Ledger Bats Back Criticism of New Wallet Recovery Service

Crypto wallet maker Ledger came under fire this week for its new “Ledger Recover” feature, with some posters on Twitter arguing that the service – which stores encrypted user seed phrases with third-party custodians – undermines Ledger’s stated commitment to privacy and security.

During a Twitter Space session, Ledger CEO Pascal Gauthier defended the offering.

“You’re saying this is not what customers want. Actually, this is what future customers want,” he said. “This is the way that the next hundreds of millions of people will actually onboard to crypto.”

The incident underscores the long-simmering tension between blockchain-focused companies looking to attract new users and ideologically minded segments of the crypto community: It can be difficult to square user experience with core ideals.

Ledger Recover

Ledger is a Paris-based provider of crypto hardware wallets – “cold storage” devices that link a person’s crypto to a USB thumb drive. Compared to browser-based “hot wallets” like MetaMask which stay connected to the internet at all times, or exchanges like Coinbase and Binance which hold crypto on customers’ behalf, hardware wallets are considered the most secure way to hold crypto.

When a person sets up a wallet, they are given a random string of words, called a seed phrase, that serves as a secret wallet recovery key. Users are instructed to write the phrase down and hide it away somewhere safe.

But the seed phrase system has some obvious user experience issues: if a person loses the phrase, they have no options for recovering their funds. And just as the phrase can be used to recover a wallet, it can be used to crack a wallet if it falls into the wrong hands.

On Tuesday, Ledger confirmed speculation that it was introducing an optional, $9.99 per-month seed phrase recovery service for owners of its Nano X wallet. The service, Ledger Recover, offers a way for people to secure their speed phrases without worrying about losing a slip of paper.

“When you subscribe to Ledger Recover, a pre-BIP39 version of your private key is encrypted, duplicated and divided into three fragments, with each fragment secured by a separate company—Coincover, Ledger and an independent backup service provider,” Ledger explains on its website. “Each of these encrypted fragments is useless on its own. When you want to get access to your wallet, 2 of the 3 parties will send fragments back to your Ledger device, reassembling them to build your private key.”

Community backlash

A segment of Crypto Twitter responded to news of the feature with outrage – alleging that splitting the (encrypted) key to third parties could leave it vulnerable – thus undermining the entire purpose of a hardware wallet versus alternative storage options.

Users took particular issue with the requirement that Ledger Recover customers provide a government-issued ID to the company should they wish to use the service. For some in the crypto community, this step violates core crypto tenants around privacy.

“Sure, you *could* use Ledger’s new ‘Recover’ service and give them your private keys controlling your assets as well as a copy of your ID and other personal information,” tweeted Alistair Milne, a bitcoin investor with a large following on Twitter, “but why then bother with a hardware wallet in the first place?”

Some critics used the update as an opportunity to bash Ledger’s security record. In 2020, the company suffered from a data breach that exposed the emails of nearly 10,000 customers. Although no wallets were compromised as a result of the attack, the incident left a bad impression of the firm’s security practices with its tech-minded user base.

“Ledger, the company that has experienced multiple security breaches that exposed the personal information of hundreds of thousands of its customers, now wants you to export your private keys from your hardware wallet and give fragments to them, Coincover, and an unnamed third party, where any two can siphon funds,” tweeted ChainLinkGod.eth, a community ambassador for the crypto infrastructure firm, Chainlink. “To facilitate recovery, they need you to dox yourself and give even more of your personal information, allowing anyone with your identity documents (e.g. from other data breaches) to take your funds. This seems… poorly thought out.”

Ledger responds

On a Twitter Space responding to concerns around the service, Ledger’s leadership defended its security practices, emphasized that the new recovery service was completely optional, and denied allegations that its new service amounted to any sort of a “backdoor.”

“It’s not a backdoor at all. You stay in control. Nothing will happen without your consent on-device,” said Ledger Co-founder Nicolas Bacca, adding that the team plans to open-source its code in the future so that users can see how Ledger’s recovery service safely encrypts user data and operates securely under the hood.

“People have had a lot of fear, which is perhaps unjustified,” said Ian Rogers, Ledger’s chief experience officer. Rogers emphasized that Ledger was making its recovery service fully optional and was transparent about partnerships with third-party custodians. “As a consumer, you have a choice. And you should know who it is that you’re trusting.”

Gauthier reiterated that its recovery feature was a necessary step for attracting new crypto users. “I’m sorry, but the piece of paper is a thing of the past and Ledger Recover is a thing of the future,” he said. “There is no compromise to security.”

Gauthier also responded to critiques of Ledger’s track record.

“I’ve seen a lot of people on Twitter saying like, ‘Oh, I’m sure this will be hacked in the next 12 months.’ OK, let’s see.” Gauthier said. He added that the company has “6 million devices on the market,” and it “hasn’t been hacked, hasn’t been compromised” and has “no backdoors installed.”

If Ledger ever gets hacked, “any sort of credibility or reputation in the company will be at stake,” Gauthier said. “So of course we’re not gonna make those kinds of mistakes.”

DISCLOSURE