Bitcoin Forum
Author Topic: New wallet uses Amazon hardware security modules to eliminate seed words  (Read 148 times)
_act_ (OP)
May 11, 2023, 01:31:54 PM
 #1

Is this good?

The wallet was launched by Kresus. It uses a magic link to sign in users, which means the wallet does not require a password login. It is only on the Apple Store for now.

https://cointelegraph.com/news/new-wallet-uses-amazon-hardware-security-modules-to-eliminate-seed-words

Quote
Speaking to Cointelegraph, the Kresus team said that their new wallet app attempts to fix this problem using a wallet infrastructure and software development kit (SDK) called “Magic,” which stores the user’s private key on an Amazon Web Services computer that is specifically designed to store highly sensitive information.

The AWS computer encrypts the user’s key with a Master Key that cannot leave the hardware module, much in the same way that a hardware wallet does. This eliminates the need for seed words or private keys to be stored on the device or kept as a paper backup, the team said.
Is a seed phrase a problem?

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.

Quote
The Kresus team stated that because of the way Magic infrastructure works, neither they nor the Magic development team are able to see the user’s private key during account creation or login, so they cannot make unauthorized transactions.
How can we know that?

I cannot go beyond using open source seed phrase wallets that will give me complete control of my coins.

What do you people think about this wallet that I cannot recommend?

Zaguru12
May 11, 2023, 01:55:07 PM
 #2

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

This doesn’t make it a bit different from centralized exchanges. One of the easiest scams or attacks by hackers is compromising one’s email address; sending a link to an email address could just hand one’s account over to the hackers should the email be compromised. This is something that centralized exchanges currently do when resetting passwords, and it is said to be risky. So it still doesn’t change anything, except if one could change email all the time, which will also one way or the other be prone to hacks.

Also, storing a private key online, no matter how sophisticated the service might be at the moment against getting hacked, is still not a great idea, because if this service gets breached then everything on it will just get exposed.

NeuroticFish
May 11, 2023, 02:44:33 PM
Merited by bitmover (1)
 #3

I find this risky for various reasons:
* that company can be hacked (it will become a target and bugs can exist)
* AWS can get hacked
* some Amazon employee may try to look in there (direct access, correlations, sniffing)
* that company's employees may take a look
* that company may get bankrupt
* mail accounts tend to be more hacked than many other online services
* and... is this a custodian wallet? what if their hot wallet is hacked directly or they run with the coins?

Plus, yeah I don't believe in magic :D


bitmover
May 11, 2023, 03:52:02 PM
 #4

Is this good?

The wallet was launched by Kresus. It uses a magic link to sign in users, which means the wallet does not require a password login. It is only on the Apple Store for now.

https://cointelegraph.com/news/new-wallet-uses-amazon-hardware-security-modules-to-eliminate-seed-words

There is too much trust involved, especially in the Kresus team.

Seed words simply work.

They are safe to use, easy to store and easy to recover when necessary.

They are working just fine.

Doan9269
May 11, 2023, 04:08:01 PM
 #5

Quote
Speaking to Cointelegraph, the Kresus team said that their new wallet app attempts to fix this problem using a wallet infrastructure and software development kit (SDK) called “Magic,” which stores the user’s private key on an Amazon Web Services computer that is specifically designed to store highly sensitive information.

The AWS computer encrypts the user’s key with a Master Key that cannot leave the hardware module, much in the same way that a hardware wallet does. This eliminates the need for seed words or private keys to be stored on the device or kept as a paper backup, the team said.

This isn't good enough for those who can understand the influence of a third party and the use of central-server online storage apps. They can be as dangerous as they are unknown to users, and not everything they have to say should be believed. Why can't you devise a means to secure your seeds yourself rather than relying on their system for the storage? What is the guarantee that they can't be breached, track you, or get attacked themselves by hackers?

Is a seed phrase a problem?

It's not a problem, but how you store it is what determines whether it's a problem or not.

Coyster
May 11, 2023, 05:52:08 PM
 #6

Eliminating seed phrases, passwords and keys doesn't make one's crypto safer, rather it makes it more susceptible to being stolen. People erroneously think that services like this are doing them a good thing when they take away the responsibility they owe to their funds. Not your keys, not your funds, wherever they say they store it, you can't be sure of its safety, and you should always have your seed phrase to recover your funds yourself, anytime you need to. Keeping your seed phrase, passwords and keys is part of the responsibility of being your own bank, thus do it yourself.

Having said that, this wallet shouldn't even be used because we aren't short of better/safer alternatives, but if anyone is considering doing so, it should be for experiment and with a very inconsequential amount of money.

Hyphen(-)
May 11, 2023, 09:10:25 PM
 #7

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.
Because you must register through the app domain, I can also refer to this as centralization.
What if the app has been hacked? Are your funds safe, since you are not in full control over them?

Furthermore, they stated that by clicking on some links provided in the mail, what if the user's email is compromised and the hacker gains access to the wallet by clicking on the link provided in the mail?


BitDane
May 11, 2023, 09:18:18 PM
 #8

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.

This is more susceptible to hacking. Just imagine if a hacker has a grasp on our email accounts: our funds in Kresus will be automatically compromised, because hackers don't have to crack our password and passphrase, they just need a link to be generated and sent to our hacked email. Then voila! Hackers have access to our funds.


Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.

Obviously it is centralization. 

Quote
What do you people think about this wallet that I can not recommend?

I also can't recommend the wallet due to its possible weak security.  I don't believe in magic btw.
SquirrelJulietGarden
May 12, 2023, 01:47:51 AM
Last edit: May 12, 2023, 01:57:54 AM by SquirrelJulietGarden
 #9

Kresus is centralized, and that is not good. Is it open source? It is closed source!

It does not require a wallet password but will send you a link by email. I don't like to rely on my email security to use my wallet. It is always bad to connect my wallet to other accounts, especially accounts that are connected to the Internet a lot, like my email.

Whatever they call the link, like 'magic link', I consider it a horrible link.

odolvlobo
May 12, 2023, 10:01:12 AM
Last edit: May 12, 2023, 10:25:16 AM by odolvlobo
Merited by NeuroticFish (1), ABCbits (1)
 #10

The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.

Anyway, a hardware security module (HSM) is similar to a hardware wallet. It holds private keys and will do cryptographic operations with those keys without ever revealing them.

I believe there is a misunderstanding here and I'll give you my best guess at how it works. I believe that the Kresus wallet does use a seed, but it stores only an encrypted copy of it and is unable to decrypt it directly.

To get a decrypted copy of the seed, the wallet sends the encrypted copy to the HSM, which decrypts it and returns the decrypted copy back to the wallet. Then the wallet uses the seed normally. When the app is closed, the decrypted copy is destroyed.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
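
The flow guessed at in the post above, as an added example that is not part of the thread and is not Kresus or Magic code: a toy in-process stand-in for an HSM whose master key never leaves the object, wrapping a constructed seed and binding the blob to a caller context. `ToyHSM`, `demo`, the context strings and the HMAC-based cipher (a standard-library stand-in for an authenticated cipher such as AES-GCM) are all assumptions.

```python
import hashlib
import hmac
import secrets


class ToyHSM:
    """In-process stand-in for an HSM: no method ever returns the master key."""

    def __init__(self):
        self.__master = secrets.token_bytes(32)  # generated inside, never exported

    def _keys(self, nonce, context):
        # Per-blob encryption and MAC keys, bound to the caller-supplied context.
        prk = hmac.new(self.__master, nonce + context, hashlib.sha256).digest()
        return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
                hmac.new(prk, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _xor_stream(key, data):
        # HMAC-SHA256 in counter mode as keystream (stdlib stand-in for AES).
        stream = b""
        counter = 0
        while len(stream) < len(data):
            stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def wrap(self, seed, context):
        nonce = secrets.token_bytes(16)
        enc_key, mac_key = self._keys(nonce, context)
        ct = self._xor_stream(enc_key, seed)
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # the only thing the wallet app stores

    def unwrap(self, blob, context):
        if len(blob) < 48:
            raise PermissionError("malformed blob")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        enc_key, mac_key = self._keys(nonce, context)
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("wrong context or tampered blob")
        return self._xor_stream(enc_key, ct)


def demo():
    hsm = ToyHSM()
    seed = secrets.token_bytes(32)        # constructed sample seed
    ctx = b"user:alice@example.com"       # hypothetical identity set at login
    stored = hsm.wrap(seed, ctx)
    results = {"roundtrip": hsm.unwrap(stored, ctx) == seed,
               "seed_absent_from_blob": seed not in stored}
    attempts = {"other_context": (stored, b"user:bob@example.com"),
                "tampered_blob": (stored[:-1] + bytes([stored[-1] ^ 1]), ctx)}
    for name, (blob, context) in attempts.items():
        try:
            hsm.unwrap(blob, context)
            results[name + "_rejected"] = False
        except PermissionError:
            results[name + "_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The master key stays inside the object, but `unwrap` hands the plaintext seed to any caller that presents the right context, so the scheme is only as strong as the step that authenticates that caller.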
ABCbits
May 12, 2023, 11:24:52 AM
Merited by NeuroticFish (1)
 #11

Is this good?

I checked their website (https://www.kresus.com/), but couldn't find much explanation of their wallet or how it works. So personally I wouldn't use this wallet.

The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.

Anyway, a hardware security module (HSM) is similar to a hardware wallet. It holds private keys and will do cryptographic operations with those keys without ever revealing them.

--snip--

But considering Amazon's unethical practices and Amazon's connection with some government department, there's concern about storing sensitive data (including a Bitcoin private key) on an Amazon product.

Lucius
May 12, 2023, 02:45:51 PM
 #12

The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.
~snip~

I completely agree with this statement, but everyone has their own choice of news sources, and the OP obviously likes them for some reason.



~snip~
But considering Amazon's unethical practices and Amazon's connection with some government department, there's concern about storing sensitive data (including a Bitcoin private key) on an Amazon product.

Well said, I personally would never trust them because they don't care about anything other than profit. And as for their connection with governments, I recently watched a documentary about their "contribution" to the monitoring and evaluation of public officials through various AI programs, which turned out to be a complete failure.

If we're going to be honest, I don't even trust some companies that produce HW anymore because they've proven to be incompetent in that business, let alone a company that literally does everything and just wants to expand its business a little more.
