We recently shared a post covering features we're including in the hardware component of the wallet we're building – and we wanted to share important context about the product we're building and who we're building it for. Developing a product like this in the open is a new journey for us, and we still have a lot to learn.
And, we are designing for people who will have a lot to learn – about bitcoin, wallets, and the technology they need to use for both. We're building a wallet for people around the world who likely haven’t yet used bitcoin as a savings tool or for its payments capabilities. Our goal is economic empowerment – starting with building an easy-to-use, reliable wallet that helps people around the world safely own and manage their bitcoin, rather than having to rely on a number of tools and services that don’t work well together and are challenging to use for a wider global audience.
With broad adoption in mind, the wallet we’re building has 3 valuable elements that together provide flexibility, security, and peace of mind. The 3 parts of the customer’s wallet have different permissions and options built in, so that customers can use these self-serve tools in a way that fits their needs, which we realize will vary greatly for different people in different geographic settings. The wallet is composed of 3 things:
- A mobile app that’s easy to use and allows customers to safely own and manage their bitcoin, while finding partners where they can buy/sell/convert between fiat and bitcoin
- A hardware device that adds additional layers of security when moving money and acts as a self-serve recovery kit when a customer loses their mobile wallet
- Recovery tools that help customers recover from losing part or all of their wallets, and that have a clear, defined set of rules to provide customers with reasonable support and peace of mind
We think most customers will want to prove ownership of their hardware using a fingerprint sensor – authentication of one’s identity is required before the hardware interacts with the mobile phone’s NFC field in order to sign a transaction with the key in the mobile app. However, we realize that some customers may not be able to, or may not feel comfortable, using the fingerprint sensor on the hardware component of the wallet. That’s why we’ll offer PIN as an alternative way to access the hardware.
We’re including an FAQ below that covers in more detail how the wallet we’re building works. We're still working on a number of important areas of the wallet design that are related to what we're covering in this post, including assessing fingerprint sensor performance and designing the recovery process customers will use to regain access to their funds when they lose part - or all - of their wallet. We're looking at the many tradeoffs between protecting against accidental loss and protecting against attackers, all while focusing on making it easier for a broad audience to actually own and manage their money. Completing this work will take time, and we'll share more as we continue to build. We're open to feedback along the way - reach us on Twitter or at firstname.lastname@example.org. We look forward to sharing more about how we can ensure the wallet we’re building is both secure and easy to use.
How does my wallet secure funds?
Your wallet is protected by three keys.
Two out of three keys must be used together to move your money – we cannot move your money for you, and you can move your money at any time without us. This is enforced by the bitcoin network and does not depend on any policy or implementation by us.
Your wallet keys are each protected by an access mechanism:
How do I move money?
You can always move money without interacting with our servers by using the mobile key stored in the mobile app on your phone and the key stored in your hardware device – but we don’t expect you to do this for every transaction as you might want some more flexibility while still maintaining a high level of security.
For smaller transactions, you only need your mobile key stored in your phone, and we will sign with the second key when you move your money with your mobile app. This lets you keep your hardware device tucked away somewhere safe and reserved for larger transactions - or for the recovery capabilities it holds, which we discuss in a few questions below. We don’t expect you to bring the hardware device with you for daily usage - in fact, it’s safer to keep your mobile phone separate from the hardware device on a regular basis, because both of those things (the mobile app and the hardware device) are needed together to move larger amounts of money.
Where should I store my hardware device?
Remember that your hardware device, which is protected by either your fingerprint or a PIN you create, is just one part of your wallet. The other part of your wallet is the mobile app. Both the mobile app and the hardware device work together in physical proximity (via NFC) to move larger amounts of money. We expect you’ll be taking your phone with you, but we recommend you leave the hardware somewhere safe. That way, you have an extra layer of protection for higher-stakes transactions.
What are ‘large’ and ‘small’ transactions? Who decides?
You decide how large of a transaction you want to be able to make using only your mobile app. For any transaction above the limit you set, you'll need to use your hardware device in addition to your mobile app - two layers of protection. You'll set the limit in the mobile app, and you'll need to use both your mobile app and hardware device to make any changes to the limit. You can also configure your wallet to require both the mobile app and the hardware device for every transaction, regardless of size, if you prefer that level of security for each transaction. With your mobile app communicating directly with the bitcoin network, this approach means the two keys you hold are used for your transactions, and you’ll only ever need to call on our key to help recover your wallet if one of the two devices that each hold a key is lost.
On the flip side, you can also set up your wallet to never require the hardware for a transaction - just the mobile app. Even if you decide to allow your mobile app to move money on its own without the hardware device, the hardware device (protected by your fingerprint or private PIN) becomes very helpful if you lose your mobile phone. If you choose to never require the use of your hardware device to move money, this comes with a tradeoff: anyone who can get possession of your phone and provide the correct PIN or biometric to access your mobile app could move your money, so we recommend using the hardware device for an extra layer of protection for larger transactions.
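As an added illustration (this is not the wallet's own code), the following Python model captures the spending policy described in this answer and in the server-key answers: any two of the three keys satisfy the network rule, the server only co-signs a spend the mobile key has already signed and that is within the customer's limit, and changing the limit needs both customer keys. The names Wallet, spend, change_limit and the satoshi limit value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MOBILE, HARDWARE, SERVER = "mobile", "hardware", "server"
ALL_KEYS = {MOBILE, HARDWARE, SERVER}


@dataclass
class Wallet:
    # Largest spend (in satoshis, constructed value) the mobile key may make
    # with the server's co-signature. 0 means the hardware device is needed
    # for every spend; None means the hardware device is never needed to spend.
    mobile_limit: Optional[int] = 100_000

    def network_accepts(self, signers: Set[str]) -> bool:
        """Stand-in for the bitcoin 2-of-3 multisig rule: any two distinct
        wallet keys authorise a spend, regardless of which two they are."""
        return len(signers & ALL_KEYS) >= 2

    def server_cosigns(self, amount: int, signers: Set[str]) -> bool:
        """Server policy: co-sign only a spend the mobile key has already
        signed, and only while it is within the customer's limit."""
        if MOBILE not in signers:
            return False  # the server never moves money on its own
        if self.mobile_limit is None:
            return True
        return amount <= self.mobile_limit

    def spend(self, amount: int, customer_keys: Set[str]) -> Tuple[bool, Set[str]]:
        """Try to spend with the keys the customer physically holds.
        Returns (accepted by the network, keys that ended up signing)."""
        # A customer can only ever present the two keys they hold.
        signers = set(customer_keys) & {MOBILE, HARDWARE}
        if self.network_accepts(signers):
            return True, signers  # mobile + hardware: server not consulted
        if self.server_cosigns(amount, signers):
            signers.add(SERVER)
        return self.network_accepts(signers), signers

    def change_limit(self, new_limit: Optional[int], customer_keys: Set[str]) -> bool:
        """Raising or lowering the limit always needs mobile + hardware,
        so a phone on its own cannot lift its own spending cap."""
        if {MOBILE, HARDWARE} <= set(customer_keys):
            self.mobile_limit = new_limit
            return True
        return False
```

Running the scenarios shows the tradeoff from the text: with a limit set, a lost phone can move at most the limit, and with the limit removed (None) the phone alone can move everything.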
Does the company that makes this wallet have control over my funds?
No, we do not have control over your funds. You have true ownership: we cannot move your money for you, and you can move your money at any time without us. You have two of the three keys in your possession - on your mobile phone and on your hardware device. We only have one key, and because two keys are required to make a transaction, we cannot access, move, or take your money, or grant anyone else access to your money. Our key only serves two purposes: (1) only with your explicit permission, cooperate in recovering your wallet in case you’ve lost your phone or hardware, and (2) sign, in response to you moving your money with the mobile key for transactions you’ve allowed that do not additionally require your hardware device.
What happens if I lose my phone?
If you lose your phone, you’ll be able to recover your wallet using the mobile app on your new phone and your secure hardware device. You’ll need to unlock your hardware device in the process, using your fingerprint - or using your PIN if you chose that option instead.
What happens if I lose my hardware device, or both my phone and hardware device?
If you lose your hardware device, or lose both your phone and your hardware device, there will be ways for you to recover your wallet based on the security settings you’ve defined when you set up your wallet. We’ll provide more detail on what this process looks like for customers and how it works in a future update. And as part of defining what tools we provide to customers in order to recover their wallet in different scenarios, we'll also be thinking through inheritance, as that is an important part of managing your financial future.
What if I don’t want to use the fingerprint sensor to unlock the hardware?
We think most customers will want to prove ownership of their hardware device using a fingerprint sensor given that biometrics have become an increasingly prevalent way to prove identity and protect things of value. However, we realize that while biometrics are a common form of authentication on mobile phones, some customers may not be physically able, or comfortable in some environments, to use the fingerprint sensor on the hardware component of the wallet. If you prefer not to use your fingerprint to unlock your hardware device, you don’t have to – we’ll provide an option for you to use a PIN to unlock the hardware instead. If you choose this option, whenever you want to unlock the hardware device, you’ll need to enter the PIN into the mobile application, which communicates with the hardware device via NFC when in close proximity.
Where does my fingerprint data end up?
Your fingerprint data will never leave the secure hardware device, which doesn’t have a persistent internet connection and will never transmit fingerprint data over its only communication interface (NFC). Independent experts will be able to confirm this in the open source code that powers the hardware device that we’ll share in the future. Additionally, wallet owners who don’t want to use their fingerprint to unlock their hardware device will be able to choose a PIN option instead.
What if the sensor won’t recognize my fingerprint anymore?
Remember that your hardware device is just one part of your wallet. If you’re unable to unlock your hardware device using your fingerprint and don’t have a PIN alternative set up, you’ll be able to use your mobile app to recover your wallet.
When will we use the server key to sign transactions?
We cannot move your money for you, and you can move your money at any time without us. We hold 1 key, out of a total of 3 keys - 2 of which are held by you as the customer. The only two purposes for the 1 key that we hold are:
- Only with your permission, cooperate in recovering your wallet if you’ve lost your mobile phone or hardware device
- Sign in response to you moving your money with the mobile key, for smaller transactions as defined by the limit you set