The importance of plausible deniability in crypto products

One of the most important, yet overlooked, features of any crypto currency product is support for plausible deniability. This feature is best understood by example.

The Ledger and Trezor hardware wallets, like nearly all crypto wallets, are secured with a 24-word seed phrase. Access to the wallet is then secured with a four-digit PIN code. Most of us are familiar with this model by now.

What many people don’t realize is that these devices don’t just support one single wallet behind one single PIN, but rather support any number of wallets secured behind any number of PIN codes.

This feature, known as the “25th word feature”, allows you to add additional words to the seed—i.e. 25th words—thereby creating additional wallets, which you can then secure with additional PIN codes. And since there can be any number of 25th words, these devices support any number of wallets! Take a moment to think about the implications of that.

This feature provides both convenience and plausible deniability:

  • Convenience, in that you can have a default wallet, containing a small amount of currency that you use for day to day transactions, without having to expose your larger holdings.

  • Plausible deniability, in that if you were forced to open the wallet, you can open your default wallet containing a small amount of funds, and it would be impossible to know whether you have additional wallets, where you’d maintain your larger cold storage funds, secured behind additional PIN codes.

In my view, plausible deniability should be a core feature of crypto products, presented and promoted front and center. Uunfortunately, it’s often considered too complex by some products, and poorly implemented by those that do support it. Let’s look at at few more examples.

Mobile Wallets

The Secure Enclave makes iOS devices surprisingly good platforms for secure wallets. But I would never use my iOS device to store significant amounts of crypto currency because nearly none of the current wallets support plausible deniability, and the one that does, doesn’t support it well from a UX perspective.

TrustWallet, BRD and Edge are all high-quality mobile wallets, and all of them support the interaction of launching with a prompt for a PIN code. None of them, however, support multiple wallets, secured behind multiple PIN codes.

I once spoke with BRD about this, and their view was that plausible deniability was too advanced for their users. At the same time, however, they argued for using BRD as one’s primary crypto storage, due to the security of the Secure Enclave. That would be a terrible recommendation, for a product that supports only a single wallet.

(Note that all of these products claim to technically support multiple wallets, by the fact that you can restore any number of wallets from different 24-word seeds. That’s terribly impractical, however, from a UX perspective.)

Ledger Nano X

Since the recently-launched Nano X, which does support multiple wallets secured by multiple PINs, is accompanied by an iOS app, Ledger Live, I was hopeful that plausible deniability would finally be supported in a useful way on a mobile device. Unfortunately, the implementation is such that it’s nearly as unwieldy as restoring a 24-word seed in the other wallets.

The Ledger Live mobile app supports “accounts”, which are individual currencies within a given wallet. If you had two sets of wallets behind two PINs on your Nano X, each of which held BTC and ETH, you would either have to have all four “accounts” always visible in Ledger Live—say, “BTC”, “BTC Cold”, “ETH” and “ETH Cold”—which, of course, defeats the whole purpose of plausible deniability, or you would need to add your cold storage accounts only when needed, and then have to remember to delete them from the app when done. (Deleting them in the app doesn’t affect their presence on the hardware device.)

So, unfortunately, the Nano X, combined with the Ledger Live mobile app, doesn’t move us forward in terms of usable plausible deniability on mobile devices.

Portfolio Tracking Apps

It would be great to track my full crypto portfolio in an app like Blockfolio.

Again here though, Blockfolio doesn’t support plausible deniability. As with mobile crypto wallets, Blockfolio could launch with the presentation of a PIN interface, behind which multiple portfolios are managed—i.e. my real portfolio, and then a shadow portfolio I’d open if forced. But since this isn’t supported by Blockfolio, or any of its competitors, I’m left to track my crypto holdings in a spreadsheet, locked away inside a hidden encrypted disk image.

Conclusion

My hope in publishing this article is to bring more awareness to the need for supporting plausible deniability as a core feature of crypto products, and for those that do support it, surface it in the user interface as a primary function of the product, rather than hiding it away behind the “Advanced” settings.

For further reading, and a great example of how beneficial plausible deniability can be in general, be sure to see my article about the Espionage product for Mac OS X.

Leave a Reply

Your email address will not be published. Required fields are marked *