Crypto Academy

Controversial Ledger Seed Phrase Recovery Service

The new Ledger ID-based seed phrase recovery service is under scrutiny over potential security risks and identity theft concerns.

Ledger, a leading provider of cryptocurrency hardware wallets, recently launched its new Ledger Recover service. This fresh feature, included in the latest firmware update, offers an ID-based key recovery service that backs up users’ seed phrases. However, it comes with a catch – to benefit from this service, customers must link their passport or national identity card. This has raised eyebrows in the crypto community, leading to a heated debate about the potential risks involved.

Understanding the New Service

For a $9.99 monthly fee, Ledger Recover allows users to back up their seed phrase in three encrypted fragments. Each fragment is stored on hardware security modules (HSMs), akin to highly secure Ledgers. The fragments are held by three custodians – Ledger, Coincover, and a third-party provider. Each fragment is meaningless by itself, and it can only be decrypted on a Ledger. Ledger assures users of the service’s safety, stating that the fragments are entirely secure.

Nevertheless, the requirement to provide an identity document is prompting concerns among users. Some worry that the security of these companies may not be reliable, potentially endangering the safety of their funds. That’s understandable as Ledger previously suffered a data leak in 2020, resulting in the exposure of personal data of nearly 300,000 customers.

The Community Response and Potential Risks

Crypto users have voiced their concerns about the potential security risks of Ledger Recover. Some believe that it is a risky move for a hardware wallet provider to advise users to back up their seed phrase online and provide their passport or ID. The major concern lies in the fact that if Ledger were to experience another breach, hackers might be able to use the recovery service to gain access to users’ seed phrases.

Adrian Hetman, a tech lead triager at the Web3 bug bounty platform ImmuneFi, argues that this approach exposes users to a new form of attack. Identity theft is a common crime, and allowing anyone with the user’s ID or passport to regain access to locked funds seems like a weak security measure.

Ledger’s Stand on Security Concerns

Despite the mounting criticism, Ledger maintains that the new feature does not pose a security risk. It argues that the ID verification is only one part of a more comprehensive process. The company claims that they also incorporate full liveness detection. That involves random prompts that cannot be faked or pre-recorded. This process is scrutinized by both technology and humans to ensure the right match before initiating the recovery process. This, Ledger argues, means that even if someone steals your ID, they wouldn’t be able to recover your Secret Recovery Phrase (SRP).

Exploring Other Recovery Options: Social Recovery

While Ledger’s latest service is drawing criticism, the idea of seed phrase recovery is not inherently flawed. Another approach gaining traction in the crypto space is social recovery. Pioneered by Vitalik Buterin, social recovery allows users to designate trusted wallets – known as guardians – that can approve wallet recovery.

Adrian Hetman believes that this approach is a more user-friendly model that mirrors current banking systems while maintaining security. It gives users control over the selection of their guardians, which can be other wallets they manage or trusted friends and family. The beauty of this method is that it eliminates the security risk tied to handing over a passport or identity card – a valuable takeaway from the ongoing Ledger controversy.
