Finder makes money from featured partners, but editorial opinions are our own.

Self-sovereign cryptocurrency private key recovery introduced by Squarelink



Private key management has come a long way, but there's still an enormous distance to go.

Squarelink is now "the only pure non-custodial private key recovery platform for cryptocurrency and blockchain applications", according to a press release.

It's worth putting the problem this solves in the context of what cryptocurrency needs for wider adoption.

Not your keys, not your crypto

Or maybe it's "your keys, your crypto" if you're more of a glass-half-full type.

Private key management is simultaneously one of the most commonly-identified obstacles to cryptocurrency adoption and one of the least-solved problems in the space.

Part of the issue is that it's just so comprehensively alien to what people are used to and to what they want. One of the most definitive technology trends of the last decade is a constant consumer preference for convenience over security and a strong desire to outsource management of our personal data to third parties for the sake of even more convenience.

But cryptocurrency, by its self-sovereign nature, inhabits the exact opposite end of the scale. Suddenly, the full weight of management is put back onto the end user, who mostly just wanted to make a quick buck rather than babysit a password in perpetuity. It runs counter to everything we've come to expect from other technologies that gravitate towards speed and convenience.

Beyond convenience, there's also the risk of having no recourse if something goes wrong. The strong growth of digital asset custody services in recent years is a testament to the fact that a lot of people would much rather risk using a licensed and regulated third party than be left with no recourse in case of human error on their end.

It's a valid concern.

According to BitInfoCharts, 64% of Bitcoin in circulation has not moved in over a year, 39% has not moved in two years and 24% has not moved in five years. The first possible conclusion here is that all these hodlers have strong hands. The second conclusion, which is potentially much more likely based on the fact that the overwhelming majority of dormant addresses over the years never made a single transfer out, is that private key management sucks and the vast majority of Bitcoin is gone forever.

Another piece of evidence, which lends further support to the theory of lost keys rather than strong hands, is that private key management does indeed suck. That said, the immutability and censorship resistance of cryptocurrency, and to a certain extent the generally low cost of using it, hinge on personally managing one's own keys.

At the intersection of these problems, we find the highly-specific, but also potentially very important, question of how to create a reliable non-custodial private key recovery system.

The answer, in short, is lots and lots of cryptography.

Username and password and private key

Squarelink aims to be a holistic private key management service, bringing that "single sign-in" convenience to blockchain, where you can use the same account to sign into a wide range of dapps.

As such, the main event of a Squarelink account is an encrypted 512-bit Master Key, which can be used to access a number of private keys on the same Squarelink account.

This Master Key is generated at the time of account creation. When a user sets up an account, they enter their email address and choose a password as usual. Their email and password are then individually put through the cryptographic wringer and combined with additional cryptographic mojo from the Squarelink application, and then they are put through the wringer again. This combination is used to generate the Master Key.

The Master Key is heavily encrypted and never accessible to Squarelink, but a user can still unlock it with their email and password combination on the Squarelink application. With this, you now have a system for managing multiple private keys with one email and password combination in a way that the manager cannot see the email and password.

Now you add a password recovery system.

This is done with a Recovery Seed, which can be used to re-generate the Master Key. It's an encrypted bundle kept in two separate parts, which can only be unlocked by bringing both parts together.

One of these parts is a combination of a public key derived from the Master Key and the aforementioned cryptographic mojo, which is stored in relation to the user's password. As such, this half is intrinsically tied to the account's Master Key and the account, but it's also encrypted in its own way and useless by itself.

The other half is a separately-encrypted version of the password, which can only be unlocked by data the user provides. This data can be any combination of security questions, PGP authentication and Universal Second Factor (U2F) authentication. The user chooses which recovery method(s) they want at the time of their account creation, which is encrypted separately.

Now the user can recover a complete account simply by providing their chosen combination of security questions, PGP authentication and/or U2F authentication. This opens half the bundle, which can then be combined with the other half, which then folds out into the Recovery Seed, all without giving Squarelink or any other third party the ability to do the same.

The end result is a system where

  • The user can sign in and manage multiple private keys with an email and password login combination.
  • No third party is (theoretically) ever able to access the user's account.
  • The user can recover their account if needed by providing just the necessary information.
  • The user can choose their own balance of convenience, ease of use and security.
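A minimal sketch of the flow described above, added here as an illustration; it is not Squarelink's code or its actual algorithms. The KDF (PBKDF2-HMAC-SHA512), the app salt, the XOR split and every function name are assumptions, and the Recovery Seed is taken to be the 64-byte Master Key itself.

```python
import hashlib, hmac, secrets

APP_SALT = b"constructed-app-salt"   # assumption: stands in for the application's contribution
ROUNDS = 100_000

def stretch(secret: bytes, salt: bytes, n: int = 64) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", secret, salt, ROUNDS, dklen=n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_master_key(email: str, password: str) -> bytes:
    # Email and password are stretched individually, combined, then stretched again.
    e = stretch(email.strip().lower().encode(), APP_SALT + b"/email")
    p = stretch(password.encode(), APP_SALT + b"/password")
    return stretch(e + p, APP_SALT + b"/master")      # 64 bytes = 512 bits

def make_recovery(seed: bytes, answers: list[str]):
    """Split a 64-byte seed in two; lock part B under the user's recovery factors."""
    part_a = secrets.token_bytes(len(seed))           # random, so useless by itself
    part_b = xor(seed, part_a)
    salt = secrets.token_bytes(16)                    # fresh per bundle: the pad is never reused
    k = stretch("\x1f".join(answers).encode(), salt, 128)
    locked = xor(part_b, k[:64])                      # KDF output used as a one-time pad
    tag = hmac.new(k[64:], locked, hashlib.sha512).digest()
    return part_a, (salt, locked, tag)

def recover(part_a: bytes, locked_b, answers: list[str]) -> bytes:
    salt, locked, tag = locked_b
    k = stretch("\x1f".join(answers).encode(), salt, 128)
    expected = hmac.new(k[64:], locked, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expected):        # wrong factors fail loudly
        raise ValueError("recovery factors do not match")
    return xor(xor(locked, k[:64]), part_a)           # both parts are required
```

The sketch is only as strong as the recovery factors: low-entropy security answers can be guessed offline by anyone holding both parts, which is why a real design would favour the PGP or U2F options and an authenticated cipher over this XOR-and-HMAC wrap.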

It's not completely trustless though.

The keys will keep working on the blockchain regardless of what happens to Squarelink and its servers, but you're still dependent on Squarelink's servers for accessing funds through the email and password combination or for recovering a password. Plus, any account recovery option creates a potential new avenue for theft. You probably don't want to choose something like "mother's maiden name" as your security question – not that you'd likely even be able to.

On the one hand, this is an example of how the cryptocurrency space is evolving to become more user-friendly and solve the problems of convenience and account recovery that are limiting uptake.

On the other hand, this is an example of how difficult it is to solve the private key problem and how much further there is to go before cryptocurrency's user experience and account recovery options can match what we're used to in other technologies.

Disclosure: The author holds BNB and BTC at the time of writing.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock
