The foundation of the Web3 ecosystem is the wallet, an app or browser extension that lets users verify their web identities and authorize transactions. But using a wallet has always involved a steep learning curve. New users must learn to copy down their seed words and store them in a safe place, create a strong password to encrypt their keystore file, copy addresses accurately when sending funds, and other things they may never have to learn when using a Web2 app.
If a new user wants to make onboarding more accessible, one option is to use a custodial wallet provider, such as a centralized exchange. But experienced crypto users will almost always caution them against this for a good reason. The world has witnessed centralized exchanges like Mt. Gox, QuadrigaX and FTX go bankrupt from hacks or outright fraud, causing some customers to lose all their funds due to using a custodial wallet.
Because of this risk, many crypto users still see a noncustodial wallet backed up by a set of seed words as the only secure way for a user to protect their Web3 identity.
But do users always have to choose between security and convenience? Or is there a way to combine a noncustodial wallet’s security with an exchange’s convenience?
A few Web3 companies are trying to create wallets that are easy to use but also don’t require the user to place all their trust in a centralized custodian. Companies like Magic, Dfns, Kresus, Web3Auth, Immutable and others believe that a wallet can be just as easy to use as an email account, and secure enough to be trusted to protect the user’s identity and funds. These companies are using different types of new wallet infrastructure to make this idea a reality.
Here is a rundown of a few of the solutions used by wallet developers:
Magic
One new system is the Magic software developer kit (SDK), produced by Magic Labs. It is a developer kit and wallet infrastructure that allows developers to create seedless wallets for users.
Instead of storing the private key on the user’s device, an encrypted copy is kept on an Amazon Web Services Hardware Security Module (HSM). The encryption is performed using a Master Key that cannot leave the HSM. All signing is done within the HSM, preventing the user’s key from being broadcast to the internet.
Magic wallets do not use passwords. Instead, when users first sign up for a magic wallet, they submit their email address to the Magic relayer. The relayer then sends a one-time use token to the user through their email. This token will only work if used by the device that sent the request and only for a limited time.
The token is used to authenticate with Amazon Web Services when the user clicks a link within the email. The blockchain wallet account’s private and public keys are then generated on the user’s device and sent to the HSM. Magic Labs says they cannot see the generated private key, as it never goes to their servers.
When users stop using their wallets and close their browsers, they can reopen their wallets by repeating the process. They submit their email address to Magic again and receive a new, one-time-use token. This time, after authenticating, they regain access to their wallet.
Magic Labs has created a demo showing how the system works. It appears to allow anyone to create a wallet without downloading a browser extension or copying down seed words. It also allows users to close out their browsers and return to their wallets later, logging into the same Web3 account again.
The demo currently only works on testnets such as Goerli, Sepolia and Mumbai.
Wallets based on Magic
A few different wallets have been released or are currently in development that use Magic. One notable example is the Kresus wallet, a mobile app that allows users to store and hold Bitcoin (BTC), Ether (ETH), Solana (SOL), Polygon (MATIC) and tokens from these networks. It also allows users to send crypto using .kresus domain names instead of crypto addresses.
Kresus was released in the Apple App Store on May 11. The team told Cointelegraph that an Android version would come later in 2023.
Immutable Passport is another example. It’s an application programming interface (API) built by Web3 game developer Immutable. When participating games integrate their websites with Passport, it allows players to create wallets directly through the game’s site.
Related: What is Immutable, explained
Immutable told Cointelegraph that Passport wallets connect to the Immutable X network, a layer-2 Ethereum protocol, which allows players to store all of their Immutable gaming collectibles in one account, regardless of which game they initially signed up with.
Immutable recently implemented Passport as the default login method for its developer portal, and they plan to use it for at least one game’s login page by summer 2023, the team said.
Security concerns with Magic
The Magic SDK does contain one known security flaw, which developers have taken steps to mitigate. Because it relies on email…
cointelegraph.com