On Feb. 12, San Francisco-based cryptocurrency exchange Coinbase announced that users of its Coinbase Wallet can now back up their private keys on cloud storage, namely on Google Drive and iCloud.
The move has received mixed reaction from crypto community and cybersecurity experts, some of whom seem skeptical about the idea of storing private keys on centralized servers. Others are confident about the new feature, stressing that it entails encryption.
A brief introduction to Coinbase Wallet, formerly known as Toshi
Coinbase Wallet differs from the main app, Coinbase (or Coinbase.com). With the latter, the cryptocurrencies purchased by customer and their private keys are stored by Coinbase. With Coinbase Wallet, in turn, users store their own crypto protected by their unique private keys. Those keys are purportedly secured with Secure Enclave and biometric authentication technology.
Initially, Coinbase developed Toshi, an open-source, mobile-focused decentralized application (DApp) browser and Ethereum (ETH) wallet that launched in April 2017. The project was inspired by Chinese mobile payments app WeChat and had a built-in messaging support and reputation system, enabling users to rate other users and apps within the platform. According to its developers, Toshi aimed to provide financial services to people in developing countries, especially to the unbanked population. It was also allegedly the first wallet to launch crypto collectibles.
A year later, in April 2018, Coinbase merged Toshi with its recently acquired Cipher Browser, a similar decentralized app browser and wallet for the ETH blockchain. Cipher’s creator and only developer, Pete Kim, became the head of engineering at Toshi, joining Sid Coelho-Prabhu, Coinbase’s product lead for the DApp project.
In August 2018, Toshi was rebranded to become Coinbase Wallet. The official announcement read:
“This is not just a new name, but part of a larger effort to invest in products that will define the future of the decentralized web and make that future accessible to anyone. […] With Coinbase Wallet, your private keys are secured using your device’s Secure Enclave and biometric authentication technology.”
Thus, at the time, Coinbase Wallet supported ETH and ERC-20 tokens management, airdrops, crypto collectibles trading and storage, as well as access to DApps and decentralized exchanges, among others things. According to the firm's Medium entry published at the time, Coinbase Wallet would start supporting Bitcoin (BTC), Bitcoin Cash (BCH) and Litecoin (LTC) “very soon.”
In November 2018, Coinbase Wallet added support for Ethereum Classic (ETC). In February 2019, the exchange’s wallet began hosting BTC. The firm repeated that it is considering adding BCH, LTC as well as other major cryptocurrencies.
More about the new feature: support for Google Drive and iCloud, more cloud storage providers in the feature
Thus, on Feb. 12, Coinbase Wallet declared that its users can now back up their private keys on Google Drive and iCloud.
In the accompanying statement, Coinbase explained that allowing users to upload their keys to a cloud provides a safeguard against lost keys and will help them avoid losing funds should the keys be misplaced:
“The private keys generated and stored on your mobile device are the only way to access your funds on the blockchain. Owners of ‘user-controlled wallets’ like Coinbase Wallet sometimes lose their devices or fail to backup their 12 word recovery phrase in a safe place, thus losing their funds forever.”
Now, users of Coinbase Wallet can store an encrypted copy of the recovery phrase on their cloud accounts. Coinbase notes that neither they nor the cloud services will have access to user funds, as the recovery phrase key is unlocked by a password known only to the user. The backup is reportedly encrypted with AES-256-GCM encryption, which is only accessible through the Wallet mobile app.
Coinbase notes that, in addition to Google Drive and iCloud, they will expand support to other clouds in the future. The feature is an opt-in service that does not replace or supersede the original recovery option.
Interestingly, the feature was rolled out against the backdrop of the QuadrigaCX case. Earlier this month, the Canadian cryptocurrency exchange filed for creditor protection after the sudden death of its founder, who was reportedly the sole executive responsible for the exchange’s keys and cold wallets. Following his death, the exchange has been unable to access $145 million in digital assets it allegedly needs to remain payable.
The new feature received mixed reaction among the crypto community, as some criticized the idea of storing private keys on centralized servers. “You might want to rethink this,” one of the most popular replies to Coinbase’s announcement on Twitter reads. “I don't understand, how do you misunderstand your target audience so bad?” the other one says.
The reaction among Reddit users seems more collected, as many users stressed that the new feature entails encryption. For example, u/CryptoNoob-17 wrote:
“At least it's not unencrypted private keys like what blockchain.info did some time ago by sending private keys as plain text over http. If this keeps some noobs from losing their coins and telling all their friends how stupid cryptocurrency is because they lost it all, I don't see a problem.”
So, is the new feature safe enough? Experts weigh in
Cybersecurity specialists also seem on the fence about the new feature. Taylor Monahan, the founder and CEO of MyCrypto, a noncustodial wallet, told Cointelegraph that trusting users to come up with complicated enough passwords is not a good idea:
“Regardless of the strength of the encryption, the weak link will always be the user selected password (on both their wallet AND their cloud storage account). People simply aren't capable of generating a password with enough entropy, nor do they always use unique passwords for every service.”
Monahan adds that, if hackers realize that an influx of people start using cloud servers to store their cryptocurrency, “we will undoubtedly see an increase in attacks against these cloud storage providers.” She added:
“Players like Coinbase should not be encouraging this type of unsafe behavior. I understand the desire for a better user experience, but the worst user experience is one where people lose all their crypto assets due to theft.”
Hartej Sawhney, co-founder and president at Hosho, a startup protecting investments and providing multiple smart contract services including audit, does not agree that individual users will be targeted by hackers as a result of the new upgrade.
“Hackers tend to want maximum information for minimum effort. This means they will likely attack the heart of a cloud storage service rather than its individual users. Google Drive and iCloud have historically been secure,” he told Cointelegraph, adding that, to him, Coinbase still seems much safer compared to other platforms:
“If anything, cryptocurrency exchanges should take some notes from Coinbase on how to bolster security. Additionally, Coinbase follows robust security features such as multi factor authentication, email confirmation, and an active bug bounty program, making it far more robust than any other crypto exchange.”
Josh Datko and Thomas Roth, members of a team of security researchers who study hardware and software vulnerabilities under the title “Wallet.fail,” also told Cointelegraph that the new feature is safe enough, given that certain precautions are made:
“In our opinion, an user encrypted cloud backup does not significantly increase the risk of compromised given that the password is complex enough, the key derivation from the password to the AES-256-GCM key is sufficient, and there are no implementation mistakes.”
Additionally, Datko and Roth warned that the implementation also matters:
“Unfortunately, while this sounds like a straightforward feature, many organisations have made mistakes here. To the best of our knowledge, we are not aware if this new feature is open source or if Coinbase had this independently reviewed.”
Cointelegraph has also reached out to Coinbase for further comment, but the company has not replied as of press time.