“It’s 10 p.m. — do you know where your keys are?” Self-, hybrid, and third-party custody

One of the most critical maxims in the crypto industry is the motto “not your keys, not your crypto.” Ownership of private keys provides users with full control over the assets these keys hold but includes the responsibility of keeping them safe (also known as HODLing).

All private key solutions come with their pros and cons.

With great power comes great responsibility

Practicing self-custody over your keys includes being responsible for storing, transferring, and even backing up the cryptographic primitives that define the private keys, which is often daunting to the average user. But what are the alternatives? In this article, we’ll expand on the challenges around managing our private keys and what forms of custodianship (self, external, and hybrid) exist to help handle some of the responsibilities of crypto ownership.

Let’s talk about private keys

Whether you store them on a piece of paper, via a Google Chrome extension, engraved on a metal plaque, in your Portis account, or within a hardware wallet, your private keys are, without a doubt, the most crucial piece of information for controlling your digital assets. If there were a real-world equivalent of your wealth, it would be your bank account and a power of attorney to pretty much move everything within that account at any point in time.

Your private keys are your most important asset.

In short, there’s nothing more important than knowing and holding your private key, as well as keeping it secret. Regardless of the specific blockchain ecosystem (e.g., Ethereum, Bitcoin), maintaining ownership of your private key is the first lesson anyone trying to get involved in the crypto ecosystem should learn. From secure key management, hot and cold wallets, to backup storage, there are multiple topics that must be understood by any crypto user.

Where are you keeping your keys? Proof of Keys is a bitcoiners’ annual event that aims to remind everyone of the importance of monetary sovereignty.

The challenges with ownership

Handling this amount of responsibility can be extremely difficult. There are numerous stories from users who have lost assets more than once due to mismanagement of their keys, hardware wallets, or devices that hold them.

As time goes on and your presence in the crypto industry increases, chances are that the number of keys you are managing will only grow, alongside the time and effort it takes to keep track of them.

A crypto user needs to familiarize themselves with concepts like public-key cryptography, seed words, signatures, and so on. It’s unrealistic to ask every person to back up 24 seed words correctly or buy a metal container for each wallet. Although hardware wallets are good, they still require updating firmware, safekeeping the devices, and following technical instructions.

Self-custody does not come without its costs. Despite being extremely secure, hardware wallets require some maintenance and general technical knowledge. Furthermore, there are still security issues even when using secure providers like Ledger, which recently appears to have gotten their customer database hacked.

Massive consumer adoption will never happen if we expect the layman to safeguard a series of random bytes.

The custodian alternative? not so fast

If asking every individual to maintain their wealth’s knowledge and responsibility by securely storing 256 bits is too much, the “simpler” alternative does not come without a cost. Delegating full control of our private keys to a provider (e.g., an exchange) or a third party (e.g., a regulated entity) usually solves the problem of storing, managing, and even recovering access to your digital assets, yet opens up a new set of challenges.

First, we have to trust that the custodian or third party is securely handling your keys, and often, this isn’t the case. Over the past few years, many exchanges have been hacked, showing us that trusting a company’s security can be dangerous. Unless a reputable third-party auditor has completed a full assessment of the company holding your assets, you have to trust whether the security measures put in place to safeguard your information are adequate.

Blindly trusting a third-party with your assets can be an extremely dangerous move, as a security vulnerability on their end might mean the partial or total loss of your assets.

Second, depending on the third-party jurisdiction, the organization must meet a specific set of regulations to operate as a company. These rules can change at any point in time, forcing them to freeze (or worse, transfer) your assets or your account, just like a bank.

A middle-ground for a better UX

Custodianship introduces an issue of trust, while ownership introduces an issue of responsibility. The drawbacks of both underscores why committing fully to only one approach is unsuitable for various use cases.

A better way is to mix both so that the user is never fully responsible for securing their assets, yet enjoys all the flexibility as if it had them at hand.

Hybrid custody is the approach where the private keys’ security is no longer the user’s sole responsibility, without compromising its flexibility.

Unlike full self-custody, hybrid security can rely on experts’ knowledge to implement strategies that have been battle-tested and audited by security experts.

A user does not need to understand all the dynamics and mathematics around cryptography or private keys to use them within the context of blockchain, let alone to use a decentralized application.

Simultaneously, unlike custodians, hybrid custody solutions can delegate access to users only, without involving them in the key generation process. As a result, a hybrid custody solution could be safer from being hacked or pressured to freeze your account, since the cryptographic primitives are never at the provider’s disposal. The provider offers an interface that the user can leverage only to interact with their assets.

“Which approach is right for me?”

There’s more than one way to skin a private key.

There are multiple cases where pure self-custody is more than enough to interact with the blockchain or a decentralized application. With proper care, knowledge, and attention, your assets’ safekeeping with secure hardware devices is still the only existing option where full-ownership of your digital wealth remains in your hands. On the other hand, for enterprise solutions and different settings like governmental institutions, regulated authorities, and neo banks, custodian implementations are the most suitable approach.

However, in cases where you don’t expect users to be tech-savvy, it might be best to rely on hybrid solutions that remove entry barriers to newcomers. Companies like Portis and Argent have created an architecture where users can have complete yet frictionless control over their assets. In the case of Portis, those same users can take the next step and actually use their assets. As Portis is also a web3 provider, they can interact with decentralized applications while making sure they always remain the sole owner of the keys to the kingdom — their private keys.