Should HW require user to confirm SEED awareness before firmware updates?

[satscraper]

It is no secret that if something goes wrong during the process of updating hardware wallets, users who have lost their SEED phrases may lose access to their stashes forever. This has happened many times in real life. While wallets typically provide relevant warnings before proceeding with the update, the question remains whether it is this enough.

I strongly believe that hardware wallets should require users to confirm SEED phrase awareness before allowing the firmware update. This may be done through the quiz or re-entry of the phrase ^{ultimately, the method of implementation is up to the developers}.  If users fail, the wallet should not proceed with the update. The key point here is that such feature should become something like standard safety measure for hardware wallets.

I recognize that such idea may face some resistance among experienced users, but 1) even the wisest of us can make fatal mistake 2) if implemented, it would virtually save many lives.

Please vote and share your thoughts.

[PX-Z]

Yes, it's a good way to recall the user if they still have the correct copy of the master seed before updating the firmware.
It should be done on the device itself not on the connected wallet (ledger live, trezor suite, etc) and not with a device that is connected on the internet.

[Polkat]

Once an experienced person gave me some advice: if you want to hide something securely in your house so that it won't be found in case of theft or during a search, you need to hide it in such a way that you yourself can't quickly get to it. That is, for this you would need to disassemble or unscrew something.
Therefore, if I know for sure that my seed is securely hidden in several locations, then it will be unnecessary for me to disassemble or unwind something every time to confirm the presence of the seed before updating the wallet. Therefore, I consider the standard warning that wallets give before updating to be sufficient.

[mocacinno]

It's difficult... On the one side, being your own bank also means taking responsability. On the other side, it's true that many people lost funds because of forgotten seeds.
I would agree with Polkat: for me, the default warning should probably suffice, or maybe an opt-in setting on your hardware wallet? That way people get to chose whether upgrades can only continue upon verifying the seed phrase or if they only want a big, bold warning message?

[tenant48]

And what should users who use shamir backup or seed XOR and store parts of their secret in geographically different locations do, in the author's opinion? I also think that the standard warning is quite sufficient.

[Pmalek]

I voted NO.

I think a warning is enough. The warning should be informative and tell the reader that if the device resets itself, they will need their seed and optional passphrase to recover and regain access to their wallet. I wouldn't want to re-enter these with every firmware upgrade because it will take some time to gather my secrets.

I am all for requiring that each HW user verifies that their backups are correct when initially setting up their wallets and generating new seeds. The device should be configured to instruct people to enter each word. It's for their own safety, but I think doing it once and at that stage only is enough.

[satscraper]

I see that some respondents are worried about those who keep their backups geographically distant.

In my view, the best practice is storage in both ways ^{i.e. geographically distant locations and nearby} because in case of force majeure circumstances, you will not need to jump on a jet to go, say, to Australia when living in Europe. I'm sure that those who really store backups in distant locations, rather than just bloviate about it, also keep their SEED nearby. ^{If someones here want to learn how to do it safely please read this topic}.

I also kinda like respond to those concerned about XORed or SSS-protected SEEDs. If users can't decode them, then those SEEDs are effectively lost to them, and any upgrade could potentially harm such users. Users who can decode their SEEDs should be able to proceed with the upgrade safely.

[Charles-Tim]

I strongly believe that hardware wallets should require users to confirm SEED phrase awareness before allowing the firmware update.

No need for it at all.

People should know that their seed phrase is their money and that they should protect it by all means necessary. Having it in two or three locations should be enough.

I know some hackers will use the privilege to look for some victims also through phishing attack.

[satscraper]

People should know that their seed phrase is their money and that they should protect it by all means necessary. Having it in two or three locations should be enough.

They definitely should, but the reality is that many people are careless. Even those who do care about their seed phrases ^{storing them in two or three locations}can still lose access due to sheer bad luck.

So far, the discussion has been quite interesting. Respondents are split 50/50 on how to handle this issue. I know that some hardware wallet developers occasionally visit our forum  and hope they read our discussions and take the necessary steps.

[PrivacyG]

It's difficult... On the one side, being your own bank also means taking responsability. On the other side, it's true that many people lost funds because of forgotten seeds.
I would agree with Polkat: for me, the default warning should probably suffice, or maybe an opt-in setting on your hardware wallet? That way people get to chose whether upgrades can only continue upon verifying the seed phrase or if they only want a big, bold warning message?

I do not even know what to say here.

On one hand, it would be extremely exhausting to have to re enter the seed every update.  I never use my hardware wallet if it has not received the latest updates yet.  But if I was forced to re enter the seed every update, this means if I take my hardware wallet any where with me I also have to either mentally remember the seed or take it with me which is a HUGE NO to me.

On the other hand I had around 3 to 5 situations where I really truly believed I stored my seed but then found out I did not back it up.  The mind is very interesting, it likes playing really bad games some times.  I would go insane if I thought I backed up my main wallet seed only to find out I had to restore it but have no actual backed seed to restore.

I also had hardware wallets give up on me through updates before.  So there is that.  Anyway.  The forceful re entering of the seed phrase, I tend to refuse that it is a good idea mainly because it means constantly fiddling with your seed.  If stored very well, this means many risks increase.  'Oh, that pot I forgot about is boiling!  I have to go, quick!'  Only to leave your seed on your desk or where ever you put it.  This can be a disaster.

Not to mention how many people would do things like carrying the seed with them just in case.  No, for a paranoid like me this is crazy!

[satscraper]

On one hand, it would be extremely exhausting to have to re enter the seed every update.

Quiz would solve this.

Your 3r^d word?

1) hello   2) ball  3) valve  4) jar

Please enter correct number.

Your 7^th word?

And so on up to four questions.

I think four entries should be enough for the wallet to determine whether the user remembers their seed phrase.

[Wind_FURY]

Yes, it's a good way to recall the user if they still have the correct copy of the master seed before updating the firmware.

It should be done on the device itself not on the connected wallet (ledger live, trezor suite, etc) and not with a device that is connected on the internet.

Although, if you're a user who truly believes in self-custody, then YOU should already have multiple analog back ups of your seed hidden in different locations.

I'll vote for YES, but the user should always confirm that he has a back up, if IT IS the back right back up, and have the back up ready before firmware updates. - A user that can't have responsibility to take these actions SHOULD NOT self-custody a LARGE amount of Bitcoin.

[Lucius]

It wouldn't be bad if there was a warning that any update could result in the device being reset to factory settings, but I'm not one of those who thinks that users should be forced to enter their seed in order to upgrade their device. Anyone who wants to make sure their backup is safe before they start an update can do so by checking it - but that still doesn't guarantee they're safe.

What I want to say that there is probably a percentage of people who think that they have secured themselves with a backup in case something goes wrong, but they do various stupid things with the seed words (change the order and the like), and then forget that they did it and wonder why their balance is 0 after recovery.

People are still the weakest link and always will be no matter what setup and devices we have - now it's just a question of how far manufacturers need to go to somehow force them to always do things the right way.

[m2017]

It is no secret that if something goes wrong during the process of updating hardware wallets, users who have lost their SEED phrases may lose access to their stashes forever. This has happened many times in real life. While wallets typically provide relevant warnings before proceeding with the update, the question remains whether it is this enough.

The question arises, why did these users not take care to make backups before updating? I mean that if they lost the SEED, they could generate a new one and transfer it there from the current HW device and thus they would have a valid SEED.

And in general, in case of loss of SEED, it is advisable to make several backups.

I strongly believe that hardware wallets should require users to confirm SEED phrase awareness before allowing the firmware update. This may be done through the quiz or re-entry of the phrase ^{ultimately, the method of implementation is up to the developers}.  If users fail, the wallet should not proceed with the update. The key point here is that such feature should become something like standard safety measure for hardware wallets.

I agree that a notification about the possibility of losing access to the wallet after the update should be added to hardware wallet, but I consider the need for mandatory entry of the seed phrase to be unnecessary, since this creates an additional possibility of compromising the seed.

I recognize that such idea may face some resistance among experienced users, but 1) even the wisest of us can make fatal mistake 2) if implemented, it would virtually save many lives.

Please vote and share your thoughts.

Re-entering every time you update your HW device will be like an "extra step" on the way to accessing your assets. It would only irritate me.

Also, I repeat, this creates an additional risk of compromise, because it can be abused by attackers.

[PrivacyG]

I think four entries should be enough for the wallet to determine whether the user remembers their seed phrase.

But then, if it becomes a mandatory check, hardware wallets are only good for the convenience of not setting up an airgapped computer yourself.

One of the strong points of a hardware wallet was always in my opinion the way you could carry them on you.  If the device is lost, the chance of messing up really badly are little.  If the mobility is lost, airgapped computers are no doubt top of the notch.  They always were in my opinion, but this strengthens my belief.

I believe precaution is good but we are getting way too close to nursery style of teaching.  It is like being asked to look both ways in front of a camera before crossing a road.  A lot of people do not look both ways and die in a stupid way, but it would be just as stupid to enforce them to look both ways.

Look, all hardware wallets have a boot screen.  In my opinion, that is a great way to show some warnings.

Also.  I am not sure about all hardware wallets but if you want a quiz, how about being told that you SHOULD back up your seed before upgrading and after confirming, you are asked to answer a question like 'Why is it important to back your seed before upgrade?' with a few possible answers.  But even this would be an utterly annoying experience for me.  Still, it is better than asking the cryptocurrency holder to dig up their seed every few months.

Responsibility is becoming extinct nowadays and it shows.  How about these people who do not carry any responsibility on their own shoulders start caring?  Look, like I said yesterday, I did forget to back up seeds in the past.  It would have been helpful to be reminded about it every now and then and maybe being reminded to check whether the seed is still there and intact every once in a while, but more than that is overkill.

Though I may be boring the hell out of you, I will give an even worse example why this is bad.

Most of the well known hardware wallets do not even offer the option to back up the seed again if you lost it.  All you are left with is the device, which hopefully still works by the time you finish moving all your coins to another seed.  Now imagine this, you lost your seed and you need to move all your funds to a new one.  A week ago a new update arrived with critical vulnerabilities fixed but if you update you are forced to check the seed you no longer have, what do you do?

Edit.  More boredom, more scenarios for you.  If the seed check should be enforced before upgrades then I believe there should also be a mandatory address verification before being able to confirm a transaction because too many people lost so much money to clipboard scams and what not.  At some point in the future, the simple hardware wallets may then only become as bloated of quizzes and checks as Google is of ads and scams.

[A S M]

I will describe a case where mandatory SEED phrase checking before updating would be harmful and result in loss of funds. There is a case when you really lost access to SEED but you have a working wallet and a known pin code. You want to withdraw a coin from the wallet, but a warning pops up that there are changes in the protocol of this coin and you need to update it (this is often the case in Ledger wallets with different altcoins). In this case you have nothing to do but to agree with the update and in case of its success to withdraw coins to a new temporary address. If checking SEED before the update was mandatory, you would simply lose access to your coins.

Personally, I had a similar situation with the Tezor T wallet, the ZEC coin did not want to be withdrawn from it until I updated my wallet to the latest version.

A similar case occurred with the user Krypt which is described in the Russian branch of the forum.

[satscraper]

The question arises, why did these users not take care to make backups before updating? I mean that if they lost the SEED, they could generate a new one and transfer it there from the current HW device and thus they would have a valid SEED.

You should direct this question to those who fail to make backups before updating, not to me. The reality is that people are losing their funds due to lost seed phrases.

since this creates an additional possibility of compromising the seed.

Nope, four correct entries during the quiz will never compromise  12/24-word seed phrase, even if the user's wallet isn't air-gapped ^{not to mention  if it is}.

[
Also, I repeat, this creates an additional risk of compromise, because it can be abused by attackers.

The only way I see attackers potentially exploiting such feature ^{if it were implemented} is by fooling users with thefake firmware. But they already do it without this feature.

there should also be a mandatory address verification before being able to confirm a transaction because too many people lost so much money to clipboard scams and what not.  At some point in the future, the simple hardware wallets may then only become as bloated of quizzes and checks as Google is of ads and scams.

Wallet I use, ^{Passport Core}, displays the destination address on its screen ^{along with other transaction details} which given user must confirm before signing.

[Wind_FURY]

I will describe a case where mandatory SEED phrase checking before updating would be harmful and result in loss of funds. There is a case when you really lost access to SEED but you have a working wallet and a known pin code. You want to withdraw a coin from the wallet, but a warning pops up that there are changes in the protocol of this coin and you need to update it (this is often the case in Ledger wallets with different altcoins). In this case you have nothing to do but to agree with the update and in case of its success to withdraw coins to a new temporary address. If checking SEED before the update was mandatory, you would simply lose access to your coins.

Personally, I had a similar situation with the Tezor T wallet, the ZEC coin did not want to be withdrawn from it until I updated my wallet to the latest version.

A similar case occurred with the user Krypt which is described in the Russian branch of the forum.

It's definitely why people who can't be responsible enough to back up their seed phrases properly should probably NOT self-custody a large amount of Bitcoin or any crypto/digital asset.

It's better for those individuals to trust the legal system and buy an ETF, because if something goes wrong, they can call a lawyer to "fix" the problem.

 ¯\_(ツ)_/¯

[Forsyth Jones]

I voted NO.

I don't like the idea of having a hardware nanny taking care of me. People who own such devices should be aware of all the associated benefits and risks. No matter how hard manufacturers try to create protection mechanisms or even limit certain features, it's not worth compromising the user experience. People will continue to lose their funds. Eventually, they need to learn to be responsible with their own money.

If, no matter how many manufacturers invent new tricks, warnings, etc., people continue to lose their funds, the problem isn't the hardware, it's between the computer and the keyboard. This person isn't prepared for this market, or it's not for them. It's as simple like that. In their case, it's better to keep it on an exchange or go to the traditional market.

[m2017]

Ok.

Let's assume that the majority agrees with OP's opinion. What next?

Shall we write letters to each HW manufacturer? Will the manufacturers add this SEED confirmation in the next release of the new firmware? In any case, the decision is up to each specific manufacturer, who can ignore it.

It will take tens or hundreds of thousands of "votes" to attract their attention, but look at the number of views of this topic - less than 200 at the moment. Even within this forum, there are not that many readers in this section.

I'm not saying that this is impossible (because if there is an idea that offers the necessary improvements, then need to try to implement it), I'm just curious, "what next?" after this vote and discussion of this topic.

If anything, seed confirmation should be optional: enabled by default, but can be disabled by the user if desired. This way, "both camps" will be happy.