido KYC). When Onfido handles the KYC process and requires a user to upload and verify their identity, it also retains the user's ID, the picture/video/audio from the selfie video, and an overall picture of the device and current activity. Onfido therefore knows everything about the user's identity and the fact that they are a Ledger user, and when the user holds a fairly large amount of cryptocurrency, it also knows everything about the device used for authentication. As mentioned above, the audio/picture/video material is not imitable.



Is it really safe?


Other hardware wallets on the market


So Ledger has completely broken the traditional hardware wallet mechanism and, indirectly, exposed many vulnerabilities. In fact, hardware wallet problems have not been prominent, although hardware wallet giant Trezor was previously shown to have its key extracted within minutes through a physical attack on the device. So what other hardware wallets are available? BlockBeats has compiled some of today's best-reviewed hardware wallets:


OneKey


OneKey is a fully open-source hardware wallet; the source code of its internal system is available on GitHub and there are no backdoors. The OneKey hardware wallet is also pleasant to use: it has the shape and size of a bank card, the price is not particularly high, and it slips easily into a wallet.


Keystone


Keystone is a hardware wallet that transmits data via QR codes, so the mnemonic and private keys never touch the network. Hardware wallets are vulnerable to physical attack, but Keystone has designed a multi-layer self-destruct mechanism to protect the device: when it detects that someone is disassembling it, the self-destruct mechanism immediately wipes the private key and other sensitive information, so an attacker cannot access sensitive user data. Keystone integrates with MetaMask (extension and mobile) and other leading software wallets such as Solflare, Sender and Fewcha.


Conclusion


Of course, there are some positives. The service isn't mandatory; it is optional for users, so you can keep using your Ledger as before. There is also the argument that losing crypto assets is so common that the probability of losing a key far exceeds the probability of having it stolen, and the service only costs $9.99 a month. It's up to you whether to stick with it or switch to another hardware wallet.
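The trade-off in the paragraph above (a backup lowers the chance of losing the key but adds parties who could leak it), and the earlier objection that more custodians mean more exposure, can be put in numbers with a simple binomial model. This is an added example, not from the article; it assumes each custodian is compromised or unavailable independently of the others with the stated probabilities, which is exactly the assumption that shared jurisdiction, a common KYC provider or a coerced operator undermines. The (1, 1) scheme stands for the single self-custodied device that the article contrasts with a 2-of-3 split.

```python
# Added example (not from the article): binomial risk model for a k-of-n
# custodial key backup. Each custodian is assumed to be compromised with
# probability p_compromise and unavailable with probability p_unavailable,
# independently of the others. Correlated failure (same jurisdiction, same KYC
# provider, one coerced operator) breaks this assumption and pushes the theft
# figure toward p_compromise for the whole set at once.
from math import comb


def at_least(n: int, k: int, p: float) -> float:
    """Probability that at least k of n independent events of probability p occur."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def theft_probability(n: int, k: int, p_compromise: float) -> float:
    """The key leaks as soon as any k custodians are compromised."""
    return at_least(n, k, p_compromise)


def loss_probability(n: int, k: int, p_unavailable: float) -> float:
    """The key is unrecoverable once more than n-k custodians are unavailable."""
    return at_least(n, n - k + 1, p_unavailable)


def compare_schemes(p_compromise: float, p_unavailable: float,
                    schemes=((1, 1), (3, 2), (3, 3), (5, 3))):
    """Map (n, k) -> (theft, loss) so the two risks can be read side by side.
    (1, 1) is a single self-custodied device: one holder, one point of failure."""
    return {
        (n, k): (theft_probability(n, k, p_compromise),
                 loss_probability(n, k, p_unavailable))
        for n, k in schemes
    }


if __name__ == "__main__":
    # Constructed per-custodian figures; the shape of the result, not the
    # numbers, is the point.
    for (n, k), (theft, loss) in compare_schemes(0.1, 0.1).items():
        print(f"{k}-of-{n}: theft={theft:.4f} loss={loss:.4f}")
```

Raising k lowers theft risk but raises loss risk (3-of-3 is hard to steal and easy to lose), and the symmetric 2-of-3 case trades the two off evenly; the model only says anything useful when the custodians really are independent, so the question of who holds the shards matters more than the arithmetic.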


Welcome to the official community of BlockBeats

Telegram subscription group:https://t.me/theblockbeats

Telegram communication group:https://t.me/theblockbeatsApp

Official Twitter account:https://twitter.com/BlockBeatsAsia

