The Future of Your Crypto Security
Krystal last edited by
Security is hard. And if you want proof, just try asking the many people who have lost their crypto wallets or keys over the years, or the numerous exchanges that have been hacked.
But as crypto matures, it comes as no surprise to hear that new security solutions for the industry are emerging, from multi-party computation (MPC) and multi-signature authentication to new hardware wallets.
And beyond simply promising to make the storing of crypto and the authentication of transactions more secure, they also promise to streamline the whole process of securely using digital assets.
MPC: what and why?
One of the most prominent companies working in the area of secure multi-party computation is ZenGo. Its CEO, Ouriel Ohayon, explains to Cryptonews.com that the Israel-based company’s technology "replaces the traditional private key used in a non-custodial wallet, with distributed security between your phone and our server in such a way that the funds are not subject to a single point of failure."
Put crudely, ZenGo's technology – and MPC more generally – breaks up an address' private key into at least two fragments, which have to be combined in order to authorize transactions, and which can't be accessed by any single party. And because users don't have to record and retain a private key, ZenGo argues that this makes security easier and more convenient for the average crypto holder.
"It enables us to build a seamless onboarding experience, a password-free security architecture and prevent traditional attacks or human errors," says Ohayon.
"When a user opens an account in ZenGo, no private key is ever generated. There is nothing to write, remember or lose. Instead, ZenGo generates distributed secret shares on the phone and the server randomly rotating that together, without ever 'meeting' even when a transaction is signed. We call that Keyless security."
Other companies are moving into MPC, underlining its promise. For instance, Unbound provides its MPC solutions to a range of enterprises and financial institutions, while Fireblocks uses a combination of MPC and hardware-based security, as explained to Cryptonews.com by CEO and co-founder Michael Shaulov.
"We use MPC with Secure Enclave (which is a new form of hardware security model), where we both don't have a single point of compromise and each one of the key-shares is actually stored in a hardware-isolated Secure Enclave," he says.
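The idea of two shares that sign together without ever being combined, and that can be rotated, is easier to see in code. The following is an added example, not code from the article or from ZenGo, Unbound or Fireblocks: a simplified two-party Schnorr-style signature over a toy group, with both parties simulated in one process. The group parameters and all function names are assumptions made for illustration, and production MPC protocols add nonce commitments and zero-knowledge proofs that are omitted here.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P and Q prime, and G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen_share():
    """A party draws its share locally and publishes only G^share."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def joint_public_key(y_phone, y_server):
    """Public key of the never-assembled private key x_phone + x_server."""
    return (y_phone * y_server) % P

def challenge(R, message):
    digest = hashlib.sha256(f"{R}|{message}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def partial_sign(x_share, k_share, e):
    """Computed by one party from its own key share and nonce share only."""
    return (k_share + e * x_share) % Q

def two_party_sign(x_phone, x_server, message):
    # Each party picks a nonce share and sends only G^k to the other side.
    k1, k2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    R = (pow(G, k1, P) * pow(G, k2, P)) % P
    e = challenge(R, message)
    # Only the partial signatures are exchanged and added, never the shares.
    s = (partial_sign(x_phone, k1, e) + partial_sign(x_server, k2, e)) % Q
    return R, s

def verify(y, message, R, s):
    return pow(G, s, P) == (R * pow(y, challenge(R, message), P)) % P

def refresh(x_phone, x_server):
    """Rotate both shares by a jointly chosen offset; their sum is unchanged."""
    d = secrets.randbelow(Q - 1) + 1
    return (x_phone + d) % Q, (x_server - d) % Q

if __name__ == "__main__":
    (x1, y1), (x2, y2) = keygen_share(), keygen_share()
    y = joint_public_key(y1, y2)
    R, s = two_party_sign(x1, x2, "send 0.1 BTC")
    print("valid before rotation:", verify(y, "send 0.1 BTC", R, s))
    x1, x2 = refresh(x1, x2)
    R, s = two_party_sign(x1, x2, "send 0.1 BTC")
    print("valid after rotation: ", verify(y, "send 0.1 BTC", R, s))
```

The public key stays the same across rotations, while a share captured before a rotation no longer adds up to the key when paired with the other party's current share.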
What about multi-signature authentication?
Multi-signature authentication is another security solution that's gaining increasing prominence. For instance, the custody startup Casa upgraded its Keymaster app in February to include such authentication, while in the last year companies such as VersaBank and BitGo have been rolling out multi-signature-based services for exchanges and institutional investors.
As the name implies, multisig works by requiring the owner(s) of a wallet to use several private keys in authorizing transactions, making it harder to hack than a wallet that uses only one. However, ZenGo's Ouriel Ohayon argues that it's not always as secure as MPC.
"MPC offers three main advantages compared to MultiSig," he says. "1. It's blockchain agnostic when MultiSig is only proven on BTC and in some way in ETH (with many imperfections). 2. Signatures are private before they reach the blockchain, whereas in MultiSig you need to expose every transaction part of the chain. 3. MPC is cheaper, precisely because of the privacy."
A strong rise in popularity is also being enjoyed by hardware security modules (HSMs), with the Blockchain Lockbox, Sony’s IC card patent, and the Archos Safe-T mini being some of the most recent examples. They are gaining adoption, with at least 1.3 million Ledger wallets being sold to date, but while they keep your private keys offline, they still remain vulnerable to compromise.
"Unfortunately, even the top tier HSMs that are manufactured by Gemalto/Thales can be hacked," says Michael Shaulov, whose argument is reinforced by the recent news that Ledger researchers demonstrated how to remotely gain access to the keys stored on HSMs. (Digital security company Gemalto, which was acquired by tech giant Thales in 2019, is a Ledger partner.)
Added to this, there's also the fact that HSMs have to communicate vulnerable info to and from connected devices and applications, making them only as secure as the computers with which they’re used.
Threats and the future
There is, then, a real sense that MPC is the strongest of the emerging security technologies that can be added onto Bitcoin and other cryptocurrencies. However, even its strongest advocates admit that it isn't 100% foolproof.
"There are of course potential weaknesses at the code level," Ouriel Ohayon admits, "but we took great care to run a couple of security audits (with more to come) and open source all our cryptography – which is not very common in the MPC space."
Secondly, Michael Shaulov explains that MPC users also need to pay attention to how "the wallet is being accessed and what is the policy. For example, if one of your MPC shares is hosted in the browser and the policy is weak, if hackers compromised your machine it's game over as well."
These warnings aside, ZenGo, Fireblocks and other firms are confident that MPC will become standard throughout the crypto industry over the next year or two. That said, Michael Shaulov doesn't believe it represents the “end game” for cryptocurrency security, so more technologies are likely to emerge in the near future.
"We still have two additional areas of vulnerabilities that must be solved, such as how we handle and authenticate deposit addresses and how we protect credentials."