|Things to know:
|– The Innovation Lab is Ledger’s team of experts dedicated to exploring new ideas and improving your experience with the Ledger ecosystem. Its latest initiative is Ledger Fresh.
– Your Web3 experience needs to be secure, but it also needs to be flexible and seamless. Validating all of your Web3 transactions across your devices (PCs, mobiles, etc) through your Ledger wallet can be time-consuming, and it shouldn’t be. Ledger Fresh works to solve this hurdle with the goal to bring your Web3 experience to a new level of convenience.
– Ledger Fresh, a temporary project code name, is our upcoming platform – a security-oriented web wallet interface – that will bring more flexibility when interacting with the Ledger ecosystem. It will leverage Ledger’s strict security standards while delegating other safety checks on other devices (mobile, PCs, etc). This process will enable you to interact with DApps seamlessly, without the need for constantly approving your transactions on your hardware wallet.
– Ledger Fresh is currently being developed by Ledger Labs and the community (with the support of Only Dust), targeting a release for the official Starknet mainnet launch scheduled around the end of Q1 2023. The security mechanisms and user flow described below are still being discussed and could change.
Ledger Fresh: Our New Project To Enhance Your Web3 Experience
Ledger is built on world-class security. Smartcards are historic security technologies that we have improved to make them suitable for the next Internet era.
Ledger has done so in three distinct ways:
- By removing the need to have a card reader to use a smartcard. It can now be directly connected to the USB port of a computer or used over Bluetooth.
- By providing an open Operating System, BOLOS (Blockchain Open Ledger Operating System) lets developers load their native code into the device and users pick applications from a thriving ecosystem.
- By adding a screen and buttons connected directly to the smartcard to prevent malware from changing the information displayed to the user or faking user consent, thus ensuring that What You See Is What You Sign.
While security will always be our North Star, we collected feedback about Ledger devices and found a few user pain points:
- Onboarding your Ledger Nano devices requires writing down a list of 12/24 words (the mnemonic) to back up the private cryptographic keys. This backup is critical to recovering the assets if the device is lost and for interoperability with multiple wallets. As those words unlock a lot of power and value, attackers are getting more creative in tricking users into giving them.
- When using a Ledger device, the user always performs the same actions regardless of the transaction amount. This process can lead to fatigue and a lack of attention to detail for more important transactions.
- As users spend more time transacting cryptocurrencies, NFTs, and navigating Web3, they may move to different governance solutions (such as multi-signature) or plan for an inheritance. With current solutions, this is complex and costly as this requires moving all assets to a new wallet.
A Smarter Wallet. A Better Web3 Experience.
How to solve these pain points? A smart wallet that can run its independent logic lets users customize part of this logic. With Ledger Fresh, you can interact with DApps seamlessly without the need to approve all your transactions on your hardware wallet and without compromising on your digital security. If you’re a new user, Ledger Fresh will open the possibility to enter the Ledger ecosystem without a Ledger device while gradually increasing your safety as your usage grows.
Here are a few scenarios on how Ledger Fresh could address the pain points we’ve just examined:
- A revamped onboarding process. The new onboarding phase would let users register different devices to the smart wallet. The recovery phrase would only be used once if all devices are lost, after giving notifications on all possible media and a grace period to cancel the operation to the user.
- Personalized security profiles. Smart wallets could set distinct security profiles. For instance, one profile for daily use cases and another for specific use cases. This process could be done through allowlists or more complex policies linked to sources of truth operated off-chain by the user.
- Updatable standards. The smart wallet logic would be updatable/upgradable on the fly without moving assets to a new wallet implementing new features.
We’ll see next how the Ledger Fresh wallet is the ultimate smart wallet and which technical components it contains.
Ledger Fresh’s Building Blocks: Account Abstraction, FIDO, Starknet & Account Plugins
Account Abstraction is a long-term goal of the Ethereum ecosystem to use the execution capabilities of a blockchain to implement the account verification logic instead of just implementing the logic of applications. Account Abstraction replaces the traditional concept of accounts associated with keys by account smart contracts, making it possible to use custom verification logic (for example, different signature schemes) and to perform additional checks such as using an allowlist of contracts and functions.
It has been partially implemented on Ethereum, with Argent pioneering its use since 2018. There are currently several competing specifications (EIP 4337, EIP 3074 and EIP 5806) being reviewed to move to full implementation, enabling, for instance, to pay for network fees using different assets (e.g any ERC-20 token), or define transaction orders.
Unfortunately, even partial implementations of Account Abstraction didn’t get a lot of traction because of the related network costs, notably when gas prices surged during Defi Summer in 2020 and then during the NFT era in 2021. This will change with a growing range of efficient L2 solutions aiming to reduce gas costs.
FIDO / WebAuthn
In 2012, FIDO defined a web-native protocol using cryptographic signatures to replace standard Second Factor Authentication (2FA) and One Time Password algorithms using a shared secret. While not protecting users against malware, FIDO helps solve phishing attacks and attacks targeting the server credentials database.
FIDO support was initially only provided by dedicated devices such as Yubikeys, but things got more interesting in 2019 when Apple and Google started including FIDO 2 (aka WebAuthn) support directly in their devices, with keys, signatures, and authorizations backed by the hardware security features of the platform – the Secure Enclave and Face ID for Apple, StrongBox and biometric authentication for Android.
We now have a solid and reliable cryptographic authentication mechanism available on most smartphones that can be used from the browser.
It would be great to use it as an everyday signer with additional restrictions in the user account contract. Currently, verifying WebAuthn signatures on-chain is too costly since the only curve supported by the FIDO2 compliant hardware solutions is secp256r1, the neighbor of Ethereum secp256k1; most chains don’t natively support it.
Starknet is a scalability second layer released in 2021 by Starkware. It allows to compute more expensive transactions on that layer and only submit a brief proof of proper execution to be verified by the settlement layer of the rollup, Ethereum.
Given the substantial savings, Starknet uses an Account Abstraction model for all users. Interestingly, as Starknet execution model is not based on the Ethereum Virtual Machine, complex mathematical operations are also less expensive, and it is thus possible to implement a validation of WebAuthn signatures at the application level. Cartridge has pioneered this.
Thanks to Starknet, we can run an acceptable cost Account Abstraction model with several devices that can authenticate to the account smart contract, including smartphones implementing WebAuthn in the browser.
Account plugins are a flexible mechanism to extend an account smart contract logic with pluggable logic (plugin). The reference implementation is currently being worked on jointly by Argent, Cartridge and Ledger.
Account plugins allow updating mechanisms to validate transactions on the fly. Different signing mechanisms (such as WebAuthn) or security schemes (such as reduced signature friction for games or social applications with session keys) can be added to an account smart contract supporting the plugin architecture after it has been instantiated, without having to move assets or create a new wallet.
Ledger Fresh usage
Ledger Fresh builds a security-oriented web wallet interface interacting with an account smart contract on Starknet with different security validation mechanisms (such as creating an allowlist or relying on an external source of truth) depending on the device interacting with the account. This can be, for instance, either a WebAuthn device or a Ledger device. Moreover, this wallet can be enhanced/extended by external plugins.
Without a Ledger device
When starting his journey without a Ledger device, the user can register different WebAuthn devices (mobile phone, laptop, etc) to Ledger Fresh.
Ledger Fresh will provide additional guidance when an operation is risky, or the user account value is significant enough to get protected against malware with a Ledger device.
Switching between security profiles or modifying the current security profile will be performed with a customizable delay and notifications to allow users to cancel the operation if it was initiated by malware.
Adding a Ledger device
Adding a Ledger device provides full protection against malware – thus security operations can be confirmed instantly on device (What You See Is What You Sign). The user will also be able to bypass security restrictions set to the account (for example a spent amount per day) if and only if using a Ledger device.
Future Ledger Fresh services
In the future, we plan to extend the support of Ledger Fresh – both by connecting other chains to Starknet and by supporting the same concept on different chains if it is economically viable.
Additional services will also be implemented as plugins, such as a multi-signature service or a trustless legacy service allowing to send crypto to a predefined address if the account has been idle for some time.
Ledger Fresh plugins – technical deep dive
Plugins must follow an interface defined here. All functions need to be implemented. Is_valid_signature validates a signature made off-chain and can be called by other contracts. Validate is the function that allows the plugin to validate a transaction. This function cannot read the state of other contracts. Initialize is called when adding a plugin, and it is a delegate call, so your storage variable must be prefixed by your plugin name to be unique.
If you need more functions in your plugin, the account features an “executeOnPlugin” method to perform arbitrary calls to your plugin. This is used to do a delegate call on the plugin to update its state.