What Are Seed Phrases and Are They Necessary?
Seed phrases are the crypto industry standard for recovering broken or lost wallets — but they have become a major pain point for users
Graphic by Crystal Le
Estimates suggest that over a third of the current supply of bitcoin is made up of potentially lost or dormant coins. This statistic and the horror stories of people digging through landfills for a lost seed phrase continue to keep skeptics on the sidelines.
Industry experts have long debated how to solve this problem without losing the self-custody of the BIP39 seed phrase standard. For example, wallet manufacturers such as ZenGo and Argent launched seedless alternatives, but their critics argue that they sacrifice a degree of autonomy and censorship resistance for convenience.
And as the application layer of the crypto ecosystem grows, wallet manufacturers are competing to own the layer of user experience in Web3. The simple offline paper wallets of the early days in crypto can’t support this new demand for smart contract functionality and security.
Watch: The Wallet Wars: Rise of the SuperApp | Qiao Wang
But these developments also come with new risks. A recent report published by CertiK exposed malware that can steal the private keys of mobile wallets.
Noisy debate and increased complexity makes it even more difficult for average users to navigate the different ways to safely store their assets.
This explainer series on crypto wallets will attempt to make this journey a little less mind numbing. In this article, we will start with explaining the seed phrase debate and will follow up with a hot vs. cold wallets breakdown and then a full wallet security guide.
What is a seed phrase?
A seed phrase is a series of 12 or 24 random words that provides the data needed to recover a lost or broken crypto wallet. It is also known as a mnemonic phrase and is best understood as a security measure for self-custodied digital assets.
Both hot wallets and cold wallets can use a seed phrase for recovery. For example, MetaMask (hot browser extension wallet), Exodus (hot mobile wallet), and Ledger (cold hardware wallet) all use seed phrases for recovery.
The difference between seed phrases and private keys
Seed phrases and private keys are often used interchangeably, but they are different. The private key is a string of numbers and letters used to approve a transaction from an owner’s public address.
They are safely stored in wallets so that users don’t have to manually enter them everytime they want to approve a transaction. The wallet seed phrase provides the users with a way to recover that wallet if it is ever lost or broken. If for whatever reason someone gets access to a private key though, they can move the funds without using the mnemonic seed phrase. As in the case of the BombFlower Backdoor, hackers used wallet imitation malware to steal the private keys directly from users’ phones.
What’s the point?
A general driving force behind crypto and the push to self-custody is a distrust of the banking system and more specifically, ‘centralized entities.’ Many who have been burnt by custodial crypto platforms and are concerned with their country’s monetary policy want to take full ownership of their assets. We can save the merits of their reasons for another article, but the point self custody activists make is, if users want an alternative that is truly permissionless, they also need to take security into their own hands.
So don’t think of a seed phrase as a username or password. Because unlike online banking, there isn’t tech support available to verify identity and restore access. A better analogy is a fire-resistant safety box. Its effectiveness is completely contingent on how the owner uses it.
How seed phrase recovery works
One of the most widely-used standards for seed phrases is BIP39 (Bitcoin Improvement Proposal 39). And while it was initially proposed for bitcoin wallets, it became a popular standard across the board. It outlines how crypto wallets generate the phrase and reinterprets each word for wallet recovery.
The sequence of events is essential to understanding how this works. Before a user’s new public and private keys exist, a wallet automatically generates a seed phrase or asks the user to provide one. It is a mnemonic phrase that is made up of 12, 18 or 24 words.
The wallet software then converts the string of words into a binary seed (ones and zeros) and uses it to produce a set of private keys and public address pairings. BIP39 is not the only standard wallet manufacturers use in account creation and recovery.
They can also use BIP44 and BIP32. These standards work together with BIP39 and specify a tree structure for organizing addresses derived from a seed phrase. This method is often called a hierarchical deterministic structure and allows for the creation of multiple private/public key pairings and child pairings. This structure is important because it adds a layer of privacy and security protection by using a different address for every transaction.
Once users set up their wallet address and child public and private pairings, they don’t need to use the recovery seed phrase for access. Instead, they login to their hardware wallet (cold) or software wallet (hot) with a passcode or pin to automatically sign transactions. This keeps the private keys out of view from the public.
The backup seed phrase comes back into play if the user loses the device. In that event, the user should ideally have stored that seed phrase in a location separate from the cryptocurrency wallet. They would then use it to restore access on another compatible device.
Argument for seed phrase recovery
The seed phrase recovery system offers full control over the security and accessibility of crypto assets. By using standards such as BIP39, manufacturers can provide clear instructions for recovering private keys from other compatible wallets.
For example if two manufacturers use the popular combination of BIP32, BIP39 and BIP44 to create hierarchical deterministic wallets, then seed phrase recovery is compatible on both devices. This system can give users more control over their assets and also provides a safety net in case the wallet manufacturer is no longer in operation.
The seed phrase is protected from hackers if it is secured properly offline (on an air-gapped machine or device) and out of view from anyone else. But it is important to consider that depending on the wallet type, there are other security vulnerabilities outside of hackers accessing the keyphrase. We will cover these differences in greater detail in our full guide on crypto wallet security.
Argument against
The seed phrase creates a single point of failure. And its protection is not an easy endeavor, as it requires extensive knowledge on best practices. For example, users commonly store the seed phrase on paper. While this protects the phrase from online threats, it can easily become unreadable over time through natural wear and tear. For this reason, some use a prefabricated metal plate, also called a seedplate, with an etched version of the seed. But if they are stored in the same location of the wallet, they become subject to the same risks such as fire, natural disasters and theft.
If a seed phrase is stored on a computer or any device that can connect to the internet, then it is vulnerable to hackers. Even computers that are disconnected from bluetooth and wifi are prone to various malware that can expose the seed phrase.
These extra security measures add burdens to an already clunky user experience that average consumers are not accustomed to in Web2. And even if a user takes every precaution to protect the seed phrase, their wallet can still be hacked if it is not entirely offline and air gapped from any bluetooth connections.
What about seedless wallets?
A seedless wallet is a type of crypto wallet that does not rely on a single seed phrase for account creation and recovery. Instead, it uses multi-party computation (MPC) or smart contract technology to distribute key generation and signing processes among multiple parties or devices.
It is important to remember that the seed phrase was never a necessary component for wallet functionality. In the early days of bitcoin, users relied entirely on the private key for sending BTC. So seedless wallets are really just an alternative way to secure those private keys.
The main purpose of seedless wallets is to help users lighten that security burden. Like the seed phrase, these options still require more responsibility than traditional banking, but they use innovations aimed at removing the central point of failure in conventional seed phrase wallets.
Many institutions and decentralized autonomous organizations (DAO) are beholden to security compliance that requires these types of security solutions. And if implemented correctly, they can offer a secure alternative for people not wanting the burden of protecting their seed phrase. But they still have security risks and trade offs that some argue run counter to the spirit of decentralization.
Multi-party computation (MPC) protocols
MPC wallets use a technique called Threshold Signature Scheme (TSS) to remove the central point of failure in conventional wallets. Two examples include ZenGo (mobile) and Cypherock (hardware). TSS is a cryptographic method that allows a group of people or machines to generate and store a private key in such a way that no single person or device controls the entire key.
But unlike the popular multi-signature (multisig) wallets, MPC wallets don’t require multiple individual private keys to sign a signature. Instead, it divides one private key into separate shards. This distinction may sound semantical, but it unlocks more features and protections that multisig wallets can’t offer.
For example, many DAOs use multisig wallets to manage their treasury. If they wanted to add or move a participant, they would need to move their funds into another multisig wallet. Every time an organization is forced to move all funds to a different location, it opens them to a new set of unnecessary risks.
With MPC wallets, organizations can use something called a ‘private key rotation’ to recreate private key shards without moving funds.
Why does splitting the key help with security?
Mobile wallets can benefit from this approach because it prevents the entire private key from being stored on the device (a central point of failure). For example MPC wallets like ZenGo store the second key share on their servers. So, theoretically, if a hacker was only able to acquire one half of the key, they would be unable to approve any transactions without ZenGo’s permission.
According to a recent Twitter Space conversation with CertiK’s chief security expert, Kang Li, multiparty computation (MPC) is a safer method for transactions in general, as it requires multiple parties to sign. However, he warns that the level of security can vary depending on the implementation. In some cases, an attacker may only need one half of the key and a token from another signer to predict and sign a transaction, bypassing the need for the other half of the key. Li emphasizes that while MPC is generally a better scheme, it is important to pay attention to the details of the implementation to ensure the best level of security.
In the event that a MPC device is hacked or broken, the user still needs a way to recover the wallet. Mobile wallets such as ZenGo offer a crypto recovery service that would enable users to reinstate their wallet without using a crypto seed phrase. Upon downloading their wallet app, they provide instructions on setting up a recovery kit.
The recovery kit consists of two parts: a face scan and a recovery file. The face scan is performed locally and privately on the user’s phone. And the unique recovery file is stored in the user’s default personal cloud storage system.
As long as these two items are accessible on the user’s cloud, they can use it to authenticate ownership when redownloading the app.
Early concerns that hackers would be able to use a 2D image of a face to hack scans have proven to be false. However, a black hat hacker conference in 2019 proved that it was possible to trick the liveness detection of an Apple face scan using spectacles and black tape.
What if the wallet servers shut down?
This recovery system though is contingent on ZenGo’s servers authenticating ownership and the cloud service storing the recovery file.
In response to concerns of users being unable to access funds in the event that ZenGo shut down, ZenGo’s Chief Technology Officer Tal Be’eri told Blockworks that “recovery is indeed mandatory.”
“In the case of ZenGo going out of business, we have a trustee that would effectively release ZenGo remote share, and the app will be able to unite its personal share with the remote share and create a private key that can be mounted by many non-custodial wallets.”
This type of key recreation is very similar to the private key rotation made possible by the MPC protocol. If this wallet was a multisig wallet, the contingency plan would not be possible. Yet, while this does offer another layer of protection, it still requires the participation and permission of the trustee — a fact that self-custody maxis like to point out.
Final considerations
At the end of the day, this explainer only begins to scratch the surface of new alternatives to seed phrase wallets. There are still smart account wallets that unlock a whole new set of functionality in the Web3 world. The challenge with these new innovations is in understanding the complexity. But in the Web3 culture of ‘trust, don’t verify’, this increased complexity means that the vast majority of users will still end up trusting the company behind the decentralized and transparent systems.
This can present a problem because, according to Li, not all claims of decentralization are created equal. Upon investigation of certain wallets, Li and his team at CertiK discovered that these wallets were actually centralized, with key management and transaction signing taking place at a centralized location. Despite these centralized practices, the wallets continue to advertise themselves as decentralized.
Opponents of both sides of the seed phrase debate can agree that better education is needed. Without it, the technical transparency holds no real value to users.
Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.
Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.
Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.
The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.