'Horrendous Idea' to Back Up Keys Leads to User Backlash for Ledger
May 16, 2023 10:13 pm
Last Updated: May 17, 2023 12:15 pm
On Tuesday, Ledger’s Chief Security Officer, Charles Guillemet, announced a new feature for the popular lineup of hardware wallets. For users who are not confident enough to safeguard their recovery phrase, Ledger will provide an alternative.
Specifically, an optional subscription called Ledger Recover. As the name suggests, it will enable users to recover their access to the blockchain network, i.e., their funds. The service is device-agnostic so that the recovery process can be accessed anytime. However, the firm came under fire from the community over the move.
According to Guillemet, the subscription is not automatically enabled. If activated, the user would first have to go through a KYC-like procedure by verifying their identity via selfie recording. Then, the Ledger device, such as Ledger Nano X, would copy the user’s recovery phrase.
This duplicate would be encrypted and linked to the verified identity. In addition to encryption, the recovery phrase backup would be fragmented into three shards. Ledger, Coincover, and an unnamed third party would secure each.
On their own, these three fragments are purportedly useless. When the user activates the Ledger Recover procedure, two parties return the fragments to the device. They are then recombined into a functioning recovery phrase following identity verification.
“Decryption can only happen on Ledger after identity verification.”
Third parties, Onfido and Electronic IDentifications, will be in charge of verifying users’ identities. Once reassembled from the fragments held by these multiple third parties, the backup is restored on the Ledger device.
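The "three fragments, any two recombine, one alone is useless" property the article describes is a threshold secret-sharing scheme. The following Python is an added illustration, not Ledger's or Coincover's code; the article does not name the scheme, so it assumes Shamir's construction over GF(2^8) and uses a constructed 16-byte seed (the entropy behind a 12-word phrase) in place of a real wallet.

```python
"""2-of-3 threshold backup of a wallet seed, Shamir-style over GF(2^8)."""
import os

# AES field: multiplication modulo x^8 + x^4 + x^3 + x + 1; addition is XOR.
def gf_mul(a: int, b: int) -> int:
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse of a nonzero field element (brute force over 255 candidates)."""
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def split_2_of_3(secret: bytes, rng=os.urandom) -> dict:
    """Per byte, pick a random line f(x) = s + a*x; shard i holds f(i) for i = 1, 2, 3."""
    coeffs = rng(len(secret))
    return {x: bytes(s ^ gf_mul(a, x) for s, a in zip(secret, coeffs)) for x in (1, 2, 3)}

def recover(share_a: tuple, share_b: tuple) -> bytes:
    """Lagrange interpolation at x = 0 from any two shards, each given as (x, bytes)."""
    xa, ya = share_a
    xb, yb = share_b
    inv = gf_inv(xa ^ xb)  # 1 / (xa - xb); subtraction is XOR in characteristic 2
    return bytes(gf_mul(gf_mul(p, xb) ^ gf_mul(q, xa), inv) for p, q in zip(ya, yb))

def candidate_secrets_for_one_shard(x: int, y: int) -> int:
    """How many secret byte values remain consistent with a single shard byte y at point x."""
    return sum(1 for s in range(256) if any(s ^ gf_mul(a, x) == y for a in range(256)))

# Constructed 128-bit entropy standing in for a 12-word recovery phrase; not a real wallet.
SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def demo(seed: bytes = SEED) -> tuple:
    shards = split_2_of_3(seed)
    pairs = ((1, 2), (1, 3), (2, 3))
    all_pairs_recover = all(recover((i, shards[i]), (j, shards[j])) == seed for i, j in pairs)
    return all_pairs_recover, candidate_secrets_for_one_shard(1, shards[1][0])

if __name__ == "__main__":
    print(demo())  # (True, 256): any two shards rebuild the seed, one shard rules nothing out
```

The second value is the point the article makes about a lone fragment: every one of the 256 possible secret bytes is consistent with it, so a single custodian learns nothing about the seed.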
A recovery phrase, typically 12 – 24 words, is the master key that unlocks blockchain access from any device. This is useful in some cases; for example, a user loses 100% of their belongings in a house fire, including the smartphone/computer with the installed wallet app.
If those were regular digital files, such as videos, they would be permanently lost if no backup existed. But a crypto wallet is not a file container per se. The user would regenerate the wallet app (blockchain access) on a new device with the recovery phrase, either remembered or retrieved from another location.
More precisely, the recovery phrase (also called a seed phrase) is what generates the wallet’s private keys. Therefore, the private keys themselves are less important: they authorize transactions, but they are derived from the seed phrase.
In this light, Ledger Recover is controversial in several ways:
These are potential vulnerability vectors that could be exploited down the line. Preemptively, Guillemet assured Ledger customers that such potential exploits were not possible.
“Self-custody is at the core of our offering and your secret recovery phrase is created on your device. We have no access to it. This will never change.”
However, even Binance’s CEO expressed some doubts about the new Ledger feature.
In the first decade of Bitcoin adoption, there was no shortage of headlines on thousands of bitcoins lost. For instance, Gabriel Abed lost 800 BTC in 2011 when his colleague formatted a laptop hard drive containing the wallet’s private keys. These funds are forever locked on the Bitcoin network without a recovery phrase.
It could also be said that the human brain is unreliable. What if someone suffers a concussion, and the seed phrase is scrambled? In this light, Ledger Recover is an enticing option.
However, as software engineers know, complexity breeds points of failure. In 2020, Ledger’s customers received emails from fake Ledger support asking them to download the latest Ledger Live version. Such classic phishing attacks exploit the bridges erected between users and third parties.
In that instance, an unauthorized third party accessed Ledger’s e-commerce database via an API key. This time, Ledger will use multiple third parties and fragment the seed phrase. Yet all this bridging and connectivity signifies a departure from what users understand as a “self-custodial hardware wallet.”
This article originally appeared on The Tokenist