What happened to Ledger?
Last week, Ledger announced Ledger Recover, a new subscription-based service that allows you to access your wallet if you lose your seed and device. How does it work? The Ledger device splits your private key into three encoded pieces, then sent to three different third-party custodians so that no one can access your keys except you. If you lost your keys, you can retrieve these three pieces and decode them on your Ledger.
For some, this may sound like a dream; for others, like a nightmare. With the internet’s heated discussion on the topic, let’s dive deeper into it.
Firstly, for many users, the primary appeal of a hardware wallet is that your private keys NEVER leave the device. So, if a firmware update suddenly allows your device to share keys with third parties on the Internet - even if split and encoded - it’s worrisome at least.
To make things worse, unlike Trezor, Coldcard, Bitbox, or Jade, Ledger does NOT open-source its firmware. The company tried to calm people down, reminding them that they always trusted Ledger that the firmware was not malicious. However, that only raised concerns about the closed-source code.
The second issue is that if you lose your keys, you can only regain access to your crypto if you provide your identification details (KYC), which harms the privacy aspect of crypto.
Then I watched this great video by Andreas Antonopolous and Jameson Lopp, and learned that actually, your device is not even necessary to decode your keys, so you really fully trust Ledger with that.
Why are they doing this?
Ledger has raised a total of $577M in funding. They want to dominate the market and have concluded that self-custody is too niche. To attract more users, they need to take care of those who may not be able to adequately secure their keys. While this does make sense from a business perspective, from a personal standpoint, I don’t like it, and I don’t trust it.
So, what’s the next step?
Ledger still provides the best support for many coins and tokens and is an industry-standard. Furthermore, Ledger Recover is an optional service, which could be beneficial for many. So, if you require one or both of these, you may want to stick with Ledger.
However, to store bitcoins, which I consider to be a long-term personal store of value, I will continue using and recommending other devices: Trezor, Bitbox, and for Bitcoin-only people, also Coldcard and Jade. I will also update my recently published recommendations to reflect this change better.
If you’re seeking an alternative to Ledger Recover, consider Casa. For the same subscription price, you get a 2-of-3 multisig vault. Casa holds one key, and you retain the other two. To sign a transaction, you need two signatures. This setup creates a much more trustless environment. With Casa, you can store Bitcoin and Ethereum (soon).
Is everything else open-source?
As I previously mentioned, Ledger is the only significant player in this space that does not open-source its firmware. Digging deeper, we need to mention that the Ledger hardware is also closed-source. However, despite other companies opensourcing their hardware, there’s the issue of the secure element, which currently is always proprietary. That presents yet another set of security questions. Other wallets have adopted different approaches to the issue:
- Trezor chose not to use a secure element to stay 100% open-source. This decision makes the hardware easier to hack if it falls into the wrong hands. However, you can stay safe using a long passphrase (not just a PIN!).
- Bitbox uses a secure element, but opensources everything else.
- Coldcard employs two different secure elements from different manufacturers to further mitigate the risk.
- Jade is also 100% open-source and utilizes the fanciest solution - a virtual secure element based on their “blind oracle” server. The risk with this model is that the server must always be online.
On the horizon is TropicSquare — the first open-source secure element that will be featured in the next generation of Trezor devices. I have always admired Satoshi Labs, which is responsible for both projects. The first batch is already in testing, so I hope this will be a win for the whole industry.