All wallets have differing levels of security. With so many ways to access a wallet, it can be difficult to figure out what makes some of them more secure. There are things you absolutely shouldn’t do, regardless of the type of wallet used – like enter your private information directly online. Some wallet creation methods leave the user vulnerable to phishing. Other access methods, like hardware wallets, are more difficult to mess up.
Secure by design
While it’s ultimately up to the user to keep themselves safe, wallets can build security measures into their design to help users along. Direct access with software methods like private key or mnemonic phrase is the least secure option – it leaves the 'naked' keys exposed to phishing. Encryption of the private key with a keystore file is slightly more secure, but in truth, mnemonic phrases and private keys should only be used for recovery purposes, rather than as the main method of access.
Hardware wallets are seen as the pinnacle of wallet security because they offer cold storage in a physical device that keeps your keys encrypted in the device itself, off the internet, and in your own hands. Most hardware wallets still need to be used with another form of wallet service, such as a web-based interface or desktop app (covered in the first part of this series!) to offer full functionality.
Hardware devices are Hierarchical Deterministic (HD) wallets, meaning they offer multiple public addresses to choose from when deciding where to store your funds. Each wallet has a root private key and public address pairing, but these split off into thousands of other pairings that are unique to the wallet. The benefit of this lies in creating options, giving some wiggle room for temporary investments or organizing assets. However, this can also get confusing if actions aren’t taken to map it all out from the start.
Each of the hardware wallet addresses comes from a 'derivation path', which is a fancy way of saying the addresses branch off in different ways. If you use one path for your address, you’ll need to continue using that path for all future access. For example, the derivation path for Ethereum is m’/44’/60’/0’/0, but the path for Ethereum Classic is m’/44’/61’/0’/0. Both of these paths result in a different list of public Ethereum addresses, so it’s important to keep track of which path you’re using. Most wallets will tell you when you connect, but if they don’t, they’re likely defaulting to the Ethereum path above.
Hardware wallets are considered cold storage, because they keep your sensitive information separate from online servers. In this way, it’s impossible for your wallet access keys to get phished or stolen. Each hardware wallet uses a different approach to this, but cold storage is the standard for this category of wallets.
Ledger hardware wallets are a little different than the rest, as they have their own desktop wallet called Ledger Live, and they use a different default derivation path than most other Ethereum wallets (m’/44’/60’/0’, taking a ‘0’ off the end). The Ledger comes in multiple models, the newest being the Ledger Nano X, which can connect through USB or Bluetooth.
Trezor is another popular hardware wallet and the biggest contender with Ledger. They also sport multiple models to choose from, with the most popular arguably being the Trezor One. Trezor and all the other hardware wallets follow the standard derivation path for Ethereum. Among the other hardware wallets are CoolWallet, KeepKey, Digital BitBox, and more. It’s worth doing your own research to discover which one is right for you.
Hardware-like Mobile Wallets
There are many mobile wallets out there, and we will cover them in depth in another part of this series, but only a few phone applications can work as a hardware wallet alternative. One such example is MEWconnect, a MEW signing app meant to allow secure wallet access comparable to that of hardware wallets. Although this is not a separate piece of physical hardware, it still offers an encrypted access method that keeps your keys away from online servers and stored in a secure, local location on the phone itself.
In MEWconnect’s specific example, the wallet is secured with a mnemonic phrase for recovery purposes should the phone become lost, stolen, or broken. Just like other hardware wallets, MEWconnect functions as a HD wallet with multiple addresses. However, it defaults to the first address of the list and keeps the rest hidden. If you restore this wallet in a different provider, you’ll likely see multiple addresses along with your familiar one at the top.
MEWconnect protocol is also used in MEW wallet app, MEW's full-fledged mobile wallet. MEW wallet offers the convenience of a mobile app, allowing you to transact directly from your smartphone, while maintaining the security of a signing app if you choose to use it with MEW web. Other examples of smartphone wallets with hardware-like functionality include the Finney, supported by the MEW web interface, and Samsung’s Blockchain devices, which list MEW wallet as a DApp.
In Part 3, we’ll take a look at mobile wallets and the differences between custodial and noncustodial wallets. We’ll also explore the benefits and detriments of centralization, and how it can have an effect on user experience.