From Security to Usability: The Foundations to Create Smart Wallets

July 8, 2024 · 6 min read · Marc

The rise of smart wallets has brought unprecedented opportunities for self-custodial digital accounts, empowering individuals to be the true custodians of their digital identities and assets. Having complete authority over one’s assets, with no banks or intermediaries involved, offers unparalleled freedom. However, this freedom comes with the responsibility of ensuring both security and usability. For developers, creating self-custodial wallets the right way means balancing these aspects to provide users with both control and convenience. In this article, we explore how to achieve true self-custody and create user-friendly interfaces without compromising on either aspect.

Laying the Foundation

To create a self-custodial wallet, five fundamental principles must be established:

  1. Controllable: Users should be able to access and control their accounts in a self-custodial and censorship-resistant manner.
  2. Recoverable: Essential for situations where users lose their devices or have them stolen.
  3. Simple: Users should not be required to have prior knowledge about blockchains or deal with complex fee-pricing mechanisms.
  4. Switchable: Users should be able to switch between different interfaces while retaining their public-facing account address.
  5. Extendable: A wallet should be designed to accommodate upgrades.

Account Control

Ethereum Externally Owned Accounts (EOAs) rely on a single private key, which users must back up as a recovery phrase. This exposes EOA users to risks such as loss, phishing, and targeted attacks. In contrast, Smart Wallets can use programmable validation logic to accept other authentication methods, such as Passkeys, that are better at preventing key loss or theft.

Passkeys

Passkeys, built on WebAuthn, can secure on-chain Smart Wallets through fingerprint, face recognition, or a device PIN code. Users never handle a private key themselves, and because a credential is bound to the origin that registered it, Passkeys are highly resistant to phishing. Passkeys can optionally be synced across devices through services like Apple’s iCloud Keychain or cross-platform password managers like 1Password and Bitwarden. If a device is lost, the keys can still be retrieved with the user’s default authentication option for their password manager. Passkeys are encrypted through the device’s Secure Enclave and gated by biometrics, so even if the cloud service is compromised, the private keys remain inaccessible.

By integrating a validation module like Safe Passkeys, secp256r1 signatures can be verified on-chain, using the same curve and signature algorithm that Passkeys use.

One caveat is that Passkeys introduce some censorship risk because they depend on a maintained server (the relying party) that issues challenges and stores the public key credentials used to verify them. Passkeys are also bound to a domain name, so a credential can only be used from the domain that registered it. Adding additional recovery methods to cover a failure of either the backend or the web domain provider is essential to avoid unintended or external censorship.

Local Encrypted and Hidden Key

For mobile wallet development, a locally stored, hidden, encrypted key can likewise serve as the primary signer of the smart wallet. This key, encrypted with a PIN or an app-specific password, is never shown to the user, which makes this approach similarly resistant to phishing. Wallets that choose a local signer usually pair it with an account recovery method, such as Social Recovery, so that ownership can be transferred if the device is lost.

Account Recovery

Social Recovery is widely accepted as an effective method for users to regain control of their accounts by changing the main access control to a new owner through their trusted contacts. Account Recovery modules allow owners to add recovery addresses, known as Guardians, to facilitate this process in case their signer key is lost or compromised. The Candide Account Recovery Module is flexible enough to accept various types of Ethereum accounts as Guardians, including:

Normal account operations do not require Guardian approval. Owners can set the number of Guardians and the threshold needed for recovery. Having three Guardians with a threshold of two, for example, reduces the risk of a single Guardian taking over the account. Owners are advised to ask Guardians for fresh addresses to maintain privacy and security.

During a recovery process, the owner has until the end of the delay period to cancel the recovery if initiated maliciously. After the delay period, anyone can finalize the recovery, updating the ownership of the wallet.

We recommend installing the account recovery module for both Passkeys and local encrypted signers.
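The recovery flow described above (threshold of Guardian approvals, a delay window in which only the owner can cancel, then permissionless finalization) is small enough to model end to end. The following is an added example written for this article, not the Candide Account Recovery Module or any other project's code; addresses and timestamps are plain Python values, and Guardian approvals are direct method calls rather than signatures, which is an assumption made to keep the example self-contained.

```python
"""Added example (not Candide's module): a minimal model of Guardian-based
account recovery with a threshold, a delay window, owner cancellation and
anyone-may-finalize semantics. Addresses and times are plain Python values."""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set


@dataclass
class PendingRecovery:
    new_owner: str
    approvals: Set[str] = field(default_factory=set)   # set: no double counting
    executable_at: Optional[int] = None                # set once threshold is met


class RecoveryModule:
    def __init__(self, owner: str, guardians: Iterable[str], threshold: int, delay: int):
        guardians = set(guardians)
        if not 0 < threshold <= len(guardians):
            raise ValueError("threshold must be between 1 and the guardian count")
        self.owner = owner
        self.guardians = guardians
        self.threshold = threshold
        self.delay = delay                     # seconds the owner has to cancel
        self.pending: Optional[PendingRecovery] = None

    def approve(self, guardian: str, new_owner: str, now: int) -> bool:
        """A Guardian votes to move ownership to new_owner.
        Returns True once the threshold is met and the delay clock is running."""
        if guardian not in self.guardians:
            raise PermissionError("caller is not a guardian")
        if self.pending is None:
            self.pending = PendingRecovery(new_owner)
        elif self.pending.new_owner != new_owner:
            raise ValueError("a recovery to a different owner is already pending")
        self.pending.approvals.add(guardian)
        if (self.pending.executable_at is None
                and len(self.pending.approvals) >= self.threshold):
            self.pending.executable_at = now + self.delay   # delay starts here
        return self.pending.executable_at is not None

    def cancel(self, caller: str) -> None:
        """Only the current owner may cancel, any time before finalization.
        This is the defence against a malicious or colluding Guardian set."""
        if caller != self.owner:
            raise PermissionError("only the owner can cancel a recovery")
        self.pending = None

    def finalize(self, now: int) -> Optional[str]:
        """Anyone may call. Returns the new owner, or None if not yet executable."""
        p = self.pending
        if p is None or p.executable_at is None or now < p.executable_at:
            return None
        self.owner = p.new_owner
        self.pending = None
        return self.owner
```

Two properties worth checking in any real module map directly onto this model: a single Guardian cannot advance the clock by approving twice (approvals are a set), and the delay only starts once the threshold is reached, so the owner always gets the full window to cancel.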

Blockchain Abstraction

Blockchain concepts like gas fees, public addresses, and multichain support can be complex and intimidating for new users. To improve accessibility and usability, consider implementing abstraction techniques for each.

Gas Fees

Gas abstraction services, such as Candide Paymaster, provide various methods for paying transaction fees. Allowing users to pay gas fees in the same ERC-20 token they are transacting in creates a user experience similar to traditional fintech or bank accounts. Offering promotional gas fee abstraction through third-party sponsors can be an excellent marketing strategy, rewarding loyal users and eliminating the need for them to manage gas fees directly.

Public Addresses

Public/private key pairs are increasingly common, but raw hex addresses are not user-friendly. Implement readable usernames through sub-domain names. Using “vitalik.yourwalletname,” for example, enhances both your brand’s value and user accessibility, making transactions more intuitive and approachable for everyday users.

Multichain Support

From an insider’s perspective, supporting multiple chains might seem necessary for accessing more dApps and tokens. However, if the target audience primarily seeks stablecoin transfers and steady interest on their funds, going multichain can undermine usability. Often, the complexity of multichain support outweighs the benefits, leading to a degraded user experience. Successful wallets today often launch with single-chain support, with the ability to deposit from any network.

Multi-step Actions

Smart wallets can bundle actions into a single step, reducing clicks and improving usability. This practice, common in other apps, should be the standard for crypto applications as well.

Different Client Interfaces

Crypto wallets are particularly vulnerable to being taken down by platform providers like Apple and Google due to their inherent nature. This is a significant concern for any wallet company, making it crucial to implement measures that guarantee users can always access their accounts. For wallets relying on novel smart account contracts, providing a simple web interface that allows users to withdraw funds to a different account is the minimal requirement. This strategy avoids both vendor lock-in and out-of-hand censorship in the face of potential platform restrictions.

Building on top of Safe Accounts mitigates this risk, as users can easily migrate to Safe interfaces and any of the hundreds of wallets that support Safe Contracts.

Upgrades

Ethereum is evolving, and wallets must keep pace. Upgradable smart accounts are essential to ensure users have access to the latest security enhancements and new features. It is recommended that on-chain wallet upgrades occur only with user consensus, where the owner approves the upgrade based on the wallet’s recommendations. This approach maintains user trust and control, ensuring that improvements align with their preferences and security needs.

Marc

Co-founder, Candide

Building open infrastructure for onchain finance.
