How Braavos’ Wallet Signers Are Elevating The Crypto Experience
Meet Motty Lavie, Braavos’ Founder & CEO, in a series of Q&As that clarify StarkNet tech opportunities, market evolution, and more. The recap was edited for length and clarity.
Questions overview
- What is the Protected Signer?
- Why was the Protected Signer developed?
- How were you able to develop these Signer features?
- Is account abstraction the same as a smart contract wallet?
- How does community feedback help in developing the source product and other features?
- Is my biometric data at risk when the Hardware Signer is activated?
Q: Can you explain the Protected Signer and how it benefits the community?
As the name suggests, the Protected Signer aims to protect your account. We developed this feature because not all mobile devices support the Hardware Signer, which uses an advanced built-in [phone] security chip that isn’t integrated in older smartphone models.
For example, [the chip] has existed in iPhones since 2013, so anyone that has an iPhone today can enable the Hardware Signer. It also exists in the latest Android phone models, such as the Google Pixel and the latest Samsung mobile devices, but the vast majority of Android smartphones do not have this security chip and thus, cannot support the Hardware Signer.
However, these Android phones have a second-best thing which is called the Trusted Execution Environment (TEE). The TEE enables Trusted Applications to run on the mobile application processor in a special security mode, isolating them from regular applications running on the device.
Unlike the secure enclave, this is not a physical separation, but it still provides strong security that is much better than using only the seed phrase. It mandates two-factor authentication, as this security mode, [which] we transferred the chip to, signs the transaction only after it verifies the user’s biometric identity, and it all happens when the device runs in the TEE secure mode.
So, we created the Protected Signer for those who can’t enable the Hardware Signer because we wanted more users to be able to enjoy 2FA, similarly to those iPhone users who use the Secure Enclave-dedicated chip.
Q: So you created an intermediary level of security for those who are not able to activate the Hardware Signer because their device is not recent. Why did you need to create this extra feature instead of waiting for people to buy more recent smartphones?
We believe that there is currently a security and UX problem in the crypto market.
Users need a solution and we think it’s unfair to ask them to upgrade their device and, in the meantime, not provide support for these users.
If we look at the worldwide mobile market, approximately 30% of mobile devices are iPhones, and 70% are Android devices. Out of these 70%, only a small percentage of Android devices support a dedicated security chip like the iPhone has, which means that over 90% of Android users don’t have that.
So this affects the majority of users and we want to cater to them as well.
Q: What makes all these features possible? What makes you able to create these innovative features?
It consists of a few things. One is that we are a team that came relatively late to crypto. We came from web2, so we’re familiar with the apps and the user journeys that we have in web2 and the desire to reduce friction and enable users to do what they want in the easiest way possible.
Web3, on the other hand, is quite different: it puts a very high burden on the user, so it was clear to us that this needed to be solved. The reliance on the seed phrase in order to secure your funds is wrong on so many levels and it was clear to us that we needed to do something different.
For those who missed it, let’s review the three main types of authentication:
- Something you know, like a password or a PIN code or some other pattern.
- Something you have, like a physical device.
- Something you are, which is your biometric identity. This can be your fingerprint, face, or retina.
The seed phrase falls into the “something you know” category, which is the weakest type of authentication. Today, many non-crypto organizations try to switch from text passwords to “something you have” and “something you are”, which is considered much more secure.
Unfortunately in crypto, until Braavos came along, we were stuck with the seed phrase. We understood that we needed to change that and enable much better security. Adding to that, [with] our experience and understanding of hardware, mobile phones and embedded systems, we knew that this match between the mobile device, with the built-in security chip and the biometric identity verification, should be integrated into crypto.
Luckily for us, StarkNet and account abstraction allow for arbitrary signature verification logic, which allows us to build those features – signing on the secure chip / TEE on your phone and verifying the signature in the account smart contract.
Let’s focus on the account abstraction part and remind people of the fact that the Braavos wallet account is divided into two parts:
- The application part, [which is found on] all other wallets such as MetaMask,
- The account smart contract, which resides on-chain and through which all transactions go before reaching any other contract or protocol.
This account smart contract is extremely powerful because it allows us to run customized verification logic. We utilize this capability to enable the Protected Signer, the Hardware Signer and the Multi Signer.
If we didn’t have this capability, we wouldn’t be able to do that because the signature scheme that is supported in all major blockchains – Ethereum, Bitcoin and even in Starknet itself – is not compatible with the signature scheme that your iPhone or Android phones generate. They cannot talk to each other.
The fact that we can write customizable account contract logic to verify the signature means that we can use the signature from mobile phones in order to sign transactions and authenticate your identity. This is the big leap that happened and hopefully we’ll see it spread out all over crypto.
Q: Is account abstraction the same thing as a smart contract wallet?
You can think about a wallet as an application that contains many accounts, and account abstraction is the technical term that we use to describe these two parts of the account that I just explained. So you can use the term “smart contract wallet” or “account abstraction” interchangeably. Frankly, I think that the term “smart contract wallet” or even “smart wallet” is much better than “account abstraction”, which is a very technical term.
Q: How does community feedback help you in developing the product?
Community feedback is very valuable in our product development process.
Take the Hardware Signer, for instance. Although it offers a great combination of security and user experience, transactions cost a bit more than using the regular signature that is supported on Starknet. This is because we need to run the signature verification logic in the account contract to verify the signature produced by the mobile security chips (unlike a regular signature, this is not provided by the network OS itself).
Since we saw that the cost made users uncomfortable, we worked on two main things. First, we optimized the code dramatically, which led to a 60% reduction in the cost of verifying the proof. Second, we worked with the StarkWare team, which develops Starknet, to introduce another 80% drop in price in the upcoming StarkNet version 11.
This means that the gas fee that people will have to pay to use the Hardware Signer will be very low, so the price delta between that and a regular Seed Signers transaction will be negligible.
Another example is that we noticed many people who use the Hardware Signer still want to use the extension to interact with dApps. So we are planning to add the ability to start a transaction in your browser, and sign it with your mobile app. This will enable you to interact with the dApps on the extension while having the Hardware Signer enabled on your account, and only when you come to sign transactions will you open your Braavos app on your mobile device and sign the transaction from it.
That way, you can enjoy the user interface of the big screen in the browser and get the security of your mobile security chip with the Hardware Signer.
We build our product around users’ needs, and feedback is always very valuable to us.
Q: Can my biometric data be leaked when I have the Hardware Signer enabled? How can I be sure that I am safe donating to a country at war or that I won’t be kidnapped because my face is connected with $1,000,000 worth of famous NFTs?
That’s a great question, and to be honest, in security you can never be 100% sure. However, we want to reduce the probability of something bad happening to a minimum.
Let me start with the second part of your question. Let’s suppose that you are kidnapped. In that case, we have the Multi-Signer, meaning that it’s not enough to authenticate you with your mobile and your biometric. The kidnapper would also need to get your other device (something you have) and a passcode (something you know) to be able to steal your funds.
Moreover, in the future we will enable some sort of time delay, so if someone wants to rob you in the street, they won’t be able to because the money will need to be released by another confirmation transaction a week later, for example. This way, unless the Navy Seals kidnap you, you are probably in the best situation possible.
Now for the first part of your question: how can we be sure the Hardware Signer is secure? What I like about the Hardware Signer is that it uses the Secure Enclave of the iPhone or the Titan M2 chip of the Android, which are attacked daily by big governments and corporations all over the world. And they attack it to steal extremely important data that is much more valuable to them than your funds. And these devices withstand these attacks. As far as we know, since 2018, there has been no breach of the secure enclave.
This doesn’t mean that no one will be able to do that in the future, but it does give us a lot of assurance since these modules and these chips are constantly under attack by huge corporations and big governments all over the world. So I think in terms of security, it’s the very best we can offer today.
Join the many Braavos users who benefit from the Hardware Signer by downloading the Braavos wallet on mobile for Android and iOS, and on multiple browsers: Chrome, Firefox, and more.
To join the Braavos Nation and share your feedback, we encourage you to connect to our Discord and Twitter to get in touch and catch the latest news.