Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of the crypto.news main article.
Traditional software-as-a-service-based multi-party computer administrators are often seen as the “convenient” solution in the crypto universe, managing a staggering portion of decentralized assets. But the reality is that convenience is quickly diminishing, revealing a host of limitations, unexpected risks and challenges as you delve deeper into the technological aspects of protecting digital currencies.
You might also like: How crypto can reach the next billion users | Opinion
Regardless of your attitude toward decentralization or centralization, it is essential to recognize that the appearance of control over private keys can be marred by a lack of control over policies and infrastructure that you do not control.
The rise and risks of SaaS-based MPC wallets
The rise of SaaS-based MPC wallets has had a significant impact on the crypto landscape, allowing businesses to manage digital assets with ease and perceived security. These wallets are typically provided by technology companies that are currently increasingly positioning themselves as non-custodial service providers. Despite this label, however, these solutions still require users to rely on a centralized party to securely coordinate signing and key generation, placing them high on the custody spectrum when it comes to control over assets.
This dependence on a centralized service provider creates a situation where control and security are not entirely in the hands of the institution using the service. While these technology providers don’t operate like traditional third-party custodians like BitGo or Anchorage – which are highly regulated and offer fully managed custody services – they still introduce a central point of control and potential vulnerability. MPC technology, as used by both SaaS-based providers and traditional administrators, involves splitting cryptographic keys needed for transactions into multiple parts, distributed among different parties to improve security.
However, in the case of SaaS-based solutions, the centralization of these services within a few dominant players brings new risks. One is that these providers become attractive targets for hackers because of their significant control over many customers’ assets, creating a vulnerability similar to that of centralized exchanges. Second, the concentration of control in these SaaS-based models not only increases security risks, but also indirectly limits the autonomy of crypto companies.
Relying on a third-party vendor to manage critical aspects of digital asset security can limit institutions’ ability to manage policies, procedures, and overall management of their assets. This centralization contrasts with the decentralized ethos of the crypto industry, where individual sovereignty over digital assets is paramount.
The challenges of dependency and trust in MPC custodians
While MPC wallets often claim that they are not held in escrow because the institution holds part of the key, the reality is much more complex: the heavy reliance on third-party providers for day-to-day operations, security and service availability poses significant risks with it. . Although the customer institution holds a key share, all other components that influence the use or potential misuse of key shares remain under the control of the seller. This setup creates vulnerabilities around the integrity of key signing, but more importantly creates friction in the customer experience, an operational risk that must be taken into account. For example, each policy change could take a few weeks if the supplier doesn’t prioritize it, causing significant delays and operational inefficiencies.
Analyze this potential impact further. MPC wallets can have longer transaction times, and their reliance on vendors for routine account changes and maintenance can be problematic. If a team member leaves, access is revoked at the vendor’s pace. This can take significant time, resulting in a period where asset safety may be at risk. In addition, service interruptions for maintenance during business hours can disrupt business operations. Additionally, recovery of assets in disaster scenarios can take up to 48 hours; a period that is far too long for any organization dealing with high-value transactions. These operational dependencies can be very difficult. Ultimately, they pose security risks that contradict what decentralization stands for, which is running your own wallet infrastructure.
For regulated financial institutions or companies with strict security requirements, these dependencies are deal breakers. That’s because the operational risks and costs associated with relying on third-party MPC wallet solutions are often unacceptable to internal risk teams. These teams may be uncomfortable with the inherent uncertainties and potential for delayed response times that these products bring. As a result, many MPC wallet solutions fail to pass rigorous risk assessment scrutiny, preventing them from being adopted by institutions that require the highest levels of security and operational control.
A new paradigm for crypto custody
If current SaaS solutions represent the “trust us” model, the ideal solution should move to a “trust but verify” approach and ultimately to a “never trust, always verify” model. This shift allows customers to partially or fully host the software, giving them control and ownership over critical IT infrastructure. By eliminating the opaque activities inherent in black box SaaS solutions, institutions not only mitigate the operational risks hidden in the friction of operating in a third-party sandbox, but also enable more flexible infrastructure management.
This improved control supports better risk management and allows institutions to quickly adapt to market demands, ultimately driving revenue growth and positively impacting the bottom line.
A practical solution integrates critical management and policy controls into a comprehensive platform, allowing institutions to manage their digital assets within a zero-trust security framework. This architecture continuously validates every interaction, eliminating implicit trust and improving security. By using a service-oriented architecture, institutions can tailor the system to their unique requirements, ensuring scalability, high performance and robust security.
Today’s market offering, which is completely dependent on SaaS-based MPC wallets, places over-reliance on vendors that control all components, including cryptographic processes, keys, policies and transaction data. By moving toward solutions that enable institutions to own and control critical parts of their digital asset infrastructure, the industry can mitigate risk and reduce vulnerabilities while more closely adhering to the principles of decentralization. Such a transformation is essential for promoting trust and security in the rapidly evolving crypto landscape.
Now is the time for institutions to take control of their policies. By implementing models that provide partial or full control over key management and enforcement of policies, institutions can better align themselves with the appropriate treatment and supervision of service providers or outsourcing arrangements. This paradigm shift is essential to the future of the industry, and it is something that is poised to protect crypto’s core values while paving the way for continued innovation and trust.
Read more: Ownership of Everything: Centralization vs. Decentralization | Opinion
Haden Patrick
Haden Patrick is director of operations for Cordial Systems, a provider of institutional-grade self-management software that uses a zero-trust security model. Haden has leadership experience in team leadership, engineering and education, stemming from his 24-year career as a Navy officer. After co-founding SoloKeys, the first open source security key company, he managed projects connecting web3 with traditional finance at a cryptocurrency trading firm before joining Cordial Systems.