Summary Of "Crypto Security & New Web3 Mindsets For Users"

I received feedback that reading through threads on Twitter was not the best was to consume a summary. So let's try an article that lists the tweets sequentially on a single page and do let me know if this works better.

Summary ??: https://twitter.com/sumofpod/status/1500139038657097732?s=20&t=Xpq_8H0p5pR9MD1-w5GKwg

Podcast link: https://podcasts.apple.com/sg/podcast/crypto-security-and-the-new-web3-mindsets-for-users/id842818711?i=1000538727845

All assets need layers of safety & control by their owners. Crypto is a relatively new class & security awareness needs to catch up quickly. Summary ?? of Eddy Lazarin & Zoran Basich demystifying crypto security.

@eddylazzarin & @ZoranBasich

1/n In a relationship with a bank/Web2 app, they’re the ones who control the terms of engagement. They can unilaterally reset passwords or change the rules for it. In crypto security, you can remove the intermediary & interact directly with the protocol. https://podcasts.apple.com/sg/podcast/crypto-security-and-the-new-web3-mindsets-for-users/id842818711?i=1000538727845

2/n That’s simultaneously incredible & terrifying. No one can interfere with your relationship with the assets. Terrifying because you’re now in-charge of controlling the secrets that guard access. It’s a mindset shift. #Bitcoin & #Ethereum have themselves never been hacked.

3/n It’s like a bank never being robbed but customers being duped into revealing info that then results in a bad outcome. A way for a so-called crypto hack to occur is when a customer is seeking support for the wallet & the bad actors insert themselves into the support channel.

4/n Offers to debug, asks for the seed phrase & that’s the version of handing over your password. For #NFTs drops, you might need to sign a transaction but actually end up granting sweeping access to your funds. This is a more subtle hack.

5/n A #Crypto key is 512 characters long & people used to store these in Notepad when the economic value of #cryptocurrencies wasn’t clear. We’ve now moved to mnemonic phrases of 12 or 24 words to make seed phrases easier to remember.

6/n People don’t realise that seed phrase is a password & not something related to the login. It is the representation of your pvt key. It's portable & can be copy/pasted to different wallets. You don’t hv to create new accounts & logins every time you sign up for a new wallet.

7/n This alone is a huge UX improvement. In Web2, you need a new login & password creation process for every new bank account you create anywhere. So, the #cryptocurrency wallet is a view into what you have & not what actually holds the asset.

8/n The asset itself is in the #blockchain . Seed phrases today are mostly stored in user unfriendly ways… metal, paper etc. The future is probably multi-party computation. Like storing the key with different parties after splitting it into pieces.

9/n Most people don’t want to think so much about security. They want a bank-like experience. In crypto, you could use an exchange. But this limits your ability to use those assets. Holding crypto in an exchange means you can’t do DeFi, trade NFT’s or use Web3 authentication.

10/n But it is more familiar to most people with help lines and support. But what should a person do if they don’t want to be locked in to an exchange? Not because they want to get involved with the cutting edge of crypto but because they like controlling the asset completely.

11/n The important question is where are the pvt keys held? Eg. You could install #MetaMask in Chrome, use paper, steel… to store the seed phrase which will reconstruct your pvt key. Now you could allow MetaMask to hold a copy of the pvt key.

12/n The pvt key is as secure as you believe your Chrome browsers memory is. You could move the pvt key off the browser & into a hardware wallet. Instead of having a browser with an online version you now hv it off your computer. The attack surface has been reduced.

13/n But the hardware wallet is offline & it has to be connected to the computer to authorise the transaction. Beyond this, you could generate a seed phrase or pvt key, calculate the public key for that phrase & never hv it touch a computer ever.

14/n You could receive funds to the public key with it never having been online. How is this possible? When someone sends you a token on a blockchain, there’s no sense in which you actually receive it. The #cryptocurrency is sent to a specific address.

15/n When you want to access the token, you just hv to prove that you control the pet key behind the public key. In theory, you could create the pvt key, figure out the public key without ever touching the blockchain & the public key becomes the recipient.

16/n You hv total control over the public key without it ever having being online. This is secure but there’s always a tradeoff between friction & security. There are a few things you can do to manage this. Hardware wallets are high-quality & dependable now.

17/n Never share your seed phrase. Rely more on your phone than the browser. Interfaces will hv to become more accessible for more people to adopt crypto. This is counter to the philosophy of ultimate control of an individual over crypto assets.

18/n Even if the interface is controlled by a 3rd party, it doesn't control the underlying assets & info. They’re only delivery mechanisms for UX. Because crypto interfaces will hv to be interoperable, the openness will make them better than the ones in Web2 where...

19/n ... these are a mechanism to lock in users. Web3 will enable people to use a single interface for everything as opposed to using a new interface for individual activities, each with it’s own varying, implementation of security.

20/n This works because the single system would have been open for everyone to inspect & received massive public scrutiny. This is not possible with closed networks of today.

21/n An individuals pvt key will always be recognised & they’ll always be connected to that seed phrase via multiple wallets. A problem arises when people want to recycle keys for purposes of freshness or security. But every pvt key maps to an individual public key.

22/n The way to solve this is with a decentralised identifier. This is 1 step removed & underneath it you hv a public key or a set of public keys. That identifier could refer to a group of people or a public key. The latter could change but the identifier would be a constant.

23/n An anology is how your Twitter username can change but you still control the account. People can lose keys but keep the assets & relationships & network they’ve built.

n/n Recovery systems will be built for when people lose pvt keys. Most people will generally trust certain institutions but you will hv there option to opt out.