Coinbase, a cryptocurrency exchange center based in San Francisco, announced that users of its Coinbase Wallet (wallet) can now back up their private keys in the cloud storage, specifically in Google Drive and iCloud.
The measure has received a mixed reaction from crypto communities and experts in cybersecurity, some of whom seem skeptical about the idea of storing private keys on centralized servers. Others rely on the new feature, highlighting that it entails encryption.
A brief introduction to Coinbase Wallet, formerly known as Toshi
Coinbase Wallet differs from the main application, Coinbase (or Coinbase.com). With the latter, the cryptocurrencies purchased by the customer and their private keys are stored by Coinbase. With Coinbase Wallet, in turn, users store their own cryptocurrency protected by their unique private keys. These keys are supposedly protected with Secure Enclave and biometric authentication technology.
Back to basics
Initially, Coinbase developed Toshi, a decentralized application (DApp) of open source navigation focused on mobile devices and the Ethereum (ETH) wallet that was launched in April 2017. The project was inspired by the Chinese mobile payment application WeChat and had a built-in messaging support and reputation system, which allowed users to rate other users and applications within the platform. According to its developers, Toshi intended to provide financial services to people in developing countries, especially the unbanked population. It was also supposedly the first wallet to throw collectible cryptos.
A year later, in April 2018, Coinbase merged Toshi with its recently acquired Cipher Browser, a decentralized similar navigation application and a wallet for the ETH block chain. The creator and sole developer of Cipher, Pete Kim, became Toshi’s chief engineer, joining Sid Coelho-Prabhu, the product leader of Coinbase for the DApp project.
In August of 2018, Toshi was rechristened to become Coinbase Wallet. The official announcement said:
“This is not just a new name, but part of a greater effort to invest in products that will define the future of the decentralized website and make that future accessible to all. […] With Coinbase Wallet, your private keys are protected with the Secure Enclave and the biometric authentication technology of your device. ”
Therefore, at that time, Coinbase Wallet supported the management of ETH and ERC-20 tokens, airdrops, trade and storage of crypto-collectables, as well as access to DApps and decentralized exchanges, among other things. According to the post of Medium of the firm published at that time, Coinbase Wallet would begin to be compatible with Bitcoin (BTC), Bitcoin Cash (BCH) and Litecoin (LTC) “very soon”.
In November 2018, Coinbase Wallet added support for Ethereum Classic (ETC). In February 2019, the exchange purse began to house BTC. The company repeated that it was considering adding BCH, LTC as well as other major cryptocurrencies.
Then, on February 12, Coinbase Wallet stated that its users at that time could back up their private keys in Google Drive and iCloud.
In the attached statement, Coinbase explained that allowing users to upload their keys to a cloud provides protection against lost passwords and will help them avoid losing funds in case the passwords are lost:
“The private keys generated and stored on your mobile device are the only way to access your funds in the block chain. Owners of “user-controlled wallets” like Coinbase Wallet sometimes lose their devices or can not back their 12-word recovery phrase in a safe place, thus losing their funds forever”.
Now, Coinbase Wallet users can store an encrypted copy of the recovery phrase in their cloud accounts. Coinbase says that neither they nor the services in the cloud will have access to users’ funds, since the key of the recovery phrase is unlocked by a password that only the user knows. It is reported that the backup copy is encrypted with the AES-256-GCM encryption, which can only be accessed through the Wallet mobile application.
Coinbase points out that, in addition to Google Drive and iCloud, they will expand support for other clouds in the future. The feature is an opt-in service that does not replace or replace the original recovery option.
Interestingly, the feature was launched in the context of the QuadrigaCX case. Earlier this month, the Canadian cryptocurrency exchange sought protection from creditors after the sudden death of its founder, who was reportedly the only executive responsible for the keys and the cold (or physical) wallets of the exchange. After his death, the exchange has not been able to access USD 145 million in digital assets that supposedly must remain payable.
The new feature had a mixed reaction among the crypto community, as some criticized the idea of storing private keys in centralized servers. “You may want to rethink this,” says one of the most popular responses to the Coinbase ad on Twitter. “I do not understand, how do you misinterpret your target audience so badly?” Says the other.
The reaction among Reddit users seems more serene, as many users stressed that the new feature involves encryption. For example, u / CryptoNoob-17 wrote:
“At least they are not private keys without encryption like what blockchain.info did some time ago when sending private keys as simple text through http.If this prevents some noobs from losing their coins and telling all their friends how stupid they are. It’s the cryptocurrency because they lost everything, I do not see any problem”.
So, is the new feature safe enough? The experts intervene
Specialists in cybersecurity also seem to be undecided about the new feature. Taylor Monahan, the founder and CEO of MyCrypto, a non-custodial wallet, told Cointelegraph that trusting users to create sufficiently complicated passwords is not a good idea:
“Regardless of the strength of the encryption, the weak link will always be the password selected by the user (both in your wallet and in your cloud storage account). People simply are not able to generate a password with sufficient entropy, nor do they always use unique passwords for each service”.
Monahan adds that if hackers realize that an influx of people start using servers in the cloud to store their cryptocurrency, “we will certainly see an increase in attacks against these cloud storage providers.” He added:
“Players like Coinbase should not encourage this type of unsafe behavior, I understand the desire for a better user experience, but the worst user experience is one in which people lose all their cryptoactives due to theft”.
Hartej Sawhney, co-founder and president of Hosho, a start-up that protects investments and provides multiple services for intelligent contracts, including auditing, does not agree that hackers will target individual users as a result of the new update.
What is the deal with hackers?
“Hackers tend to want maximum information with minimal effort. This means that they will probably attack the heart of a cloud storage service instead of their individual users. Google Drive and iCloud have historically been safe”, he said, adding that, for him, Coinbase still looks much safer compared to other platforms:
“In any case, cryptocurrency exchanges should take some notes from Coinbase on how to strengthen security. In addition, Coinbase follows robust security features such as multi-factor authentication, e-mail confirmation and an active error rewards program, which makes it much more robust than any other cryptocurrency exchange. ”
Josh Datko and Thomas Roth, members of a team of security researchers who study hardware and software vulnerabilities under the title “Wallet.fail”, also told Cointelegraph that the new feature is safe enough, given that they take certain precautions:
“In our opinion, a cloud backup encrypted by the user does not significantly increase the risk of compromising, since the password is sufficiently complex, the key derivation of the password to the AES-256-GCM key is sufficient and there are no implementation errors”.
Datko and Roth warned that implementation also matters:
“Unfortunately, while this sounds like a simple feature, many organizations have made mistakes here, so as far as we know, we do not know if this new feature is open source or if Coinbase reviewed it independently”.
Also published on Medium.