My take on all of this – the good, the bad and the ugly.
Last week, Ledger, the company behind the eponymous hardware wallets and the market leader in this popular category of non-custodial (“self-custody”) crypto wallets, made a major announcement about an optional subscription service called Ledger Recover (referred to as “Recover” throughout this piece).
My thoughts? As always, there are pros and cons, and I will provide a balanced argument here, much to the dismay of people with strong views on this matter, particularly non-custodial fans.
Before proceeding, let’s see what Recover will entail.
How does Ledger Recover work?
This is Ledger’s official wording about what it entails, at least one of the steps involved:
“Once approved, your Ledger Nano X will duplicate, encrypt and fragment your private key into three pieces within the Secure Element chip. These fragments become the backup of your Secret Recovery Phrase.”
If you commit to this scheme, I recommend looking into the track record of all three companies you would rely on to hold a backup of your recovery phrase.
Whenever you want to access your wallet via this service, two of the three encrypted pieces will be returned to your Ledger device to reassemble your private key.
A fragment by itself has no use, as mentioned by Ledger. It only works when at least two of the three are provided. This follows the model of Shamir backup, which Trezor incorporated into its Model T hardware wallet (see ‘Shamir’s secret sharing’ for a detailed explanation).
To participate in this subscription-based service, you must provide a valid form of ID to verify your identity.
Finally, this service is only active as long as you remain subscribed.
To clarify, I am going off the company’s posts and general information publicly available. One is a Twitter thread provided by Charles Guillemet, CTO @ Ledger.
Good intentions but an ill-conceived idea
OK, my take on all of this.
Firstly, it’s uncharted territory for many involved in the crypto space. I would say that this decision has blindsided several people, particularly those with strong opinions surrounding non-custodial wallets (NCWs), i.e., not your keys, not your crypto.
I agree with having convenient NCW options available and strongly believe that everyone should have at least 45% (an arbitrary number, I know) of their crypto portfolio secured by these wallets, ideally more, but a significant chunk nonetheless.
This Recover option has its reported benefits, particularly for anyone who:
– incorrectly wrote down their recovery seed (a.k.a., seed phrase);
– has lost both their device and phrase;
– wants the idea of self-custody but prefers the peace of mind of a backup, and so on.
However, Ledger handled the announcement of this service's rollout poorly; it was a bold move to make for a product that, from my understanding, no other reputable player yet offers (for better or worse).
Put simply, they f&$ked up and have lost many customers, most likely for good. I’ll expand on this later.
My thoughts about things they should have done before launching this.
1) They should have consulted the crypto community via surveys, official Twitter polls, feedback, etc. One could argue that they did not want another company stealing the idea. But come on, if it were publicly documented and the foundations of new partnerships (Coincover and EscrowTech) were already established, how is this an issue?
The lack of community consultation (which would be expected as part of an asset class/sector that emphasises the need for decentralisation and transparency) leads me to my next point.
2) They could have offered this service for an entirely different wallet, e.g., a hypothetical Ledger Recover Wallet (LRW). This would have avoided a major headache I will touch on shortly (see point 5).
I realise that this is an opt-in service and that you will not be automatically enrolled into it. However, I feel as though this option should have been explored, especially as there is the
3) For those who insist on using this, there could have been an extra subscription level whereby a Ledger device’s private key is split between four or six providers (requiring at least three or five fragments, respectively), thus making it more distributed.
Yes, this would increase the cost, and this may be overkill. However, considering that the amount of money flowing through the space is forecast to grow, and the balance on some hardware wallets, there would still be a market for it.
4) Users would have security concerns about needing a photo ID to be eligible for Recover. With the number of high-profile data leaks, and yes, sorry, Ledger, but you’re guilty of this too, I am not surprised about the public’s reaction to this move.
In the ‘Data & Privacy’ section of Recover’s FAQs, this is what you need to know:
Does Ledger Recover store my personal data?
This begs the question: Once verified, why is it necessary to hold onto the “encrypted excerpt” of your photo ID? Surely, after x number of days, you can securely destroy the information, as Trezor does with customer data from its sales.
5) This is the main one:
“This is being put into the firmware whether or not you sign up for this service. So, the capability to export….your private key is being embedded in the firmware of every Ledger device the next time you update your firmware.”
As a result, and as I mentioned earlier, Ledger could have avoided this headache by simply allowing people to purchase a specific hardware wallet exclusively designed for this new service.
A PR mess of epic proportions
To say it has been a terrible week for Ledger is an understatement.
One post stood out for me among all the noise and plethora of comments across the interwebs.
Éric Larchevêque, Ledger co-founder and CEO (2014-19), expressed his thoughts about this whole situation in a Reddit post, “My personal view on the PR disaster, from a Ledger co-founder and ex CEO”, under the moniker ‘murkiza’.
“Ledger is still safe, there is no backdoor, the Ledger Recover is not a conspiracy, no one will ever force anyone to use Recover.
The Recover code in the firmware is not a malicious code nor does it open a way to arbitrary (sic) extract the seed.”
Adding fuel to the fire, another Reddit user asked Larchevêque whether any parties involved in safeguarding the encrypted fragments would be forced to hand over data to a government in the event of a subpoena, even without the client knowing about it.
The former CEO’s response says it all.
“If you are a Recover user and have your shard into safeguarded by third parties, then yes, a government could subpoeana them and get access to your funds.
Using Recover gives you an easy recovery option and mitigates backup loss, but your assets could get frozen by the government (in theory, I’m not a lawyer and I didn’t see any legal opinon (sic) on the subject).”
The impression many are getting from this is that if you choose not to participate in Ledger Recover and continue following the status quo of full control and responsibility of your recovery seed and device security, this does not apply to you.
HOWEVER, some beg to differ and remain unconvinced that this won’t have ramifications on all Ledger users.
One example of this criticism came from a crypto dev, writer and auditor on Twitter, foobar (@0xfoobar). He has been one of the biggest critics of Recover.
Shortly after the announcement, foobar let loose in a Twitter thread, exposing multiple shortcomings/existing issues and listing his alternate hardware-wallet preferences.
One of the common issues raised here is the concern about a potential backdoor, but Ledger has turned around and refuted this, as shown below.
You need to approve the service on your Ledger, otherwise the backup is never created. This is why we have secure hardware and a secure screen – trust your device.
There's no backdoor to a backup.
— Ledger (@Ledger) May 16, 2023
In brief, the main issue with Ledger Recover boils down to this:
The seed phrase should NEVER leave your hardware wallet.
The absence of community consultation or surveying existing customers BEFORE announcing Ledger Recover still baffles me.
The fact that shards (albeit encrypted) are being broadcast from your device over the Internet with some form of identifier linked to them so that Ledger can ensure that the private key belongs to said person is a big no-no for self-custody believers, even if there is the peace-of-mind aspect to it.
For balance, I wouldn’t be surprised if Ledger gets some new customers (to, let’s face it, replace some of the disgruntled and infuriated ones who have left) because of this reassurance to back up your lost funds.
As bizarre as this sounds, many would not bat an eyelid at the idea of Ledger Recover and happily participate and disseminate whatever personal information they want.
As always, each to their own.
Having said this, at that point, why not use a regulated, centralised exchange such as Coinbase, Kraken or even Gemini?
This is a sensible suggestion and has a lot of truth to it, IMO. However, Ledger aims to assure its clients with insurance of up to $50,000 cover “pending an investigation”, i.e., there’s no guarantee.
I would not be surprised if (I’ll give it by the end of this decade) most regulated centralised exchanges were to offer insurance. I know that Independent Reserve, an Australian exchange, has provided this (and still does), but crypto insurance is still in its infancy for various reasons.
Whenever this occurs, Ledger, if they were to proceed with Recover despite the fury across the crypto community, will lose this ostensible advantage.
Will I still use Ledger devices? Yes, though, in a reduced capacity. I was on the cusp of pre-ordering the company’s latest model, the Ledger Stax — which I think would have been a unique experience, particularly for NFT enthusiasts — but I’ve changed my mind.
To clarify, for multiple reasons, I have always used a different (non-Ledger) hardware wallet concurrently with a Nano X. Its proprietary software (unlike Trezor, BitBox and some others, which are open-source) and the above-mentioned data leak have led to me becoming even less reliant on what I believe has been the most user-friendly hardware wallet to date.
Ultimately, I think Ledger Recover will define this company’s fate, as we are at a pivotal moment in the crypto space with regulatory clarity forthcoming and are (IMO) on the cusp of mainstream adoption.
I know this is a bold and dramatic claim, but let’s not forget there is a growing number of reputable alternatives (Trezor being a popular one) in the cold-storage/non-custodial subset of crypto wallets.
Above all, many of us do not forget or forgive, particularly when data leaks are involved.
For those who are absolutely livid, I feel your frustration, but don’t be foolish and start burning/destroying your Ledger devices and making rash decisions. Then again, if you have your recovery seed, your crypto assets can still be accessed.
Consider this Ledger announcement a good time to re-evaluate where your crypto is held.
For context, this won’t impact me as much as I have always adopted the mentality of never putting all your eggs in one basket. As a reminder:
Make. Sure. Your. Funds. Are. Distributed…and with “reputable” services.
Why the air quotes? This space is very dynamic, and circumstances change over time. So, adapt accordingly.
Never fully entrust one service to manage your crypto, even if it is a hardware (or any non-custodial) wallet. The same applies to crypto exchanges; use more than just one if you insist on keeping funds on them.
I take this idea of distribution to the next level, much to the dismay of BTC, ETH, ADA… (insert crypto) maximalists or anyone who insists on holding just one crypto asset. Despite focusing on these three, I still diversify, and I think you should too…but don’t spread yourself too thin, either.
For perspective, there are other asset classes to invest in, so I would refrain from throwing everything into crypto. Anyhow, I digress, but you get my point.
In the coming weeks and months, Ledger will provide answers to these questions, whether of their own volition, out of obligation, or both. The story is evolving, and more details and updates to this proposed service are coming out.
Then again, it could be a case of too little, too late.
To be honest, the way things are panning out, I would not be surprised if Ledger halts this initiative and offers to exclusively run it on a standalone device as a form of damage control. Then again, no one knows, except for the folks at their HQ.
I will add to this list in the coming days (and put more embed links throughout this post):
– A 29-tweet Twitter thread from Guillemet:
– Ledger CTO Addresses Criticism of New Wallet Recovery Service:
– Coin Bureau’s YouTube Short on this matter
N.B. None of this is financial or legal advice, and I am neither a financial advisor nor a lawyer. You are solely responsible for crypto investments and how you interpret the information provided in this piece.
The opinions expressed within this piece are my own and might not reflect those behind any company, organisation or person listed here.
This is not paid advertising, though I know people will conveniently ignore this line and still accuse me of defending Ledger.
Please do your research before investing in any crypto assets (including stablecoins), hardware wallets, NFTs and other products affiliated with this space.
To reiterate, I received no incentive from any person or entity listed throughout this article to discuss their product.