Why it is time for seedphrases to go away now and forever

Web3Auth
6 min readNov 6, 2023

--

A seedphrase, or a recovery phrase is a sequence of 12 to 24 words, typically, generated by a cryptocurrency wallet, that serves as a master password to users’ associated accounts that can be used to trade, sell and buy cryptocurrencies.

By generating a seedphrase, users can recover their wallet and access their funds even if their original wallet is lost, stolen, or corrupted. It goes without saying that it is crucial to keep the seedphrase secure and not share it with anyone else. The seedphrase is used as a starting point to generate a hierarchical structure of private keys. These private keys, in turn, generate the corresponding key-pairs associated with different cryptocurrency addresses.

In cryptography and blockchain, a key-pair consists of two mathematically related keys — a public key and a private key. These keys are generated together and are used for asymmetric encryption and digital signatures. The public key is often used as the receiving address, while the private key provides control and access to the associated funds.

Seedphrases are used for backup and recovery, as a way to restore and generate all key pairs while key pairs are used for cryptographic operations and everyday transactions within a crypto wallet.

Given the fact that seedphrases are right at the entry point for any new user trying to get into Crypto or a Web3 application, they are bound to be popular. With popularity, it is expected that they would be simple enough to use and implement.

“But strangely, like Schrodinger’s paradox, they are not.”

The adoption barriers that seedphrases bring

Web3 is still evolving. It is nascent and mass adoption is impending. Mass adoption is established only when web3 reaches critical mass, say at least a billion users. But for a technology that is as complex as blockchain, it is bound to have equally complex barriers to entry.

“The most significant one which also happens to be most talked about, is the fact that users are bound to keep losing their seedphrases over and over again.”

With seedphrases, users are also bound to bear the responsibility of securely storing and protecting their backup phrase. This introduces a higher level of personal responsibility and security awareness.

For users unfamiliar with the concepts of private keys and seedphrases, there is a risk of losing or compromising the phrase, leading to the loss of funds. This added responsibility can deter less tech-savvy users from fully embracing Web3 platforms.

“But more importantly, and much to the chagrin of Web3 natives, seedphrases invoke an overwhelming sense of fear and anxiety in new users, and it subsequently induces a culture of avoidance and lack of safety. And nobody wants that.”

In a nutshell, seedphrases are the weird players that nobody likes to use, in Web3.

Seedphrases can be considered a hindrance in the mass adoption from Web2 to Web3 due to a few other reasons —

  • User experience — Seedphrases introduce an additional layer of complexity for users who are accustomed to traditional and centralized platforms. The need to securely store and manage a seedphrase may be unfamiliar and cumbersome to users. This extra step in the user experience is a barrier for mainstream adoption.
  • Recovery process — In the event of losing access to a wallet or forgetting the seedphrase, the recovery process can be complex and intimidating for average users. Unlike traditional centralized platforms where password resets are common, recovering a Web3 wallet often involves a meticulous restoration process using the seed phrase.
  • Scalability and convenience — Seedphrases are primarily designed for individual wallet management, which can be inconvenient for users who interact with multiple platforms and wallets across various devices. Managing and securing multiple seedphrases across different platforms can be time-consuming, potentially hindering the seamless user experience required for mass adoption.

While this is at one end of the spectrum, the other end of it bears some of the largest concerns for mainstream adoption of web3 and crypto adoption — the risk of security and financial fraud.

  • A Forbes report from last year suggests that scammers stole a mammoth $14 billion worth of cryptocurrencies in 2021 alone, which is almost twice the amount from 2020.
  • According to Chainalysis, illicit addresses in 2021 received $14 billion in crypto money, an all-time high throughout the same year.
  • By early 2022, illicit addresses held at least $10 billion of crypto, with a vast majority of this held by wallets associated with cryptocurrency theft.

How do we solve this?

In the web2 world, logging into any digital account requires a few highly familiar authentication flows or social logins such as

  • via Gmail
  • via Facebook/Twitter
  • via one-time password

The one thing that stands out in Web2 authentication is that — it is intuitive, simple, stress-free. People need not have to think twice about what happens underneath the web screen. A gmail user has no need whatsoever to understand how gmail works, to be able to use the services.

Recovering a password in Web2 is straightforward. All you need is a backup option like a mobile number to reset the password via Two-Factor Authentication (2FA). Besides, Web2 authentication is ubiquitous, it is widely accepted and recognized.

The internet has been habituated to these flows among other known ones. But web3 is ‘all-alien’ written all over it for any first-time user. But it need not be, or rather, should not be, the same for the end-user.

In the world of user interfaces and user experiences (UI and UX), there is alway one thumb-rule — layman’s language always, over technical jargon because it is imperative to treat your end-users as 5 year olds.

In Web2, users leverage the same login details across numerous services and web applications due to protocols like OAuth. It should similarly be as easy and accessible for Web3 users to use identical keys or alternative authentication measures across various dApps and wallets.

Read more: How Keplr pioneered social logins for Web3 wallets way before it was cool

The road ahead

This dichotomy is bound to remind us all of the early days of the internet, a throwback to the late 90s or early 2000s. Users were losing their usernames, passwords and the subsequent accounts regularly. But then again, there came about an improvisation in the same. We graduated into Two-Factor Authentication, one-time passwords (OTPs), biometric authentication like Face ID and fingerprints.

At this point in time, it may be fair to establish that Web3 now demands the same philosophy.

Overall, while seedphrases are a critical security measure in Web3 environments, their complexity and responsibility can present barriers to mass adoption. Simplifying the user experience, enhancing security measures, and developing alternative key management solutions are important considerations for achieving broader acceptance and transitioning from Web2 to Web3.

The time has come for Web3 to similarly evolve into far more secure, seamless and reliable forms of authentication and key management, and further away from single-factor seedphrases.

If you are building a Wallet or a dApp and you are looking to onboard the next billion users on to Web3, sign up here to try out our SDKs.

Read more: Announcing our partnership with Trust Wallet to offer the simplest Web3 onboarding ever

Frequently asked questions (FAQs)

  • What is a seedphrase?

A seedphrase, or a recovery phrase is a sequence of 12 to 24 words, typically, generated by a cryptocurrency wallet, that serves as a master password to users’ associated accounts that can be used to trade, sell and buy cryptocurrencies.

  • What is self-custody?

No parties or subsets of parties can access the user’s public and private key pair. The user has full access over their public and private key pair. Self-custody represents that a user has full control over their key and their assets and custodial means that a third party handles a user’s key and assets on their behalf.

--

--

Web3Auth
Web3Auth

No responses yet