Please describe your proposed solution
Problem 1: The reliance on seed phrase-based wallet recovery is hindering mass adoption.
The widespread adoption of blockchain wallets is significantly hindered by the use of seed phrases for wallet recovery. Seed phrases, also known as recovery or mnemonic phrases, are a list of words required to recover a blockchain wallet. This applies to both crypto wallets for token transactions and identity wallets for managing Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). For security reasons, this phrase must be kept confidential[^1^].
Background on seed phrases
A private key is a random string of bits, so it is not human-readable and would otherwise have to be stored digitally. Because digitally stored keys are exposed to hacking, BIP39 was created to encode the key as a list of words that can be written down on paper[^2^].
However, the seed phrase being a single point of failure poses several challenges. Firstly, users may forget their seed phrases or misplace the physical copy containing it[^3^]. Secondly, if another person acquires the seed phrase, they can access the wallet and its funds[^4^]. Lastly, non-technical users may find the concept of a seed phrase difficult to comprehend and manage[^5^].
These challenges are discussed in several sources. For instance, this Cointelegraph article states that seed phrase recovery is a hindrance to mass adoption: “As the Web3 space looks to onboard its first billion users, intuitive wallet experiences are critical. Seed phrases are a hindrance to that experience.” In addition, this Blockworks article states that seed phrases have become a “major pain point for users”.
Currently, the Atala PRISM Identity Wallet SDK only supports wallet recovery based on seed phrases. This limitation hinders mass adoption.
[^1^]: Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.
[^2^]: Bitcoin Improvement Proposals. (2013). BIP39: Mnemonic code for generating deterministic keys.
[^3^]: Lee, T. B. (2018, August 4). I forgot my PIN: My epic tale of losing $30,000 in bitcoin. ARS Technica.
[^4^]: Hern, A. (2016, March 18). What happens to your bitcoin when you die? The Guardian.
[^5^]: Mearian, L. (2014, February 7). Bitcoin's software gets security fixes, new features. Computerworld.
Alternatives to seed phrase-based recovery:
Two primary alternatives to seed phrase-based recovery exist: social recovery and multifactor recovery involving backup files. Social recovery, which has been endorsed by Ethereum co-founder Vitalik Buterin[^6^], utilizes trusted contacts to help users regain access to their accounts. A prominent example of a wallet employing this method is the Argent wallet[^7^].
On the other hand, multifactor recovery involves the use of backup files in addition to other authentication measures. Wallets using this method are rare, especially within the Cardano ecosystem. However, some examples do exist outside of it. For instance, the Dock.io identity wallet uses a recovery system involving a password-protected backup file[^8^]. Our plan includes implementing a similar solution to enhance the security and user experience of our wallet.
[^6^]: Buterin, V. (2018, January 11). A simple and secure wallet.
[^7^]: Argent. (2019, May 13). Introducing Argent V1: A new type of Ethereum wallet.
[^8^]: Dock.io. (2021). Wallet Recovery.
See also:
<https://wirexapp.com/>
<https://www.cypherock.com/features/no-backup>
<https://medium.com/@bitizenwallet/private-keys-single-point-of-failure-a20b5f00a67d>
Solution 1: We improve the Atala identity wallet SDK to allow wallet recovery using a password-protected backup file instead of a seed phrase.
The solution aims to address the vulnerability of seed phrases by enhancing the Atala identity wallet SDK to allow wallet recovery using a password-protected backup file instead of a seed phrase. Essentially, this wallet eliminates a single point of failure through the use of two-factor authentication, i.e., a password and a backup file. Consequently, even if someone acquires your backup file, they can't decrypt it without your password. Similarly, a password alone is useless without access to your backup file. Moreover, you can always change your password. Implementing two-factor authentication for recovery significantly improves both security and user experience.
Wallets with multi-factor authentication are rare, but they do exist outside the Cardano ecosystem. For example, the Dock.io identity wallet uses a recovery system with a password-protected backup file. We plan to implement a similar solution.
Specifically, we will contribute to the Atala PRISM Identity Wallet SDK repository. We aim to add new features without affecting the existing wallet recovery feature which uses seed phrases. The new features include the following:
- Users do not see seed phrases when creating a wallet.
- Users see an alert: "Please secure your wallet by backing up the wallet".
- Users select a secure password to encrypt the backup file.
- Users have the freedom to save the backup file wherever they prefer, including on an external hard drive or cloud.
- Users can restore a wallet by decrypting the backup file with the password.
The technical schema is found below:
This plan has been discussed with IOG's Atala PRISM team. They have confirmed that this improvement is not part of their roadmap and would welcome this additional feature to the SDK.
This solution allows projects in the Cardano ecosystem to create their own wallets using this SDK. They can use a password-protected backup file for wallet recovery. This method is not only user-friendly but also secure. It will contribute to the widespread adoption of identity wallets and Self-Sovereign Identity.
With this enhanced SDK, we'll boost Socious Wallet's security by shifting from seed phrase recovery to multifactor file backup recovery. This will let end-users enjoy the advantages of SSI, DID, and VC without the complexity of managing seed phrases or the risk of a single point of failure. Upon completion of this project, users will have a secure identity wallet on their iOS and Android mobile devices without the need to manage seed phrases.
Socious has been a longstanding contributor to the Atala PRISM community. Socious’s open-source wallet, built using the Wallet SDK, has been shared with the community. Many community members have used the Socious Wallet as a reference in developing their own wallets.
Problem 2: The lack of No-Code Self-Sovereign Identity solutions is hindering mass adoption.
Organizations can issue work and educational certificates as verifiable credentials using Socious Talent Marketplace. Users can then receive these certificates using Socious Wallet. Nevertheless, we have received requests from several organizations seeking to use Self-Sovereign Identity (SSI) solutions for various purposes. For example, one organization wants to use SSI to verify someone's adult status without revealing their identity, utilizing zero-knowledge proofs. Another organization wants to use SSI to confirm membership in a specific community. Currently, there is no no-code platform that allows these organizations to flexibly create verifiable credentials schemas of their choice or create proof presentation requests.
Organizations have the ability to issue both work and educational certificates as verifiable credentials using the Socious Talent Marketplace. This platform serves as a reliable source for these important documents, providing a level of trust and verification. Users can then receive these certificates using Socious Wallet, a secure and user-friendly platform for storing and accessing these credentials.
However, we have noticed a growing trend amongst our clients. We've received numerous requests from several organizations who are interested in using Self-Sovereign Identity (SSI) solutions for a variety of different purposes. The reasons behind this are diverse.
For instance, one particular organization is interested in using SSI to verify someone's adult status without revealing their identity. They want to achieve this by utilizing zero-knowledge proofs. This technique would allow the organization to confirm the individual's age without needing any other personal details, thus ensuring privacy and trust.
Similarly, another organization wants to use SSI to confirm membership in a specific community. This would help them maintain the exclusivity of their community while also providing a verifiable means of confirming membership.
Currently, one of the challenges these organizations face is the lack of a no-code platform that would allow them to create verifiable credentials schemas of their choice or to create proof presentation requests. This lack of flexibility in the current solutions available on the market is a significant hurdle for these organizations, and it's something that needs to be addressed.
Solution 2: We build a no-code Self-Sovereign Identity platform.
Our no-code Self-Sovereign Identity (SSI) platform is designed to be a game-changer in the field of digital identity management. It will allow organizations to create their own verifiable credentials schemas and proof presentation requests, without requiring any coding knowledge. This platform will democratize access to SSI solutions, enabling organizations of all sizes and industries to leverage the power of decentralized identities.
This platform will be user-friendly and intuitive, designed with a clean and simple user interface that makes it easy even for non-technical users to navigate. It will provide an easy-to-use interface for creating verifiable credentials schemas, with a wide range of customizable fields to suit various use cases.
For example, Japan's laws related to online cigarette sales require sellers to verify the buyer's age. This is achieved by asking them to upload scans of their government-issued IDs. Sellers can only deliver to adults at the address listed on the ID. A high demand exists for zero-knowledge proofs due to the perceived risk of sharing driver's license scans: if the seller's server is compromised, crucial identity information could be used maliciously. However, due to a lack of technical knowledge, it is challenging for cigarette sellers to integrate Self-Sovereign Identity (SSI) solutions into their websites. With a no-code SSI platform, an organization wanting to verify someone's adult status could create a credential schema with a birth date field. Another scenario is when an organization wishes to verify community membership; it could create a schema with fields for the membership number and joining date.
In addition to creating verifiable credentials schemas, the platform will also allow organizations to create proof presentation requests. These are requests for a holder of a verifiable credential to present certain pieces of data from their credential, without revealing the entire credential. For example, a bar could request proof that a customer is over the legal drinking age, without needing to see their full ID. This aligns with privacy-enhancing technologies like zero-knowledge proofs, which allow individuals to prove certain facts about themselves without revealing any additional information.
Importantly, this platform will be built on Cardano, leveraging the security and decentralization of the Cardano blockchain and Atala PRISM. The verifiable data registry (VDR) will be anchored on the Cardano blockchain, providing an immutable record that can be independently verified by any party. This will increase trust in the credentials issued through the platform, as they cannot be tampered with or falsified.
Overall, our no-code SSI platform will lower the barriers to entry for organizations wanting to implement SSI solutions, promoting wider adoption of decentralized identities. It will provide organizations with the flexibility to create their own credential schemas and proof requests, enabling a multitude of use cases. And by building on Cardano, it will offer a secure and decentralized solution that respects user privacy.
Technical Resources: For a deeper understanding of our project's technical foundation, please explore the following resources:
- Atala Documentation
- Agent: Hyperledger Labs Open Enterprise Agent
- Wallet SDK: Atala PRISM Wallet SDK
- Mediator: Atala PRISM Mediator
- Socious Wallet repositories:
  - <https://github.com/socious-io/socious-wallet-api>
  - <https://github.com/socious-io/socious-wallet>
  - <https://github.com/socious-io/open-enterprise-agent>
  - <https://github.com/socious-io/prism-agent-setup>
Additional information can be found here: <https://socious.notion.site/Public-Accelerate-Mass-Adoption-Open-Source-Atala-Wallet-SDK-with-No-Seed-Phrase-Vulnerability-and–a9bf8318af95458eb158f512fd4e8585?pvs=4>