Last week, there was a small uproar in the Web 3 world when a new protocol, DeSo, announced an update to its user login flow. Previously, the decentralized media service had asked users to enter their “seed phrase” into the project’s web interface, defying all generally accepted best security practices and drawing criticism across the industry.
“Chrome extensions like MetaMask are more secure, but most mainstream users will never install them. Instead of yelling at our users about security best practices, we did something radical: We met them where they are today,” explained DeSo’s founder, Nader Al-Naji. The team found, however, that they had not actually met users where they were given that “10% of people lost their seed immediately.”
Jill Gunter, a CoinDesk columnist, is a venture partner with Slow Ventures, where she invests in early-stage crypto and Web 3 projects. She is also a co-founder of the Open Money Initiative, a non-profit research organization working to guarantee the right to a free and open financial system.
To address this issue, DeSo now offers users the ability to automatically back up their seed phrases to Google Drive from within the application. If anything, this is even worse from a security perspective than their original login flow.
When it comes to seed phrases, the generally accepted best practice is never to store them on any device that is connected to (or has been connected to) the internet. These 12-, 18- or 24-word phrases are what enable users to recover the assets stored in a given digital wallet should they lose or replace the device they used to access their funds. Seed phrases are so sensitive because they allow anybody who knows their magic words to gain access to the associated assets.
Most crypto and Web 3 applications encourage users to write down their seed phrases and store them somewhere secure, such as a bunker or a physical safe deposit box. Do not tell anyone. Do not store the phrase in an online password manager, the wisdom goes, let alone in your Google Drive. And do not ever enter your seed phrase into a website form, lest you become the victim of a phishing attack.
And yet, my experience of interacting with all kinds of crypto and Web 3 users suggests that few take this wisdom on board. It is easy to empathize with DeSo’s predicament.
I have fielded many messages from friends who only lightly dabble in crypto asking me for help in remembering “what 12-word sentence” they might have used to back up the bitcoin wallet they set up in 2017. (As a note: unlike a password, users do not decide what their seed phrase should be; it is instead generated for them. Which is yet another point of friction and confusion for users to overcome.)
I have seen seed phrases scribbled in notebooks left in backpacks under the counters at bars during crypto conferences. I have acted as customer support on crypto projects and had users message me with their private keys (despite my admonitions not to) asking for help. I have seen users post their private keys in Discord channels. I, myself, only a couple of weeks ago came across 24 words scribbled down on a Post-It note in the bottom of a purse I frequently used a few years ago. I doubt that I will ever know what wallet it is associated with.
In light of these observations and experiences, it is tempting to shrug and say that maybe DeSo has it right. For the average user just dabbling in Web 3 for the first time, maybe it is the most sensible approach to store seed phrases somewhere like Google Drive. Better there than in a sock drawer, right?
Problem is, even if today the stakes for the average user would be low in keeping their keys in Google Drive, down the line the consequences may become financially significant. It seems that every year, the media becomes fixated on some other poor sap who bought bitcoin in 2011, made hundreds of millions of dollars, but lost their seed phrase and can no longer access the funds (the guy who lost half a billion in a dump in Wales comes to mind).
While DeSo users who store their seed phrases in Google Drive will not have to worry about losing track of the seed phrase, they will have to worry about their Google account becoming a target for hackers. If lots of early adopters of the protocol do become millionaires off of the assets they have stored within the DeSo system, then suddenly Google Drive will become an enormous honeypot for all of them. This is dangerous for users – and presumably a situation that DeSo would like to avoid.
For the industry, there is an even bigger problem with DeSo’s approach. It is teaching users to do things that are dangerous without adequately explaining to them what the risks are. DeSo is neither educating users nor mitigating the risks they are asking users to take on. DeSo is merely cutting corners and creating problematic habits that users will take with them when they go to use other Web 3 applications.
The user experience of accessing and engaging with crypto remains an unsolved problem. Web 3 and crypto almost definitionally ask users to take on more responsibility when engaging with the internet. The responsibilities and challenges arise well beyond the problem of seed phrase storage. Many hardcore crypto proponents advocate for users to run their own nodes for the protocols they interact with. Users regularly have to navigate block explorers to view transaction details, wrap and unwrap assets into different token standards, and, of course, deal with expensive, opaque and unpredictable fees.
Much of crypto reverses what Web 2 has trained users to expect and feel comfortable with. With the trusted, free, seamless applications of Web 2, users can port across devices that open and unfold with a mere glance or a buzz on a wristwatch, often without so much as entering a password. That stands in stark contrast to Web 3 and its device-siloed, security-intensive experience that asks users to navigate inscrutable flows, often with little education or instruction embedded in the product.
And therein lies a key part of the user experience solution: education. We should not think so little of users that we have to cut corners for them, as DeSo does. After all, a core principle of crypto lies in the empowerment of the individual. Teach users about their options and the associated risks (including, indeed, the options of storing a seed phrase in Google Drive), and let them choose.
When I think about the user experience of Web 3 today, I am often brought back to my earliest experiences using a computer and the internet. I recall, as a 5- or 6-year-old, looking on as my uncle set up a Gateway computer for my parents in our family room and hooked us up, for the first time, to dial-up internet. He was using all kinds of jargon that would become native to us all over the next 10 years, but to my parents was clearly foreign and uncomfortable.
The “operating system,” the “modem,” the “IP address.” I can still remember the aura of skepticism and exhaustion my parents seemed to share once my uncle had left that afternoon. As if they were thinking: “There’s no way we are ever going to figure out how to use this.”
But we all figured it out! The average computer user may not be able to give you the precise, technically accurate explanation of the role an operating system plays on their computer, or why a modem is needed or how an IP address is derived. But billions of us have figured out how to upgrade an operating system, plug in a modem and connect to Wi-Fi networks. Some of this has come down to innovation in user experience, but much of it has simply resulted from user education combined, importantly, with strong incentives for users to get up to speed. Once I caught a glimpse of what that old desktop computer connected to the internet could offer me, I made it my business to understand what I needed to be able to use it. Neopets and America Online were enough to motivate me to figure it out in all of its complexity.
The same is, and will continue to be, true of crypto and Web 3. With a strong enough value proposition, concerns about users balking and churning at the prospect of downloading a Chrome plugin or having to securely store a 12-word phrase will diminish for product builders. That is not to say that we should not still work to improve these experiences. It is only to say that we should not assume that we have to go to the extreme measures of cutting corners to onboard users. We ought to give them more credit than that. And if cutting corners is what it takes to users to pick up your product, then perhaps you should re-examine whether your product is actually providing sufficient value.