The Future Is Seedless: Wallets for Transitioning Web2 Consumers to Web3
2022-11-18 19:26
Youbi Capital

The article is co-authored by Chen Li, Ivy Zeng and Ivo Entchev in Youbi Capital.

To a Web2 user approaching Web3 for the first time, the onboarding experience is (putting it mildly) unappealing. With conventional EOA wallets, this takes the exotic form of explicitly generating a wallet, managing private keys, and securing seed phrases for account recovery.

Next-generation seedless wallets attempt to address this point of friction by abstracting away from the private keys and seed phrases, thereby permitting a more familiar onboarding process using only a few clicks, and by leveraging social login common to Web2. As such, seedless wallets are a strong step toward mass adoption.

One way wallet providers achieve seedless wallets is through fully centralized account hosting solutions. However, that approach is misguided because it defeats the basic purpose of using a Web3 app. The correct solution should not achieve abstracted convenience at the cost of meaningful ownership and self-custody of user accounts by users themselves. Instead, it should strike the right balance between the two based on the user’s needs.

We are at an inflection point for introducing Web2 consumers into Web3. The onboarding process will play a big role in this next phase of growth. It is, therefore, critical that we create an onboarding and account management experience that combines the decentralization ethos of Web3 with the convenience and intercompatibility of Web2.

Due to its central importance to the growth and success of Web3, we are continually paying close attention to innovation in Web3 account infrastructure. Many app developers have asked us to share our thoughts on recent advances in user onboarding and on wallet selection. Here they are.

The Trade-Off: Seedless Key Management Versus Self-Custody

All recent iterations of wallets can best be analyzed in relation to their pursuit of two main but countervailing features: seedless key management and self-custody.

Seedless key management is the foundation for the seamless onboarding of new users into Web3. The user does not need seed words or private keys to import their accounts into a new environment. As a result, their onboarding and account management are abstracted and can be made to resemble that of Web2.

On a technical level, this abstraction is achieved by wallet providers delegating authority over the client’s account to the server or to third parties. For example, Magic Link requires users to be authorized by it to access their encrypted key and to decrypt it with a master key secured by centralized hosting on an AWS HSM. Other approaches create greater decentralization by splitting the private key into multiple pieces and storing them in different places to reduce the risk of exposing the entire key.

As should be readily apparent, seedless key management results in a trade-off with complete ownership and self-custody of the user account by the user, which is important (if not outright sacrosanct) to many crypto adopters, and for a good reason. When the wallet service relies on third parties, those third parties are empowered to censor the transactions and even take over the assets. They might be subject to government regulations and enforcement. Wallet services highly dependent on the service provider are also more likely to be disrupted when malicious attacks or accidents happen.

Therefore, the best UX for Web3 wallets must find the right trade-off between seedless key management and self-custody for the targeted user groups. For Web3 applications, we can assume that the primary goal is to seamlessly convert Web2 consumers, who are used to username/password or social login but do not have a significant amount of assets on-chain right away. Secondarily, the developers should consider upgrading the trade-off as the users’ assets grow, which will generally require more security and greater decentralization.

Finding the Right Balance: Comparison of Existing Seedless Wallets

Based on the above framework, we provide a survey of the representative seedless wallets of which we are aware and analyze them according to the degree of self-custody that they enable and other relevant factors.

MagicLink, Web3Auth, Particle Network, Sequence, UniPass

The latest generation of wallets relies on new technologies such as secured cloud storage, MPC, and smart contracts to enrich the design space and bring users a new set of functions to manage and use their Web3 account. While all of these are an improvement over EOA design, the degree to which they improve the user experience differs (as shown in Figure 1).

Figure 1: Utilization of Cloud, MPC and Smart Contract in Wallet Design

EOA wallets such as Metamask, Imtoken, and Phantom are the most native and self-reliant wallets. They are also the most cumbersome. The users need to learn how to safeguard their seed words or private key and how to use them to import the account to new devices. The account address derives from the private key and will be permanently locked or inaccessible if the key is lost or stolen.

The most straightforward alternative is to use a custody service. The best example is Magic Link. The custodian grants access to the account through email or social login, which is very convenient. But the key is vulnerable to the usual security and other centralization risks.

More complicated methods usually involve MPC (SSS, TSS), such as Web3Auth and Particle Network. By splitting the key into several shares, the login must be authenticated by multiple key shareholders, distributing the custodianship, therefore mitigating the centralization risks.

Finally, several projects have succeeded in wrapping smart contracts on top of MPC, introducing account management logic that allows the users to reconstruct or reset the master key managed by MPC, further reducing centralization risks. The core of the account management logic is the selection of so-called guardians, where profound customization could be implemented to remove the dependency on wallet service providers or certain custodians.

Beyond their handling of the tradeoff between seedless key management and self-custody, these seedless wallets can be evaluated on their improvement of the user experience according to six relevant factors, as described below.

Gas fee: Gas cost incurred on-chain for the creation of the smart contract account (gas fee for regular usage is similar to EOA)

Latency: Time to complete the creation and import process (e.g. smart contract wallets usually take longer due to the on-chain process)

Switch Device: Smoothness in switching to a new environment or device

Security: The existence of a single point of failure, including any individual party, such as the service provider or the integrated front end, that can reveal, reconstruct or reset the complete key or credentials to fully control the account

Custody: Service availability and censorship resistance (i.e. dependency of the service on the service provider and whether the custodian can access or freeze the client’s account)

Functionality: The ability to implement additional account management logic (e.g. sponsor gas fee, multiple signatures, delegated signing)

Among these supplemental factors, users are relatively more sensitive to gas fees, latency, and the availability of additional functionalities. Security and custody are less visible to the users; however, incidental events such as security breaches or service disruptions could be catastrophic to businesses or individuals.

Magic Link (Custodial EOA)

Magic Link is a seedless wallet that supports email and social login. After being authorized by Magic Link, clients download a copy of their private key from the custodian to log in to the account from new devices instead of using seed words. Magic Link outsources the encryption of the private key to an AWS HSM that serves the client directly, so that Magic Link does not store the private key in plain text.

Technically, Magic Link is equivalent to Metamask but with the added benefit of cloud custody that allows users to switch devices using online authentication. However, to bring the users the best experience, Magic Link operates the sole authentication server to grant access to the decryption key, making it a potential single point of failure in the workflow. Hackers or staff members, once they obtain access to the authentication server, could gain full control of a user’s account. Moreover, the decryption key might not be unique for each user, giving rise to the possibility of circumventing the authentication server using keys from other accounts.

Figure 2: Magic.Link (AWS Key Management Service)

We tested and evaluated Magic Link as integrated by Zerion and present our findings below.

Figure 3: Our evaluation of Magic Link

Gas fee: Low, as it is an EOA wallet

Latency: Low, the same as Metamask

Switch device: Easy, to transfer the private key to a new device with the access token (email/OAuth).

Security: Low. Single point of failure. Complete private key exposed to the server provider and front end

Non-custodial: Low. Highly dependent on the authentication server, therefore poor service availability and low censorship resistance

Functionality: Low. Not a smart contract wallet

Web3Auth (Distributed Custodial EOA)

Web3Auth is a popular wallet service that also supports social login, allowing users to authenticate themselves on various applications by connecting through a social site. It has been integrated by various Web2 and Web3 applications such as Chess.com, Opensea, and Skyweaver. Needless to say, social login is an attractive, and possibly the most seamless, authentication feature for any consumer-facing use case.

However, just like Magic Link, the social login workflow requires a server to generate the login request and sign it with an app key, and therefore must be centralized. Even though it is possible for a smart contract to verify the signature with the public key exposed to the authorization server, this is not a consumer-friendly process.

To mitigate the risk, Web3Auth added other keys to the OAuth key so that they collectively reconstruct the complete key for login. The three shares are first generated in a decentralized way using Shamir Secret Sharing (SSS) when users first log in with their social account (e.g. Gmail/Twitter). Then they are stored separately. As depicted in Figure 4, here is how the key shares are stored and used.

  • Device Share: generated and stored on the user’s device, must be recomputed on new devices

  • OAuth login share: generated on the OAuth server, then the share is further split in a network of nodes and retrieved once when the OAuth code is verified

  • Backup/2FA share: An extra share to be kept by the user, possibly kept on a separate device, cloud or email, needed to log in to new devices.

Figure 4: Web3Auth (Shamir Secret Sharing, social login)

Currently, both the OAuth key and backup key are controlled by Web3Auth through the Auth Network, which is used to reconstruct the complete private key. In services that have integrated Web3Auth, like Opensea and Sequence, users can authenticate their login directly through social login, without any other requirement, making Web3Auth the sole account custodian.

Web3Auth could potentially distribute the backup key to a third-party storage provider. In that way, when users log in from a new device, the backup key can be invoked to create a new device share in the environment. Delegating the storage of the backup key to a third party reduces the risk of security breaches and censorship. Bitizen.org is a good example of such a distributed custodian: it uses 2-of-3 TSS and the client’s own cloud drive to store the backup key share. The downside is a privacy concern, as it grants the service provider full access to the files in the client’s cloud drive.
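As an added illustration of the 2-of-3 split described above (example code written for this article, not Web3Auth’s implementation), the following Python splits a private-key scalar with Shamir Secret Sharing over the secp256k1 group order and reports which share combinations rebuild it. The share labels, the field choice and the sample key are assumptions; the point to take away is that any two shares held by one party, such as the OAuth and backup shares, are the whole key.

```python
import secrets

# Field prime for the shares: the secp256k1 group order, so any Ethereum
# private-key scalar is a valid secret (assumption: this field choice is ours).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample key for the demo, not a real wallet key
SAMPLE_KEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD

def split(secret: int, n: int, t: int) -> list:
    """Split `secret` into n shares; any t of them rebuild it, fewer reveal nothing."""
    assert 0 <= secret < N and 1 <= t <= n
    # Random polynomial of degree t-1 whose constant term is the secret
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod N
            y = (y * x + c) % N
        shares.append((x, y))
    return shares

def combine(shares: list) -> int:
    """Lagrange-interpolate the shares at x = 0 to recover the constant term.
    With fewer than t shares this still returns a number, just not the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % N
                den = (den * (xi - xj)) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret

def web3auth_style_demo(key: int) -> dict:
    """Label the three 2-of-3 shares as the article describes them and report
    which combinations rebuild the key (labels are ours, not the real layout)."""
    device, oauth, backup = split(key, n=3, t=2)
    return {
        "device+oauth": combine([device, oauth]) == key,   # normal login
        "oauth+backup": combine([oauth, backup]) == key,   # both held by one service
        "oauth alone": combine([oauth]) == key,            # a single share is useless
    }

if __name__ == "__main__":
    print(web3auth_style_demo(SAMPLE_KEY))
```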

Figure 5: Our evaluation of Web3auth

Gas fee: Low. Not a smart contract wallet

Latency: Low. Instant login

Switch device: Easy. Social login and password or just social login

Security: Low. Single custodian. OAuth alone is enough to log in. Complete private key exposed to the front end

Non-custodial: Low. Service is highly dependent on Web3Auth, with no censorship resistance

Functionality: Low. Not a smart contract wallet

Web3Auth has been tested using Treasure.chess.com and Skyweaver.net.

Particle Network (Distributed Custodial EOA)

Particle Network is another wallet service that features email or social login, using a 2-of-2 MPC-TSS-based algorithm. There are two parties in the key generation process, the client side and the official side, which jointly compute the public key, each holding a secret share of the private key. Only the client side can start the signing process.

During the signing, proof generated by TSS technology will be uploaded on-chain without showing the private key. When the client switches devices or recovers the account, the client invokes the client key stored on the cloud after authentication through email OTP or social login as shown in Figure 6.

Figure 6: Particle Network (MPC-TSS, social login)

The TSS multisig algorithm is more secure than SSS as it never generates a complete private key that could be exposed in the process. However, the 2-of-2 TSS scheme is not recoverable when one of the two shares is lost, exposing the account to a higher risk of being locked permanently.

Currently, Particle Network supports social login on new devices by allowing clients to download the client’s key stored on the cloud. The key is not protected by a password, leaving the service provider full access to the account.
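As an added illustration of why a 2-of-2 TSS flow never materializes the complete key, here is a toy two-party Schnorr signature over secp256k1: client and server each hold an additive share, exchange only public values, and the combined signature verifies under one ordinary public key. This is example code written for this article, not Particle Network’s protocol; production TSS schemes (typically ECDSA-based) add safeguards such as nonce commitments and zero-knowledge proofs that this toy omits.

```python
import hashlib
import secrets

# secp256k1: field prime P, group order N, base point G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, Pt=G):
    """Double-and-add scalar multiplication k*Pt."""
    R = None
    while k:
        if k & 1:
            R = add(R, Pt)
        Pt, k = add(Pt, Pt), k >> 1
    return R

def challenge(R, Y, msg):
    """Fiat-Shamir challenge e = H(R.x || Y.x || msg) mod N."""
    data = R[0].to_bytes(32, "big") + Y[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def verify(Y, msg, sig):
    """Ordinary Schnorr check s*G == R + e*Y: the verifier never learns that
    the key behind Y was split between two parties."""
    R, s = sig
    return mul(s) == add(R, mul(challenge(R, Y, msg), Y))

class Party:
    """A signer holding one additive share x_i of the key; x_i never leaves it."""
    def __init__(self):
        self.x = secrets.randbelow(N - 1) + 1
        self.Y = mul(self.x)                     # public share Y_i = x_i*G
        self.k = None
    def nonce(self):
        self.k = secrets.randbelow(N - 1) + 1    # fresh per signature; reuse leaks x_i
        return mul(self.k)                       # R_i = k_i*G
    def partial_sign(self, e):
        return (self.k + e * self.x) % N         # s_i = k_i + e*x_i

def two_party_sign(client, server, msg):
    """2-of-2 signing: Y = (x_c + x_s)*G, yet x_c + x_s is never computed.
    The server must cooperate for every signature, which is also why it can
    refuse, suspend or censor transactions (the custody trade-off above)."""
    Y = add(client.Y, server.Y)
    R = add(client.nonce(), server.nonce())      # (k_c + k_s)*G
    e = challenge(R, Y, msg)
    s = (client.partial_sign(e) + server.partial_sign(e)) % N
    return Y, (R, s)
```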

Figure 7: Our evaluation of Particle Network

Gas fee: Low, not a smart contract wallet.

Latency: Low, 2-of-2 MPC is quite efficient.

Switch device: Easy, email OTP or social login

Security: Medium, the complete private key does not exist, and there is no permanent exposure. Authentication for social login is still centralized

Non-custodial: Low. The server side can suspend service or censor transactions.

Functionality: Low. Not a smart contract wallet

The Particle Network wallet has been tested on their website: https://wallet.particle.network/

Sequence (Distributed Custodial Smart Contract)

Sequence is a multisig smart contract wallet that supports email or social login by delegating one of the three keys to Web3Auth. It allows developers to manage the security of the accounts with more flexibility. In addition, as a smart contract wallet, Sequence enables additional logic to improve UX in different use cases. It has been adopted in games and Web3 applications.

As shown in Figure 8, Sequence Wallets are currently secured using three private keys that are sufficient to create a majority weight to fully control the account: Session keys, a Guard key and a Torus key.

  • Session keys are stored in the browser’s IndexedDB.

  • A Guard key is a key owned by Horizon (Sequence server).

  • A Torus key (SSS) is a key generated by the Torus network, also known as Web3Auth; please refer to the previous section for its features.

Figure 8: Sequence (Smart contract, SSS)

Compared to Web3Auth, Sequence adds options for developers or clients to further distribute the custody. Currently, however, Sequence allows the social login to invoke both the Torus key and Guard key when logging into a new device to minimize friction.

Gas cost is an extra factor for smart contract wallets. Account creation, signing transactions, and reconstructing the keys all happen on-chain and therefore cost gas. The transaction signing cost is negligible, but account creation and key reconstruction cost $0.005 to $0.01 on Polygon, and about 1000x more on Ethereum, making smart contract wallets a much more viable solution on side chains and layer 2s in general.

Figure 9: Our evaluation of Sequence

Gas fee: Low to medium.

on Ethereum: 270k gwei, around $5–12 (gas price at 15–30 gwei, ETH at $1500) for the creation of the account

on Polygon: $0.0068–0.015 (gas price at 47 gwei, MATIC at $0.9) for the creation of the account

Latency: Medium; it usually takes about 15 seconds to sign in the first time; social login takes 10–20 seconds

Switch device: Easy. Social login

Security: Low. Single point of failure. In the current implementation, the Torus key alone is enough to log in

Non-custodial: Low. In the current implementation, the OAuth alone is enough to log in

Functionality: High. Sequence is a smart contract wallet and therefore supports additional account management logic.

UniPass (Distributed Passive Custodial Smart Contract)

UniPass is also a smart contract wallet wrapped on top of MPC key management. It shares all the great features of smart contract and MPC wallets. Compared to Sequence, it uses the DomainKeys of the guardian emails (DKIM) to authenticate reset requests instead of a guardian key and a social key. Clients can simply send emails from their predefined email accounts to reset the master key.

The mechanism of DKIM-based reset is that the client sends an email in a certain format; the content, which includes the email address, is hashed and signed by the sending domain’s DomainKeys, and the signed hash is then broadcast using any RPC service to invoke the reset function in the smart contract. The DomainKeys signatures of the guardian emails are verified on-chain, as shown in Figure 10.

Since authentication for DKIM can be done by sending an email, this approach does not involve any server that authenticates the request on behalf of the clients, effectively removing the centralization risk. The UniPass server currently does facilitate the reset process by drafting the recovery emails for the clients as well as providing the RPC service. But the client does not rely on the server, and the open-source front end can be hosted locally to skip the server entirely in the reset workflow.

Figure 10: UniPass DKIM recovery

The guardian emails can still be considered to play a custodian role in this design, but only passively, because the email service providers do not need to be notified of or recognize that role. This format significantly reduces the chance of the service provider being targeted by malicious attacks, internal or external, or being regulated as a custodian service. Access to the accounts is not only guarded by the security environment of the email services but also hidden in a stealth mode.

Due to the gas fee, clients usually log in to the account using 2-of-2 TSS keys without invoking the more costly functions of the smart contract. As depicted in Figure 11, to log in on a new device or environment, the client downloads the encrypted key from the cloud using an email OTP and decrypts it with the password. The key can then be used locally to initiate transaction signing. Once a transaction is signed by the client’s key, the other key held by UniPass is used to complete the signature. The UniPass key serves as a gatekeeper that automatically monitors the content of the transactions to check for potential front-end attacks.

Figure 11: UniPass 2-of-2 MPC-TSS Login Flow

Unipass also supports session keys, which are authorized to sign transactions on their own under predefined conditions, like under a certain transaction amount, within a short period of time, or to whitelisted addresses, thanks to the functionality of smart contracts. The use of session keys could greatly improve user experience in certain scenarios like gaming.

Figure 12: Our evaluation of Unipass

Gas fee: Low to Medium.

on Polygon: 80k–130k gwei for $0.0033–0.005 (gas price at 15–30 gwei, MATIC at $0.9) for the creation of the account

Latency: Medium

Switch device: Medium to high. Email OTP + password. Users cannot simply import accounts with social login

Security: High. Hackers need to compromise 2 emails (the relationships between addresses and emails are hidden by zk-tech) to access a client’s account, which is almost impossible.

Non-custodial: Medium to high. High service availability since clients can still access their wallet even if UniPass is out of service; the custodianship is not notified or recognized.

Functionality: High. UniPass is a smart contract wallet, so it can implement additional account management logic.

UniPass has been tested on https://v1.tryunipass.com/

Summary

As we are smoothing out the bumps in Web3 user conversion, more developers are realizing and attending to the key role of the wallet, and its role as an entry point of user traffic. Particularly after MPC and smart contract solutions expanded the design space, companies are drastically mitigating the severity of the tradeoffs between seedless key management and self-custody. The distributed custodial solutions, especially the passive custodial solution of Unipass, provide the most balanced UX and security features to the users and developers. They are likely to see much broader adoption with the arrival of a batch of Web3 consumer apps in the next 12 months.

Figure 13: Our evaluation of leading seedless wallet solutions across relevant metrics

This content is provided for informational purposes only, and should not be relied upon as investment advice. Youbi Capital is a digital asset venture capital fund and accelerator of Web3 technologies and therefore may hold positions in one or more of the companies and technologies mentioned.
