Paris-based crypto hardware wallet provider Ledger found itself in hot water on May 16 after revealing plans to introduce Ledger Recover, an optional, paid subscription service for Ledger Nano X wallet holders that provides a seed phrase recovery system involving third-party custodians. Ledger touted the new feature as an innovation that would allow crypto and NFT holders to recover their assets in the event of a lost or forgotten seed phrase.
But the announcement was severely criticized by a portion of the Web3 community, who claimed that the firmware update that enables the service to exist goes against Ledger’s longstanding policy (and main selling point) that guarantees a user’s private key will never leave the device.
As a result, on May 23, Ledger announced that it’s postponing the launch of its key recovery feature. In a letter to Ledger users, CEO Pascal Gauthier apologized for the “unintentional communication mistake” and emphasized that Ledger will work with the community to “do this together, in the right way.” He added that Ledger will publish all of its code before introducing the new feature. Ledger also hosted a community AMA on Twitter on May 23 to directly address comments and concerns from users.
Here’s everything you need to know about Ledger Recover and the ongoing controversy.
The Ledger controversy
Valued at over $1 billion and with an estimated annual revenue of over $53 million, Ledger is one of the world’s most well-known and popular providers of hardware wallets. The company’s hardware wallets, often referred to as “cold storage” devices, are USB thumb-drive-like tools that offer a highly secure way to store cryptocurrency. They are considered superior to their “hot wallet” counterparts, such as MetaMask and WalletConnect, which are generally easier to use but have the downside of storing private keys online, exposing them to far greater risk.
Setting up a Ledger wallet involves creating a unique seed phrase, a collection of randomly generated words that constitute the private keys associated with crypto wallets. This system, while secure, has usability drawbacks. Losing the seed phrase means losing access to the funds, and if it falls into the wrong hands, it could lead to wallet compromise.
For years, Ledger has marketed its wallets on the idea that users’ assets are safe because their private keys never leave their devices. So, it came as a surprise to many in the Web3 community when the company confirmed plans for an optional paid subscription service.
In essence, Ledger Recover encrypts a user’s seed phrase and shards it into three parts, each shared with a different custodian. Ledger is one of those custodians, with Coincover and EscrowTech, (a crypto custody and code escrow company, respectively) being the others.
“If you choose to subscribe, Ledger Recover encrypts a version of your private key and splits it into three fragments (using Shamir Secret Sharing) — all of this happens on the Secure Element chip, so your Secret Recovery Phrase is not at risk,” wrote the company in the Twitter thread accompanying the video. If a user loses or forgets their private key, they will go through an identification confirmation service to recover and restore it.
A champion of security advertising a device that houses a completely untouchable and immovable private key and then suddenly announcing that the key actually could be accessed and shared with third parties did not sit well with much of the Web3 community.
Similarly upsetting was the fact that, to take part in the service, users would need to provide a government-issued ID if they wished to subscribe to Ledger Recover.
In the midst of the backlash, Ledger hosted a Twitter space (that was attended by more than 48,000 people) to address the controversy. Guillemet, company co-founder Nicolas Bacca, Chief Experience Officer Ian Rogers, and Gauthier took turns fielding questions from an agitated and curious community.
“Each shard [is stored with] each partner,” Guillemet clarified in the space. “Whenever you want to recover, you go through your account, through those partners as well, and an ID identification process to make sure it’s you. The two partners verify it’s you, if there is any doubt, the process is stopped. There is plenty of different mitigation and measure to make sure you are the one recovering your seed.”
The team also made it clear that they plan to open-source the code for the service in the future, letting users see how it works and even use it to make their own version if they want.
Gauthier leaned into the company’s new development in no uncertain terms. Responding to criticisms that Ledger has been proven untrustworthy in the past and that Ledger Recover goes against the desires of the crypto community, Gauthier said, “People that get upset with these products don’t realize there are hundreds of millions of people who have many ways of backing up their seed in many ways that are very insecure.”
“This is what our future customers want. I’m sorry, but the piece of paper is a thing of the past. There is no compromise in our security. I see people on Twitter saying they are sure this will be hacked in the next six months. Ok, well, let’s see. When you have a track record of excellence, you know you can trust the next move to be very similar.”
Ledger Recover’s risks
The key issue surrounding the controversy is whether or not users who choose not to opt into the service will have a backdoor opened up via a firmware update to their private keys that hackers could potentially leverage. And, while Bacca did admit during the Twitter space that those who opt into the service technically open themselves up to a new attack vector, some in the Web3 community believe that those who don’t subscribe to the service really don’t need to worry.
Those who believe skeptics are overreacting have pointed to the fact that Ledger wallets are inherently upgradable to quell fears about their accessibility and security, as well as to provide clarity on the basics of how wallets work to begin with. Without the capability to be upgraded, hardware wallets would lose their functionality, as blockchains themselves upgrade over time, and any device interacting with the blockchain needs to be able to adapt accordingly.
If a Ledger were an un-upgradeable box with a private key inside, then it would need every algorithm that every blockchain will ever use already available inside the box. And if they didn't think to include a newer algorithm, you'd have to throw it away and buy a newer model.— Haseeb ＞|＜ (@hosseeb) May 17, 2023
Now, by making the code for the Recover feature open-source, Ledger will allow users to independently assess the security of the proposed custody mechanism. This enables users to conduct their own audits and see for themselves whether they believe in the safety of the feature.
“I’d like to recall first that most of our code is already Open Source. When it comes to firmware, we’ve recently open-sourced our cryptolib, our SDK is OSS for years, and all our apps are already OSS. But we want to go further,” Ledger CTO Charles Guillemet said in the AMA.
However harmless the subscription service may or may not be, it illustrates the challenges of communicating new features in Web3’s rapid-response environment. The Ledger Recover controversy, like many before it, also brings to light the ongoing struggle faced by blockchain-centric organizations; striking a balance between user experience and upholding the core principles of the crypto community is a challenging task.