Connecting your crypto seed phrase to your passport. What could go wrong?
Hardware wallet provider Ledger has caused a stir online after announcing its Ledger Recover service alongside its latest firmware update.
In a nutshell, it’s an ID-based key recovery service that backs up users’ seed phrases. To use the service, users must provide a passport or national identity card to confirm their identity.
While this service requires users to opt-in and pay a $9.99 monthly fee, some are already concerned that Ledger would offer such a service.
“This is a disaster waiting to happen,” said one Reddit user. “I can’t actually believe what I’m reading, this seems absolutely crazy for a hardware wallet provider to encourage you to back up your seed phrase online AND give them your Passport/ID—especially one that has previously suffered a data breach!”
Ledger suffered a data leak back in 2020 which exposed the phone numbers and physical addresses of nearly 300,000 customers as well as over 1 million email addresses.
If a similar leak were to expose Ledger Recover users’ identity documents, an attacker could potentially use the service to “recover” the seed phrase.
“Exposing your seed phrase and then allowing anyone with your ID or Passport to regain access to the locked funds is a bad security posture,” Adrian Hetman, tech lead triager at Web3 bug bounty platform ImmuneFi, told Decrypt. “ID theft is common and that would expose crypto users to a new form of attack.”
The exact recovery process, however, has not been detailed and may be more complex than just showing your passport or identity card. Ledger did not immediately respond to Decrypt’s request for comment.
“The main point here is that you can access the encrypted parts of your seed phrase by just showing and verifying your ID/Passport which could be stolen or acquired through different ways,” Hetman said. “No amount of encryption would help solve this problem and approach.”
Seed phrase recovery
While Ledger Recover is catching heat, seed phrase recovery as a concept isn’t entirely doomed.
Social recovery, used by Vitalik Buterin, allows you to delegate a number of wallets you trust—these are called guardians—that can approve the recovery of your wallet. Your guardians could be other wallets you control or friends and family members that you trust.
“Generally, I feel like Social Recovery, as proposed in EIP-4337 is a really great idea and I love it, as it brings the user experience to a more standard model of how the current banking system UX works while still being secure,” Hetman said. “You’re still in control and you can choose any party of your liking you can trust.”
The key difference is that the user chooses their own guardians, which removes the security risk that comes with handing over a passport or identity card.
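To make the guardian model concrete, here is a small Python simulation of an M-of-N social-recovery wallet. It is an added example and not code from Ledger, Decrypt, or any EIP reference implementation; the class, method names, and the time-delay rule are assumptions chosen to show the defensive properties that matter: only current guardians can vote, duplicate votes don’t count, a quorum is required, and the real owner gets a delay window in which to cancel a recovery they did not ask for.

```python
"""Toy model of a social-recovery wallet: M-of-N guardians approve a change of
owner, and a time delay gives the real owner a window to cancel.
Illustrative only; names and parameters are assumptions, not any project's API."""
from dataclasses import dataclass, field


@dataclass
class RecoveryRequest:
    new_owner: str
    proposed_at: int                      # unix seconds (constructed clock)
    approvals: set = field(default_factory=set)


class SocialRecoveryWallet:
    def __init__(self, owner: str, guardians: list, threshold: int, delay: int):
        guardians = set(guardians)
        if not 1 <= threshold <= len(guardians):
            raise ValueError("threshold must be between 1 and number of guardians")
        self.owner = owner
        self.guardians = guardians
        self.threshold = threshold        # M approvals needed out of N guardians
        self.delay = delay                # seconds the owner has to cancel
        self.pending = None

    def _require_owner(self, caller: str) -> None:
        if caller != self.owner:
            raise PermissionError("owner only")

    def _require_guardian(self, caller: str) -> None:
        if caller not in self.guardians:
            raise PermissionError("guardian only")

    # --- owner-only management of the guardian set ---
    def add_guardian(self, caller: str, guardian: str) -> None:
        self._require_owner(caller)
        self.guardians.add(guardian)

    def remove_guardian(self, caller: str, guardian: str) -> None:
        self._require_owner(caller)
        if guardian not in self.guardians:
            raise ValueError("not a guardian")
        if len(self.guardians) - 1 < self.threshold:
            raise ValueError("removal would make the threshold unreachable")
        self.guardians.remove(guardian)

    # --- recovery flow ---
    def propose_recovery(self, guardian: str, new_owner: str, now: int) -> None:
        self._require_guardian(guardian)
        if self.pending is not None:
            raise RuntimeError("a recovery is already pending")
        self.pending = RecoveryRequest(new_owner, now, {guardian})

    def approve_recovery(self, guardian: str, new_owner: str) -> None:
        self._require_guardian(guardian)
        if self.pending is None or self.pending.new_owner != new_owner:
            raise RuntimeError("no matching pending recovery")
        self.pending.approvals.add(guardian)   # set semantics: double voting is a no-op

    def cancel_recovery(self, caller: str) -> None:
        # The legitimate owner can veto a recovery during the delay window.
        self._require_owner(caller)
        self.pending = None

    def finalize_recovery(self, now: int) -> bool:
        req = self.pending
        if req is None:
            return False
        # Count only approvals from guardians that are still in the set.
        live = req.approvals & self.guardians
        if len(live) < self.threshold:
            return False
        if now < req.proposed_at + self.delay:
            return False                       # delay not yet elapsed
        self.owner = req.new_owner
        self.pending = None
        return True


if __name__ == "__main__":
    w = SocialRecoveryWallet("alice", ["g1", "g2", "g3"], threshold=2, delay=86400)
    w.propose_recovery("g1", "alice-new-device", now=1000)
    w.approve_recovery("g2", "alice-new-device")
    print("finalize at once:", w.finalize_recovery(now=1000))        # False: delay
    print("finalize after delay:", w.finalize_recovery(now=1000 + 86400))
    print("owner is now:", w.owner)
```

The two properties worth noting are the quorum (no single guardian, and no single stolen document, can move the wallet) and the delay plus owner veto, which is what turns a guardian compromise into a recoverable event rather than an immediate loss.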
Source: https://decrypt.co/140317/ledger-crypto-wallet-under-fire-over-seed-phrase-recovery-service