Let us know what you think nostr:note1sgnpr4hayw20y646tstgc4fhnz40lzngmvskm4j66l2qr229cjyszmudd3
Discussion
Not a fan of the seedless approach myself.
In multisig too?
I thought Jack had reposted their article from yesterday about seed phrases (https://bitkey.build/seed-phrases-are-sharp-edges/) and responded before I saw it was a new article about hardware device screens.
I don’t agree with all the reasoning in that seed phrase article. Ultimately, someone has to control the seed. If the user doesn’t keep a copy themselves, then they’re deferring trust somewhere else.
“Seedless” custody generally puts a lot of trust in the device securing that seed. Without a seed backup, hardware failures are catastrophic for singlesig setups. I would never do seedless unless it were multisig. But even with seedless multisig, losing a device means you have to deal with a more complicated key rotation process, rather than just recovering the same seed into a new device.
In Block’s Bitkey setup, it sounds like it’s seedless multisig “until you need to export the seed”. It’s yet to be seen how sovereign that recovery can be or if you’ll have to ultimately get permission to access a seed or move to a different multisig coordinator. It sounds prone to lock-in, but I’d need to read more about the technical details to know.
There are trade-offs to various approaches, and I don’t think their seed phrase article properly highlights those trade-offs.
—
But like I said, the article Jack linked in the OP is a different topic - hardware device screens. It seems pretty well reasoned, but I only skimmed it. I don’t know if I agree with all the listed attack vectors and risks associated with over-reliance on device screens. I prefer a screen on the device, but screenless might work well enough in their setup, since it’ll have a server-side component to help verify data.
Regardless, it’s a unique approach, and I’m interested to see how it develops. Will probably be a good onboarding option for less technical people.
Thanks for the feedback! When we share details of the key portability feature I’d love to hear what you think. You’re right that in multisig there are ways to recover from losing a device without needing the seed, and we’re trying to make that easy for the owner to do using the other device in the multisig setup. You can read more about this in another one of our posts: https://bitkey.build/losing-your-keys-without-losing-your-coins/
Everything’s about trade-offs, and it sounds like your team is working hard to balance them. I’m sure it’ll check the boxes for quite a few people, and I’m excited to try it out myself!
This is bullish
Is there a way to back up the device?
Love the device, but I’m sorry to say Bitkey is not a very good name.
Clickmoney
Fortress
Pebble
Rock
Dot
.
The “address possibly being compromised at many different points so the screen can’t help you point” is rarely acknowledged, glad to see that was covered. The server approach is pretty cool. Now I’m wondering if you could do it without the server: think signal safety numbers but for hww’s 🤔 not sure if possible but would be cool.
I think trusting a third party server is a joke. It's not hard to verify an address from the source and avoid any clipboard malware.
Don’t think you need a screen on the hardware (or the “server as a screen” option) to check for clipboard malware - you can catch that on the device you’re doing the copying on
I personally like the screen on the HW because I can verify an address there, offline, and sign it before sending it back online to post. Once the correct address is signed there is no way to change it, so I know the transaction is correct. Without the screen I won't be able to check it until it's back on a device with a screen that is probably online.
What do you usually compare it against? Curious both about what type of device you’re using with your hardware wallet and what specifically you’re usually comparing the wallet screen to
I was using a ledger, but I just moved my coins off that to my phone's bluewallet. I compare the address on the screen to the address in the bluewallet app. I have a passport on the way, which actually bypasses the entire clipboard issue by allowing you to scan QR codes.
Not 100% sure I understand your setup, but seems like probably one of these:
If it’s bluewallet on your phone plus Ledger: If your phone is sufficiently compromised, you can’t trust the address shown in bluewallet, or the QR code you’re scanning.
If it’s desktop plus bluewallet on your phone: if your desktop is sufficiently compromised, you can’t trust the address there, or a QR code scanned from there…
I don't think blue wallet itself can become compromised unless blue wallet pushes an update through the app store themselves. If they did and I was given fake addresses in the app then no amount of checking the address, whether server or on a screen, is going to catch it.
I think I'd like to know when I can buy one.
Wouldn’t it be possible to write an identity (i.e. the name of a company or a person) on top of a sat turning the sat into a unique NFT? Each NFT only exists once, secured by Bitcoin network itself. Then, if a sender wants to send Bitcoin, he/she types in the name of the receivers’ NFT and the transaction automatically is sent to the wallet that holds the receivers’ NFT. If an entity ever sends his/her/its NFT out of the own wallet, it automatically turns into a normal fungible sat again. Also the maximum amount of sats that could be turned into identity NFTs should be defined. Maybe that’s stupid, and I don’t know if that would be possible at all, but I was just thinking as a non-tech guy.
Anything that depends on a 3rd party server that the user directly doesn’t control is a bad design choice for a HWW. For sure the screen doesn’t exactly help in a lot of ways, but relying on a 3rd party server just adds more risk to the users’ security model. My 2 cents.
What do you think about this solution? https://foundationdevices.com/2023/05/announcing-envoy-wallet-bitcoin-simplified/
This is incredibly interesting. I'm curious if BitKey server would be FOSS and self-hostable. I would 100% use a solution like this (perhaps with a multisig wallet between my phone and my BitKey instance) and never squint at a screen again.
i don't think a screen is necessary.
there's a time and a place for 3rd party - pow isn't one of them. it's like deciding a personal relationship shouldn't be 2 souls/2 bodies/2 whole people only.
simple always triumphs.
As a non-technical bitcoiner, I’m pretty impressed with the approach the team has taken to make Bitkey simple yet a secure way to store private keys as well as this open communication about the design. But then again I’m not as experienced as many of the hardcore bitcoiners, probably more in line with the mass market you’re targeting. Very keen to test the real thing once you guys open up for betas!! 🙏 🔑 ⚡️
Rockey!!🪨💜
