An open source collaboration between Unchained Capital and SatoshiLabs engineers gives Trezor hardware wallets the ability to confirm multisignature addresses displayed in a browser on the device, protecting bitcoin multisignature users from browser-based attacks.
Multisignature is a native address type in bitcoin that enhances the security of your holdings by eliminating single points of failure. If you are securing bitcoin with a single hardware wallet, losing your hardware wallet, recovery seed, or a passphrase means that your bitcoin are immediately put at risk. Compared with more familiar bitcoin addresses (single signature), multisignature requires multiple keys in order to build and spend from an address.
This increases security by creating redundancy, but also increases the complexity of your security system. A common multisignature address type is 2-of-3, meaning 3 unique keys are used to build the address and 2 of those 3 keys must sign in order to spend from it, much like a safety deposit box that requires 2 keys.
Bitcoin keys can be stored on hardware wallets, such as a Trezor, which allow users to generate addresses and sign bitcoin transactions. With multisignature, multiple public keys from multiple Trezors (or other hardware wallets) can be shared and used to generate bitcoin addresses; the same devices can then sign transactions with private keys that are exclusively stored on the hardware device (often requiring multiple keys such as 2-of-3 to sign and transfer any bitcoin). Whether using single signature or multisignature, public keys are shared from a device with a service that builds and displays bitcoin addresses (wallet.trezor.io or my.unchained.com), and the private keys are kept safe and secure on the device itself.
At Unchained Capital, we work with multisignature addresses in the browser, much like Trezor’s wallet (wallet.trezor.io) coordinates single signature addresses via the browser. One historical challenge of multisignature in the browser was that no hardware wallet could verify, on the device itself, that it held 1 of the keys in a multisignature address. Until now.
Dhruv Bansal, co-founder of Unchained Capital, and Szymon Lesisz and Pavol Rusnak of SatoshiLabs collaborated on open source development in order to improve Trezor Multisignature functionality by enabling a critical function for multisignature security – the ability to easily confirm a multisignature address displayed in the browser on a Trezor.
This functionality means you no longer need to trust any internet-connected device to display multisignature addresses you control correctly, protecting you from malicious browser extensions, malware, or from Unchained Capital itself giving you incorrect information. With Trezors, you can always confirm that multisignature addresses presented to you are controlled and spendable by your Trezor hardware devices.
This is a big win for bitcoin security overall as more companies go bitcoin native by offering clients the ability to hold their own keys in collaborative multisignature, like Unchained Capital does today.
How it works
- When you see a bitcoin address in an Unchained Capital product or Caravan, an icon or button appears to allow you to confirm the address on your Trezor.
- Selecting confirm on Trezor takes you to Trezor Connect where you are asked to export addresses from your Trezor. No private data is shared with Unchained Capital.
- If the Trezor contains 1 key that is a part of the multisignature address, the address will display on the Trezor.
Confirming a multisignature address on your Trezor is easy from all Unchained Capital products and services where you hold at least 1 key. Any time you see an address that is under the control of 1 or more of your hardware wallets, a confirm on Trezor button will appear. For example, the button appears when you are about to deposit bitcoin into a vault or loan address.
Vault or loan destination and change addresses also display a confirm on Trezor icon during the transaction signing workflow. This way you can confirm that the change address for your vault or loan is also controlled by a private key stored on your Trezor before broadcasting an immutable bitcoin transaction.
This functionality is also available in Caravan for anonymous bitcoiners securing their bitcoin in multisignature addresses without working with any company. The “Confirm on Device” functionality is found under the address details on the Addresses tab.
Confirm that your Trezor contains a private key that controls your multisignature addresses by logging into your Unchained Capital account and trying it out today. Don’t Trust, Verify.
Setting the Standard for Multisignature
Trezor is currently the only hardware wallet manufacturer that supports confirming your multisignature address on device via the browser, so it is the easiest way to ensure that you own the keys that control addresses. For other hardware wallets, there is still a path to confirm that your device contains a public key included in a multisignature address by performing a key check with Caravan on a specific address under the Script Explorer menu.
Additionally, it is possible to rebuild all Unchained Capital multisignature addresses in Electrum, which can be used as an additional channel outside of a browser to confirm that your devices hold the keys to addresses.
Unchained Capital is excited to once again collaborate with the SatoshiLabs team on important open source development for bitcoin, as we did last year with SLIP-0039, and we look forward to working with additional hardware wallet manufacturers to enable similar features for their devices.
Improving the security of bitcoin multisignature in the browser is critical for enhancing the overall security of bitcoin, since browsers are one of the most common ways individuals interact with businesses and services. Enhancing the security of the most common workflows makes it more difficult for hackers or malicious businesses to steal bitcoin moving forward, making the entire bitcoin economy safer and more friendly to newcomers.
Please reach out to Hello@unchained.com for more information.