Bitclout (DeSo) Stores Seed Phrases in Google Drive Secure Enclave. But is it Really That Secure?

Decentralized Social (DeSo, formerly BitClout), a blockchain designed to power Web 3.0 decentralized social networks, has implemented a “Login with Google” feature for all apps built on its platform, which has stirred up discontent in the crypto community.

Nader Al-Naji, head of the DeSo Foundation, posted the news on his Twitter account and emphasised that such functionality would expedite mainstream adoption. “Lowering the mainstream’s barrier to entry, as DeSo Identity does, is required for mainstream adoption of crypto,” he said.

Although Al-Naji acknowledged that Chrome extensions like MetaMask are more secure, he said that ordinary users would never install them due to UI / UX and other technical complexities.

Notably, DeSo saw a private token sale worth over USD 200m to high-profile investors, including Andreessen Horowitz, Sequoia, Coinbase Ventures, etc.

While describing the new feature, Al-Naji said that the “Login with Google” uses a seed phrase but backs it up to a secure Google Drive enclave. He added that users who prefer not to use this new feature can still sign up with a seed phrase.

However, the crypto community did not welcome this new functionality with open arms, pointing out that a seed phrase backed up into the Google Drive enclave can easily be deleted or even hacked.

Major figures including Sino Global Capital CEO Matthew Graham seemed to agree: using the cloud to store seed phrases controlling potentially hundreds of thousands of dollars’ worth of crypto assets is, on its face, about as stupid as it gets.

Perhaps the most energetic rant in response to DeSo’s new “feature” came from Taylor Monahan, cybersecurity expert and CEO of wallet developer MyCrypto.

Other users mentioned that with this, the platform is further receding from crypto’s core ethos of decentralization.

Why exactly is it so bad to ask users to input the seed phrase from a crypto wallet into a web extension? For software wallets, a seed phrase is similar to a “private key” that grants direct control of a single on-chain Bitcoin account. It is generated automatically, and unlike, say, a Google password, even the wallet’s developer can’t see the phrase — or reset or recover it if it’s lost. And once someone has a wallet’s seed phrase, they can simply steal its contents.

As much as DeSo itself is dancing with the devil here, the much larger issue for critics seems to be that their seed-phrase login flow will train users in poor security practices. That could lead to even more misunderstanding and tragedy across the entire nascent Web 3 ecosystem.