While the DeRec Protocol makes it possible to back up and recover any secret in a safe, secure, and decentralized fashion (see What types of secrets can be protected with the DeRec Protocol?), there are three types of blockchain-related secrets that are especially vulnerable to loss or misplacement: blockchain account private keys, wallet passwords, and mnemonic wallet recovery phrases. Understanding the differences between these three types of secrets is also helpful in understanding why it’s so important to securely guard all three against a catastrophic loss.
Every blockchain account comes with a unique private key. That private key is necessary in order for any asset associated with that account to be transferred to another blockchain account. It is called a private key because it should be kept private to the owner(s) of the account. If the private key is made available to any party besides the owner(s) of the account, that party could mistakenly or maliciously transfer some or all of the associated assets to another account.
In the blockchain world, a hierarchical relationship can exist between wallets and private keys. Typically, only a single password is needed to log in to wallets such as Metamask or Hashpack (the latter of which is a member of the DeRec Alliance). But wallets can simultaneously support multiple private keys connected with multiple accounts across multiple public blockchains. This way, once an end-user has used their password to authenticate themselves to the wallet, that user doesn’t have to go through any additional reauthentication steps to use any of the associated blockchain accounts. The convenience is similar to taking a wallet out of your back pocket and being able to transact with any of the credit cards (each representing a different account) in that wallet.
In the same way that a blockchain account’s private key is literally the key to all the assets connected to that account, a wallet’s password is what gives the user access to the wallet itself and all of the blockchain accounts that are associated with it. It’s almost like a master key. The mnemonic recovery phrase enters the picture when the end-user has either lost that password or needs to create a new instance of the wallet. For example, they may have been working with their wallet through a browser extension that works on Google’s Chrome web browser and want to start using Mozilla’s Firefox instead, or a new copy of the wallet may need to be installed on an entirely different device. In these cases, the password is not enough, and the new wallet’s installation process will ask for the mnemonic recovery phrase.
Whereas a private key is typically a very long string of numbers and letters, a mnemonic phrase is usually a unique string of 12, 18, or 24 common words, such as “shove”, “horse”, and “mushroom”. As long as the user has access to the original mnemonic recovery phrase, they can add the same wallet to another browser, another desktop computer, or even a smartphone. Or, perhaps more importantly, if they lose access to the only installation of their wallet (and the connected accounts), they can use the mnemonic phrase to recover from that loss by installing a new copy of the wallet. Most wallets include a means for the end-user to input a mnemonic phrase as part of an import or wallet recovery process.
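The 12-, 18-, or 24-word phrases described above follow, in most wallets, the BIP-39 layout, which the page does not name: the phrase is nothing more than random entropy plus a short SHA-256 checksum, cut into 11-bit word indices. The following example is added here and is not code from the DeRec Alliance; it works on word indices rather than words, so the 2048-entry wordlist is assumed to be looked up separately, and it also accepts the 15- and 21-word lengths that BIP-39 permits beyond the three the text names. It shows why the phrase alone suffices to rebuild a wallet and how the checksum catches a mistranscribed word.

```python
import hashlib

# BIP-39: ENT bits of entropy, CS = ENT/32 checksum bits from SHA-256(entropy),
# and (ENT + CS) / 11 words of 11 bits each. The text names 12, 18 and 24 words.
WORDS_FOR_ENTROPY_BITS = {128: 12, 160: 15, 192: 18, 224: 21, 256: 24}


def _checksum(entropy: bytes, cs_bits: int) -> int:
    """Top cs_bits of SHA-256(entropy), taken from the first digest byte."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Map raw entropy to the 11-bit wordlist indices of its mnemonic phrase."""
    ent = len(entropy) * 8
    if ent not in WORDS_FOR_ENTROPY_BITS:
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    cs = ent // 32
    bits = (int.from_bytes(entropy, "big") << cs) | _checksum(entropy, cs)
    nwords = WORDS_FOR_ENTROPY_BITS[ent]
    return [(bits >> (11 * (nwords - 1 - i))) & 0x7FF for i in range(nwords)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Reverse the mapping and verify the checksum; raises on a corrupt phrase."""
    nwords = len(indices)
    if nwords not in WORDS_FOR_ENTROPY_BITS.values():
        raise ValueError("phrase must have 12, 15, 18, 21 or 24 words")
    ent = nwords * 32 // 3            # nwords * 11 == ent + ent / 32
    cs = ent // 32
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("word index outside the 2048-word list")
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    if bits & ((1 << cs) - 1) != _checksum(entropy, cs):
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def phrase_is_valid(indices: list[int]) -> bool:
    """True when the phrase decodes and its checksum matches."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed input: 128 zero bits is the standard test vector
    # "abandon" x 11 followed by "about" (index 3).
    print(entropy_to_indices(bytes(16)))
```

A 12-word phrase carries only 4 checksum bits, so a single wrong word still slips through about one time in sixteen; the longer phrases are correspondingly stricter.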
Like the private key to a blockchain account, a wallet’s password and mnemonic phrase are important secrets that should not be shared. Some wallets present obtrusive dialogs that warn users to never share their keys or mnemonic phrases, and never to write them down or paste them into applications or websites. But, in the course of attempting to keep these credentials secret from malicious actors, end-users sometimes end up keeping those credentials a secret from themselves as well. They lose the piece of paper on which they recorded the secret. Or, they stored it in a file on a hard drive that crashed. Every user of computer technology has at some point in their lives lost a digital secret like a password. However, whereas passwords to most services are recoverable through a standard password recovery procedure, there’s no central helpdesk or password recovery routine for blockchain accounts and cryptocurrency wallets.
In fact, one of the key differentiating features of public blockchains (in a good way) is the absence of any central system administrator who can restore an end-user’s credentials should they somehow forget how to access their blockchain account. To blockchain aficionados, this lack of a centralized administrator is one of the key advantages of using distributed ledger technology (DLT). For example, unlike banks that can decide who gets an account and who doesn’t, blockchains don’t involve a central authority that decides who can be included in the system, or who cannot.
But along with that lack of a central blockchain administrator also comes the lack of the safety net that we’ve all come to depend on at least once in our lives: the helpdesk that can reset our credentials to a locked-out account. With public blockchains, there’s nobody to call, email, or otherwise contact if you get locked out of your wallet or blockchain accounts. The wallet, accounts, and any tokens (cryptocurrencies, NFTs, etc.) associated with them will remain inaccessible for as long as the associated secrets are lost or forgotten. Most industry experts concur that about 20 percent of the circulating supply of the Bitcoin cryptocurrency (worth hundreds of billions of dollars in total) has been forever lost due to such Bitcoin account inaccessibility.
Centralized Exchanges to the Rescue?
Until the DeRec Alliance introduced the Decentralized Recovery (DeRec) Protocol, the main option for protecting against such a catastrophic loss has been to rely on centralized bank-like custodians to provide blockchain account and wallet continuity. The most well-known examples of such custodians are centralized cryptocurrency exchanges like Coinbase and Binance. Centralized exchanges are akin to centralized banks because, if a customer loses the credentials to their accounts, wallets, or funds, the centralized institution can usually restore that access once the customer is able to prove their identity.
At first blush, this seems like an ideal solution. However, along with the supposed safety of a centralized entity comes the risk of a catastrophic problem, one that is beyond the control of the end-user. For example, the customers of one such exchange – FTX – infamously lost access to all of their accounts and associated assets due to the malfeasance of the organization’s executives. To be clear, the risk associated with centralized financial institutions is not limited to the blockchain industry or cryptocurrency exchanges. In the 21st century alone, over 550 US banks have already failed. If it weren’t for the Federal Deposit Insurance Corporation (FDIC), which insures individual bank accounts against bank failure for up to $250,000, most of the associated account holders would have lost all of their money. And even then, there were undoubtedly some depositors with more than $250,000 in their accounts, some of which was never recovered.
Damned if you do. Damned if you don’t.
The risk cuts both ways. If blockchain account and wallet users try to protect their secrets on their own, they are damned if they do. As demonstrated by the many passwords that have been lost or forgotten over time, there is too much risk in trusting oneself to safeguard such important secrets. On the other hand, if, instead of being the caretaker of your own secrets (the “damned if you don’t” option), you give the responsibility to a centralized entity like a centralized cryptocurrency exchange, you are wagering that the central organization will never fail in its responsibility to you. This is especially true because the US Government offers nothing like the FDIC to insure cryptocurrency depositors against any amount of loss.
When it comes to protecting yourself against the loss of these three very important types of secrets – the private keys to your blockchain accounts and the passwords and mnemonic/seed phrases to your wallets – the DeRec Protocol is a royalty-free open standard protocol that offers the best of both worlds. It’s a single protocol that makes it easy to recover any of these secrets in the event that they somehow get forgotten, destroyed, misplaced, lost or stolen. The end-user is relieved from the burdensome responsibility of fashioning their own failure-prone system for making sure they never lose access to their accounts and any associated assets. At the same time, there’s no need for users to encumber themselves with the risks inherent to centralized service providers such as centralized exchanges.
To learn more about how the protocol works, see What is Decentralized Recovery?