Original Author: Chen Li, Ivy Zeng, Ivo Entchev
Original source: Youbi Capital
For Web2 users who are new to Web3, the first-time experience is (to put it mildly) less than pleasant. A traditional EOA wallet requires a series of complex and cumbersome steps: wallet generation, private key management, and storing the mnemonic phrase. The next generation of mnemonic-less wallets tries to remove this friction by abstracting away private keys and mnemonic phrases: a few clicks to log in with a familiar Web2 social account gives users a login flow they already know. The mnemonic-less wallet is therefore an important step toward mainstream adoption of Web3.
One way for wallet providers to implement a mnemonic-less wallet is a fully centralized account-custody solution. However, this runs counter to the original intent of Web3 applications. The right solution should not buy the convenience of abstraction at the cost of users losing ownership and self-custody of their accounts. Rather, an appropriate balance should be struck between the two based on the needs of the user.
We are at the inflection point of bringing Web2 consumers to Web3, and the login process will be critical in the next phase of growth. It is therefore essential to build a login and account-management experience that is in line with the decentralized ethos of Web3 while offering the convenience and interoperability of Web2.
Trade-off: mnemonic-less key management vs. self-custody
All recent iterations of wallet products can be analyzed by how they pursue two main but intertwined properties: mnemonic-less key management and self-custody. Mnemonic-less key management is the foundation for seamless onboarding of new users to Web3: users do not need a seed phrase or private key to log into their account in a new environment, so onboarding and account management are abstracted away, much as in Web2.
Technically, this abstraction is achieved by the wallet provider delegating some control over the client's account to a server or third party. For example, Magic Link requires users to be authorized (by Magic Link itself) to access their encrypted key and decrypt it with a master key protected by a centralized custodial HSM service on AWS. Other approaches allow greater decentralization by splitting the private key into multiple pieces stored in different locations, which reduces the risk of exposing the entire key. Clearly, users must trade off between having no private key to manage and self-custody, which matters (if it is not entirely sacrosanct) to many cryptocurrency users, and for good reason. When wallet services rely on third parties, those third parties have the power to censor transactions and even take over assets. They may be subject to government regulation and intervention. Wallet services that rely heavily on a service provider are also more likely to be interrupted by malicious attacks or accidents.
Finding the right balance: a comparison of existing mnemonic-less wallets
Based on the above framework, we investigated some representative mnemonic-less wallets and analyzed them by their degree of self-custody and other relevant factors. These wallets are:
Magic Link, Web3Auth, Particle Network, Sequence, UniPass
Figure 1: Application of cloud computing, MPC and smart contracts in wallet design
EOA wallets such as Metamask, imToken, and Phantom are the most local and independent wallets, and of course the most cumbersome to use. Users need to learn how to keep their seed phrase or private key safe and how to use it to import the account on a new device. The account address is derived from the private key, so if the private key is lost or stolen, the account is permanently locked or inaccessible.
The most immediate alternative is a custodial service such as Magic Link. The custodian can grant account access via email or social login alone. However, the convenience of a custodial service usually comes with key-security and centralization risks.
More sophisticated approaches usually involve MPC (SSS, TSS), as in Web3Auth and Particle Network. By splitting the key into several parts, a login must be authenticated by multiple key holders, which decentralizes administration and reduces the risk of centralization.
In addition, some solutions combine smart contracts with MPC, introducing account-management logic that lets users reconstruct or reset the master key managed by MPC, further reducing centralization risk. The core of this account-management logic is the selection of so-called guardians, which allows deep customization and removes dependence on the wallet service provider or on any specific guardian.
Beyond the trade-off between mnemonic-less key management and self-custody, these mnemonic-less wallets can also be evaluated across six dimensions of user experience:
Gas fee: the on-chain gas cost of creating a smart contract account (the gas cost of regular use is close to that of an EOA wallet)
Latency: the time the account creation and import process takes (e.g. smart contract wallets usually take longer because of the on-chain step)
Device switching: how smoothly the user can move to a new environment or device
Security: whether a single point of failure exists, including whether any single party, such as the service provider or an integrating front end, can expose, reconstruct, or reset the complete key or credentials and gain full control of the account
Self-custody: service availability and censorship resistance (i.e. how dependent the wallet is on the service provider, and whether a custodian is able to access or freeze the customer's account)
Functionality: the ability to implement additional account-management logic (e.g. sponsored gas fees, multi-signature, delegated signing)
Magic Link (hosted EOA wallet)
Magic Link is a seed-phrase-less wallet that supports email and social login. Once authorized by Magic Link, a customer logging in on a new device can download a copy of their private key from the custodian, which avoids saving and using a mnemonic phrase. Magic Link outsources the encrypted private key to an AWS HSM that serves clients directly, so that Magic Link itself does not store the private key in plaintext.
Figure 2: Magic Link (AWS Key Management Service)
Figure 3: Our evaluation of Magic Link
Gas fee: Low, because it is an EOA wallet
Latency: Low, same as Metamask
Device switching: Easy; the private key is transferred to the new device with the access token (email/OAuth)
Security: Low. Single point of failure; the full private key is exposed on the front end
Self-custody: Low. High reliance on the authentication server, resulting in poor service availability and weak censorship resistance
Functionality:
Web3Auth (Decentralized Hosted EOA Wallet)
Web3Auth, a popular wallet service provider, also supports social login, allowing users to authenticate to various applications with their social accounts. Various Web2 and Web3 applications already integrate Web3Auth, such as Chess.com, OpenSea and Skyweaver. There is no doubt that social login is an attractive, if not the most seamless, form of authentication for any consumer-facing application.
However, just like Magic Link, the social login workflow requires a server to generate a login request and sign it with an application key, so it must be centralized. Although a smart contract could verify signatures using the public key published by the authorization server, this is not an end-user-friendly process.
To reduce the risk, Web3Auth adds further keys alongside the OAuth key and requires several of them to be combined to reconstruct the complete key. When a user logs in with a social account (such as Gmail/Twitter) for the first time, three key shards are generated in a decentralized manner through Shamir Secret Sharing (SSS) and stored separately. Here is how these shards are stored:
Device shard: generated and stored on the user's device, regenerated every time the user logs in on a new device
OAuth login shard: generated on the OAuth server, further divided and stored across the node network, and obtained only once the OAuth code is verified
Figure 4: Web3Auth (Shamir Secret Sharing, social login)
Currently, both the OAuth shard and the alternate shard are controlled by Web3Auth through its Auth network, and these two shards are enough to reconstruct the full private key. In services that integrate Web3Auth, such as OpenSea and Sequence, users authenticate and log in to the application through their social account with no other requirement, which makes Web3Auth the sole account custodian.
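The shard scheme described above, as an added example (not Web3Auth's code): a 2-of-3 Shamir Secret Sharing split over the secp256k1 scalar field, with shards labelled device, oauth and alternate. The key point it demonstrates is the one made in the paragraph above: any two shards reconstruct the full private key, so the pair of shards held by the service alone suffices, and whoever performs the reconstruction (here, the client front end) holds the complete key in memory. The shard names and the random key are constructed for the example.

```python
"""2-of-3 Shamir Secret Sharing over the secp256k1 scalar field (constructed example)."""
import secrets

# Order of the secp256k1 group: private keys are scalars in [1, N), so shares live in GF(N).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, threshold: int, n_shares: int, rng=secrets):
    """Random polynomial of degree threshold-1 with f(0) = secret; share i is (i, f(i))."""
    coeffs = [secret % N] + [rng.randbelow(N) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over GF(N). With fewer than `threshold`
    points this still returns a value, but it is unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def demo() -> dict:
    """Split a fresh key into device / oauth / alternate shards and show which subsets recover it."""
    key = secrets.randbelow(N - 1) + 1            # constructed private key
    device, oauth, alternate = split_secret(key, threshold=2, n_shares=3)
    return {
        # the two service-held shards are sufficient on their own: the service is a de facto custodian
        "server_pair_recovers": recover_secret([oauth, alternate]) == key,
        "device_plus_oauth_recovers": recover_secret([device, oauth]) == key,
        # a lone shard reveals nothing about the key
        "single_share_recovers": recover_secret([device]) == key,
    }


if __name__ == "__main__":
    print(demo())
```

Note that reconstruction is an all-or-nothing step: once two shards meet, the full scalar exists in the reconstructing party's memory, which is exactly why the evaluation below rates the front-end exposure as the main weakness of SSS-based designs.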
Figure 5: Our assessment of Web3Auth
Gas fee: Low. Not a smart contract wallet
Latency: Low. Login is immediate
Device switching: Simple. Social login plus password, or social login alone
Security: Low. Single custodian; the private key is fully exposed on the front end
Self-custody: Low. The service is highly dependent on Web3Auth and has no censorship resistance
Functionality: Low. Not a smart contract wallet
Particle Network (distributed custody EOA wallet)
Particle Network is another wallet service with email or social login; it uses a 2/2 MPC-TSS scheme. Two parties take part in key generation, the client and the Particle server: they jointly compute the public key and each holds its own share of the private key. Only the client side can initiate signing.
Figure 6: Particle Network (MPC-TSS, social login)
The TSS multi-signature algorithm is more secure than SSS because the complete private key is never exposed at any point in the process. However, in a 2/2 TSS scheme the loss of either key share is unrecoverable, which puts the account at a higher risk of being permanently locked.
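To make the two properties above concrete, here is an added example (not Particle Network's code) of 2-of-2 threshold signing on secp256k1. It uses Schnorr-style additive shares rather than the threshold ECDSA that Ethereum transactions actually need (two-party ECDSA requires extra machinery such as multiplicative-to-additive conversion and is assumed away here), but it shows the same two points: the joint secret x1 + x2 is never computed anywhere, and a client whose server share is gone cannot produce a valid signature. The curve point arithmetic, the message and the party names are constructed for the example.

```python
"""2-of-2 additive-share Schnorr signing on secp256k1 (constructed teaching model, not threshold ECDSA)."""
import hashlib
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def challenge(R, pub, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R.x || P.x || m) mod N."""
    data = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Party:
    """One signer (client or server). Its key share never leaves the object."""

    def __init__(self):
        self._x = secrets.randbelow(N - 1) + 1      # key share, generated locally
        self.pub_share = ec_mul(self._x, G)
        self._k = None

    def nonce_commit(self):
        self._k = secrets.randbelow(N - 1) + 1
        return ec_mul(self._k, G)

    def partial_sign(self, R, pub, msg: bytes) -> int:
        e = challenge(R, pub, msg)
        s_i = (self._k + e * self._x) % N
        self._k = None                               # a nonce must never be reused
        return s_i


def verify(pub, msg: bytes, sig) -> bool:
    """Standard Schnorr check: s*G == R + e*P."""
    R, s = sig
    if R is None or not 0 < s < N:
        return False
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, pub, msg), pub))


def cosign(client: Party, server: Party, msg: bytes):
    """Both parties contribute; the joint secret x1 + x2 is never formed."""
    pub = ec_add(client.pub_share, server.pub_share)   # joint public key P = (x1 + x2) * G
    R = ec_add(client.nonce_commit(), server.nonce_commit())
    s = (client.partial_sign(R, pub, msg) + server.partial_sign(R, pub, msg)) % N
    return pub, (R, s)


def demo(msg: bytes = b"constructed transaction payload") -> dict:
    client, server = Party(), Party()
    pub, sig = cosign(client, server, msg)
    # Server share lost: the client can only produce a partial s, which does not verify under P.
    R1 = client.nonce_commit()
    lone = (R1, client.partial_sign(R1, pub, msg))
    return {
        "valid": verify(pub, msg, sig),
        "tampered": verify(pub, b"a different payload", sig),
        "client_alone": verify(pub, msg, lone),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats belong with this model. First, the key shares are generated independently before either public share is exchanged; a production protocol adds key commitments or MuSig-style aggregation coefficients so that a party who sees the other's public share first cannot bias the joint key. Second, the "client_alone" result is the 2/2 failure mode the paragraph warns about: without a backup path for the server share, the funds behind pub are unreachable.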
Figure 7: Our evaluation of Particle Network
Gas fee: Low, not a smart contract wallet.
Latency: Low, 2/2 MPC is very efficient.
Device switching: Simple, email OTP or social login
Security: Medium. The full private key never exists and is never exposed, but verification for social login is still centralized
Self-custody: Low. The server side can suspend service or censor transactions.
Functionality: Low. Not a smart contract wallet
Our testing of the Particle Network wallet was at https://wallet.particle.network
Sequence (distributed escrow smart contract wallet)
Sequence is a multi-signature smart contract wallet that supports email and social login by delegating one of its three keys to Web3Auth. It gives developers more flexibility in managing account security. In addition, as a smart contract wallet, Sequence supports additional logic for different use cases to improve the user experience. Some games and Web3 applications have already adopted Sequence.
The Sequence wallet is currently secured with three private keys, which together are sufficient to reach the majority weight that gives full control of the account: the session key, a guardian key, and a Torus key.
The session key is stored in the browser's IndexedDB.
The guardian key is kept on Horizon (the Sequence server).
Figure 8: Sequence (smart contract, SSS)
Compared to Web3Auth, Sequence gives developers or clients the option of further decentralizing custody. Currently, when logging in on a new device, Sequence lets users invoke the Torus key and guardian key directly with their social account to reduce friction and improve the user experience.
Figure 9: Our evaluation of Sequence
Gas fee: Low to medium
On Ethereum: 270k gwei is about $5-12 (gas price 15-30 gwei, ETH at $1500) to create an account.
On Polygon: $0.0068-0.015 (gas price 47 gwei, MATIC at $0.9) to create an account
Latency: Medium; the first login usually takes 15 seconds, social login 10-20 seconds
Device switching: Simple. Social login
Security: Low. Single point of failure: in the current implementation, the Torus key alone is sufficient to log in
Self-custody: Low. In the current implementation, the Torus key alone is sufficient to log in
Functionality:
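The security and self-custody ratings above both hinge on one fact: in a weighted multisig, the weight assignment decides whether any single key can authorize on its own. The following added example (not Sequence's code) enumerates the minimal signer sets that reach a threshold and flags keys that suffice alone. The two weight configurations and the threshold are constructed for illustration; the page does not state Sequence's actual weights.

```python
"""Which signer subsets can authorize a weighted multisig? (constructed example)"""
from itertools import combinations


def authorizing_subsets(weights: dict, threshold: int) -> list:
    """Minimal signer sets whose summed weight reaches the threshold, smallest first."""
    names = sorted(weights)
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if sum(weights[n] for n in combo) < threshold:
                continue
            if any(set(f) <= set(combo) for f in found):
                continue            # a smaller subset already suffices, so this one is not minimal
            found.append(combo)
    return found


def single_points_of_failure(weights: dict, threshold: int) -> list:
    """Keys that can authorize alone: compromising one of them is a full account takeover."""
    return [combo[0] for combo in authorizing_subsets(weights, threshold) if len(combo) == 1]


# Constructed configurations using the three key roles named on the page.
BALANCED = {"session": 1, "guardian": 1, "torus": 1}        # any two keys needed
TORUS_DOMINANT = {"session": 1, "guardian": 1, "torus": 2}  # the Torus key alone suffices
THRESHOLD = 2

if __name__ == "__main__":
    for label, cfg in (("balanced", BALANCED), ("torus-dominant", TORUS_DOMINANT)):
        print(label, authorizing_subsets(cfg, THRESHOLD),
              "single points of failure:", single_points_of_failure(cfg, THRESHOLD))
```

Running this against a real wallet's on-chain configuration (the weights and threshold are public state in a smart contract wallet) is a quick way to audit whether a custodian-held key is, by itself, sufficient to move funds.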
UniPass (Distributed Passive Custodian Smart Contract Wallet)
UniPass is also a smart contract wallet built on MPC key management, inheriting the strengths of both smart contract and MPC wallets. Compared to Sequence, it authenticates reset requests with the DKIM domain key of the guardian's email provider instead of a guardian key and a social key: users simply send an email from their pre-set guardian email account to reset the master key.
The DKIM-based reset mechanism works as follows: the user sends an email in a prescribed format; the email content, which contains the email address, is hashed and signed by the provider's DomainKeys (DKIM) key; any RPC service is then used to broadcast the signed hash and call the smart contract's reset function, which verifies the domain-key signature of the guardian email on chain, as shown in Figure 10.
Figure 10: UniPass DKIM recovery
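The recovery flow just described, as an added example that is not UniPass's code: a mail provider signs the canonicalized headers of a recovery email with its domain key, and an on-chain-style verifier checks that signature against the domain's published key, checks that the sender is the registered guardian, binds the request to the wallet and the new key, and rejects replays. The RSA key (two small Mersenne primes), the simulated DNS record, the email format, the addresses and the salted-hash stand-in for the zk link between mailbox and wallet are all constructed assumptions; real DKIM uses 1024/2048-bit keys with PKCS#1 padding, and a salted hash (unlike a zk proof) can still be dictionary-guessed by anyone who can read the chain.

```python
"""Toy model of a DKIM-gated account recovery check (constructed example)."""
import hashlib
import re

# Toy RSA key for the guardian's mail provider (two Mersenne primes; real DKIM keys are far larger).
_P, _Q = 2**61 - 1, 2**89 - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

# Simulated DNS: <selector>._domainkey.<domain> TXT record -> public modulus.
DNS_DKIM = {"mail._domainkey.guardianmail.example": RSA_N}


def dkim_signable(headers: dict) -> bytes:
    """Relaxed-style canonicalisation of the signed header set (simplified)."""
    return "\n".join(f"{k.lower()}:{headers[k].strip()}" for k in ("From", "To", "Subject")).encode()


def _digest_int(headers: dict, n: int) -> int:
    return int.from_bytes(hashlib.sha256(dkim_signable(headers)).digest(), "big") % n


def mail_provider_sign(headers: dict) -> int:
    """What the sending domain's DKIM signer does (textbook RSA, no padding: toy only)."""
    return pow(_digest_int(headers, RSA_N), RSA_D, RSA_N)


def dkim_verify(headers: dict, sig: int, dns=DNS_DKIM) -> bool:
    """Look up the From domain's key and check the signature over the canonical headers."""
    domain = headers["From"].split("@")[1]
    n = dns.get(f"mail._domainkey.{domain}")
    return n is not None and pow(sig, RSA_E, n) == _digest_int(headers, n)


class RecoveryContract:
    """Stand-in for the on-chain reset function: stores only a salted hash of the guardian address."""

    def __init__(self, wallet: str, guardian_email: str, salt: bytes):
        self.wallet, self.salt = wallet, salt
        self.guardian_hash = self._hash_email(guardian_email)
        self.used_nonces = set()
        self.master_key = "old-master-key"

    def _hash_email(self, email: str) -> str:
        return hashlib.sha256(self.salt + email.lower().encode()).hexdigest()

    def reset(self, headers: dict, sig: int, new_key: str) -> bool:
        if not dkim_verify(headers, sig):                      # 1. provider really signed it
            return False
        if self._hash_email(headers["From"]) != self.guardian_hash:   # 2. sender is the guardian
            return False
        m = re.fullmatch(r"RESET (\S+) (\S+) (\S+)", headers["Subject"].strip())
        if not m:                                             # 3. prescribed format
            return False
        wallet, key_hash, nonce = m.groups()
        if wallet != self.wallet or nonce in self.used_nonces:   # 4. right wallet, no replay
            return False
        if hashlib.sha256(new_key.encode()).hexdigest() != key_hash:   # 5. request binds the new key
            return False
        self.used_nonces.add(nonce)
        self.master_key = new_key
        return True


def demo() -> dict:
    contract = RecoveryContract("0xWALLET-constructed", "alice@guardianmail.example", b"salt-constructed")
    new_key = "new-master-key"
    subject = f"RESET 0xWALLET-constructed {hashlib.sha256(new_key.encode()).hexdigest()} nonce-1"
    mail = {"From": "alice@guardianmail.example", "To": "recover@wallet.example", "Subject": subject}
    sig = mail_provider_sign(mail)
    legit = contract.reset(mail, sig, new_key)
    replay = contract.reset(mail, sig, new_key)               # same nonce again
    tampered = dict(mail, Subject=subject.replace("nonce-1", "nonce-2"))
    forged = contract.reset(tampered, sig, new_key)           # signature no longer matches
    impostor = dict(mail, From="alice@other.example")
    wrong_domain = contract.reset(impostor, mail_provider_sign(impostor), new_key)  # no DNS key
    return {"legit": legit, "replay": replay, "forged": forged, "wrong_domain": wrong_domain,
            "master_key": contract.master_key}


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks matters for the threat model in the text: the signature check comes first so that nothing downstream trusts a From header an attacker could type, the nonce prevents a captured recovery email from being rebroadcast through a different RPC, and the request carries a hash of the new key so that whoever relays the email cannot substitute their own key.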
In this design, the guardian email can still be regarded as playing the role of custodian, but it is a passive one: no specific service provider takes part in the process, so there is no censorship risk. This approach greatly reduces the risk of the service provider being compromised by internal or external attackers, and reduces the possibility of the custodial provider being censored. Access to the account is not only protected by the security of the email service but is also invisible to the outside world: the association between the email address and the account is hidden with zk technology, so no one knows which mailbox corresponds to your wallet.
Figure 11: UniPass 2/2 MPC-TSS login process
Figure 12: Our assessment of Unipass
Gas fee: Low to medium. The cost of creating an account on Polygon: 80k-130k wei is $0.0033-$0.005 (gas price 15-30 gwei, MATIC at $0.9)
Latency: Medium
Device switching: Medium. Email OTP + password; users cannot simply import accounts through social login
Security: High. An attacker would need to compromise two emails (the relationship between address and email is hidden by zk technology) to get into the customer's account, which is almost impossible.
Self-custody: Medium. High service availability: even if UniPass officially ceases service, customers can still access their wallets; no custodian observed.
Functionality:
Summary
