NEW YORK (InsideBitcoins) — Ledger has become one of the most well-known brands in the bitcoin hardware space due to their affordable hardware wallet offering known as the Ledger Wallet Nano. While some have questioned the level of security offered by the Nano’s original setup, the company behind the hardware wallet has been diligently working on a variety of security enhancements. Ledger will be introducing a new authentication process for sending bitcoin payments in the coming weeks, and they’ll also be releasing a completely new version of their product by the end of the year.
From security card to mobile app
The main criticism that seems to be thrown at the Ledger Wallet Nano is that the security card used to authenticate newly-generated bitcoin transactions may not offer the highest possible level of security. Whenever a new bitcoin transaction is created with the Ledger Wallet Nano, a code must be entered into the computer that corresponds to a static security card. It has sometimes been compared to a secret decoder ring. Technically speaking, malware could figure out the secret code on the security card after a few dozen transactions, which means a hacker would potentially be able to generate their own malicious transactions and essentially steal a user’s bitcoin stash.
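To put a number on how quickly a static card leaks to anything watching the host keyboard, here is an added risk model that is not from the article or from Ledger. The card layout (one fixed hex digit per Base58 address character), the four characters challenged per transaction and the random sample addresses are assumptions made for illustration.

```python
import random

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def make_card(rng):
    # Assumed card layout: one fixed hex digit per Base58 address character.
    return {ch: rng.choice("0123456789abcdef") for ch in BASE58}

def challenge(rng, address, positions):
    # Assumed challenge: the device asks for the card codes of a few
    # characters picked from the payee address.
    return [address[i] for i in rng.sample(range(len(address)), positions)]

def expected_exposure(transactions, positions=4):
    # Closed form: expected share of the card typed on the host so far.
    return 1 - (1 - 1 / len(BASE58)) ** (transactions * positions)

def simulate_exposure(transactions, positions=4, seed=2015):
    rng = random.Random(seed)
    card = make_card(rng)
    seen = {}    # card entries that have passed through the host
    curve = []   # share of the card exposed after each transaction
    for _ in range(transactions):
        # Constructed sample address: 34 random Base58 characters.
        address = "".join(rng.choice(BASE58) for _ in range(34))
        for ch in challenge(rng, address, positions):
            seen[ch] = card[ch]   # static card: same answer every time
        curve.append(len(seen) / len(BASE58))
    return card, seen, curve

def challenge_covered_probability(exposure, positions=4):
    # Approximate chance that every character of a new challenge has
    # already been exposed (treats the characters as independent).
    return exposure ** positions

if __name__ == "__main__":
    card, seen, curve = simulate_exposure(36)
    for n in (6, 12, 24, 36):
        e = curve[n - 1]
        p = challenge_covered_probability(e)
        print(f"{n:>2} tx: {e:.0%} of card exposed, "
              f"P(new challenge fully covered) = {p:.0%}")
```

Because the table never changes, exposure only grows. Under these assumptions roughly four fifths of the card has been typed on the host after two dozen transactions.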
Due to this perceived security issue, Ledger has developed a mobile app that works with the hardware wallet. This new mobile application will become the Ledger Wallet Nano’s new form of two-factor authentication. A user will now be able to confirm the details of a transaction via the mobile app before it is signed. As long as the computer and smartphone are not both compromised with rather specialized malware, a user should be able to trust that the details displayed by the mobile app are related to the transaction that will actually be signed by the Ledger Wallet Nano.
More secure than a multisig wallet?
One question that comes up when hearing about how the mobile app interacts with the Ledger Wallet Nano is whether or not this offers much of an improvement over other forms of two-factor authentication, such as Copay’s multisig solution. I was able to ask Ledger CTO Nicolas Bacca about this point directly via Reddit, and he claimed that there are still some advantages to using the Ledger over a 2-of-2 multisig solution:
“A malware has to be designed in a subtle way on both devices to make the second one display what the first one has supposedly done, and the attacker is stopped once one compromised device is detected because the key never left the Ledger Wallet in the first place. On a multisignature solution, a malware can break through both devices’ protections in a non subtle way, fetch both seeds, and compromise the accounts forever.”
In other words, Bacca was pointing out that malware would have to be created to specifically target the Ledger Wallet Chrome and mobile apps at the same time on two separate devices in order to steal funds from a user. In the case of a 2-of-2 multisig solution, simpler malware that scoops up private keys is all that would be needed on both devices. Bacca expanded on the difficulties of compromising two devices at the same time:
“It’s more difficult to attack both devices at the same time (maintain a communication channel between both) to make sure that the displayed information is correct. This could be made even more difficult by making sure the host and the smartphone don’t communicate (the message to verify could be scanned from a QR code from the phone in airplane mode, producing a confirmation code that the user would validate).”
Ledger CEO Eric Larchevêque has also pointed out a few usability advantages of the Ledger Wallet Nano in the comments section of a past review of the hardware wallet. For example, it’s much easier to back up the single seed provided by the Ledger Wallet Nano rather than multiple keys for the two devices used in a 2-of-2 multisig address.
More secure than Electrum’s 2FA?
The final question I had for Bacca was in relation to Electrum’s new two-factor authentication offering. Bacca was able to point out some disadvantages of using Electrum when compared to the Ledger Wallet Nano:
“You don’t get to validate the transaction on your phone, you just blindly approve it. Ledger second factor [allows] you [to] validate on your phone the data that came through the Ledger Wallet. [Also], you pay a fee per transaction [with Electrum’s 2FA solution.]”
Ledger recently received €1.3 million in funding via a seed round led by XAnge Capital, which should allow them to continue to innovate with new secure and convenient bitcoin storage solutions in the near future. A beta version of the mobile app is expected to be released this week, and a video demonstration of it can be viewed below:
You can follow @kyletorpey on Twitter.