Improving the crypto wallet authorization experience with security level selector
We ran a design sprint on adoption and usability of crypto wallets, focusing specifically on making the wallet creation process more fun and usable. The challenge was chosen on the premise that storing a password on paper or memorizing it isn’t good enough for the mass market. Done with Oleg Bugrovoy, Eugene Reznik, Stas Varetsky and Max Semenchuk.
Most wallets today offer a mnemonic phrase and sometimes private key export. Gnosis Safe is researching recovery mechanisms that leverage know-your-customer (KYC) providers through smart contracts: if people lose access to their funds, they could use a decentralized network of KYC providers to verify their identity and change the keys on their wallet. The Opera mobile browser with its built-in crypto wallet uses Touch/Face ID for authorization. Burner Wallet keeps the private key in a browser cookie so funds can be used and withdrawn quickly.
We tried to understand whether
- users want an improvement in the authorization process
- we can make a more seamless experience on mobile devices
Previously we had already tested a solution that encodes the private key into a picture.
From the initial brainstorming, a couple of solutions emerged. The selected solution was a security slider: since users in different contexts may prefer different levels of security, we offer a few options to choose from:
- No password — for one-time use, e.g. food tokens at a conference or a workshop/game setup
- Touch/Face ID — for storing a small amount of crypto, specifically for dapp usage etc.
- Social backup (sharing with friends) — lets specific people the user knows help recover the keys. Can be a good solution for family and team contexts (e.g. a wallet for mom)
- Mnemonic — the standard seed phrase option
We haven’t dug deep into the technical aspects of each option; that may be the subject of further research. The current task was to test the user experience change and identify its benefits and concerns.
You can try the interactive prototype here: https://share.protopie.io/RpHzbk7RtEa
We interviewed 5 people from our circles. They are experienced IT people, but not from the cybersecurity field. Their usage ranges from low to medium, with wallets like MetaMask, Ledger, Jaxx, Coinbase, MyEtherWallet, imToken and Poketto Cash on desktop and mobile, mostly for transacting, dapps and sometimes development.
Several insights from the preliminary interview on their usage:
- Respondents use 2–4 wallets simultaneously
- One respondent uses an iPhone wallet with restricted wifi access for security
- Jaxx for mobile got both positive and negative feedback (not usable); desktop got only negative
- Coinbase wallet lacks functionality and is not intuitive (not clear how to add ERC20 tokens)
- Recovery is rarely used but is pretty hard
- It’s convenient to store the seed phrase in the keychain
- MyEtherWallet was used once for ENS domain
- One respondent stores the password for MetaMask in Notes with Touch ID protection
- MetaMask takes a long time to load even on high-performing hardware and has UI bugs (fonts)
- imToken was used for an ICO because of its speed
- Liked the Argent demo, but hasn’t tried it
Feedback on the demo with quotes:
- “Design looks cool”, “got most of it”
- “Would rather use tap than slide for selection”
- “Lack of some heading that it’s the authorization selection”
- The Next button was confused for selecting the next option rather than for submission
- “Not sure how I should select”; maybe context selection would work better than names of the options (e.g. one-time, transacting small amounts & dapps, storing big money).
- Share with friends looks concerning. “More people you share with, less secure it becomes”. Not clear from this step how it should work.
- “Won’t select mnemonic as would still need to put it somewhere”. “Don’t get the mnemonic functionality.”
- Touch/Face ID was considered the leader (not sure why it is less secure than mnemonic). “Banks use it so should be fine”. Can be the “optimal” security option. “Still can be hacked”
- “No password” option — not clear; seems more compelling for the multiple-addresses use case. “Am accustomed to one-time email, but not sure how this should work, makes no sense.”
- “Don’t want to take responsibility, want the system to look security solid and shift responsibility to it”. “Am not concerned about storing the password in the cloud — lots of my passwords are already there”.
- Users would like to have a login/password option with the password stored in the cloud. Also possibly add PIN functionality or graphical passwords (as on Android). Ideally, hardware integration is needed
There will probably be a clearer divide in the future between wallets built for different scenarios. While making the ultimate wallet suitable for everything may seem like a good idea, there are a lot of concerns to address and clarifications to make for different types of users.
This solution can probably work better for networks that don’t have as wide a variety of options as Ethereum, or it can be used as a dapp-specific solution instead of a centralized login/password mechanic.