Meeting notes (based on Topics for Wallet Ring gathering tomorrow 15:30 in the workshop room of National House Smichov and extended a bit)
Attendees:
- Corey Petti - Security Eng.
- Michelle - Hardware wallet dev.
- Guy-Louis Gray - Product and biz
imToken: popular in China, handling 10% of Ethereum transaction volume.
- Kaz - dev
- @p0s - Business dev.
- @brunobar79 - Dev
Talking points
Hardware wallet from Status:
- Integration with phones and card reader
- 6-digit PIN or pin-less paths
- has no screen
- There are other ones (UBI or CoolWallet, which use Bluetooth)
- Would be cool to integrate with MetaMask (leverage NFC on the phone via WalletConnect maybe?). USB through a card reader is not an easy route
- Android support only (iOS is blocked because of limited NFC support) (note from ligi: this is not a bug, but a feature)
- Status has a Java library already: https://github.com/status-im/hardware-wallet
- Higher-level Kotlin library emerging: https://github.com/walleth/KHardWareWallet
- Discussed the challenges of backing up cards without exposing the key to an untrusted device
- Biometrics for PIN auth? Ideally would be a good 2nd factor auth. Could be added optionally
- BIP 44 for different sets of keys for Whisper / other identity scenarios (e.g. door unlocking)
- Using it as a backup solution - no more mnemonic keys - improving UX. Question: will the card work in XX years? A: 1) The same chips are used for SIM cards, with some guarantees that they keep working. 2) They are cheap - so one could get multiple ones and distribute them (even to untrusted parties) - then there could be a protocol in which you challenge these parties to prove that they still have the cards (via the pinless path)
- Using them as an initial token/ETH distribution method (like ether.cards) - Idea: wrap them in sealed, aluminium-wrapped packaging - so no PIN is needed - just go to a store and buy a card preloaded with ETH. Unwrap and tap to your phone -> finished. This also prevents trolls from rendering them inaccessible by making requests with wrong PINs without buying
- How to remove the tight coupling to a specific wallet. Currently it is already quite decoupled - one thing is left: when a user has no wallet installed that can deal with the cards, the Play Store is invoked and suggests installing status.im. In the future it will be possible to change this via commands - currently you have to recompile the applet. Ideally there is a proxy app that knows which wallets are compatible with the phone/card/region and offers to install any of them (can be built using https://github.com/ethereum-wallets - a field needs to be added there)
- Plausible deniability (we need the ability to define a PIN that leads to a different derivation path - the Status hardware wallet team mentioned they are thinking about this problem and want to add this in the future)
imKey
- Hardware wallet from imToken
- Works via Bluetooth
- Has a screen
Action items:
- Create a specific “room” on ETH-Magicians to follow up
- Get these wallets into the hands of users (status.im will make an initial run of 1000 in January)
- Get more wallets to support this
- Add field in https://github.com/ethereum-wallets to indicate which wallets support which hardware wallets (might at some point also help with 3)