pull down to refresh

Photon SDK for seedless bitcoin wallet designsdocs.photonsdk.org/
1277 sats \ 21 comments \ @Scoresby 18 Jun bitcoin
I saw @moneyball post about Photon SDK on X. It was made by @tankredhase (on X) in 2022 (it was for lightning back then, but looks like it's an onchain thing now) but looks similar to the Bitkey model of seedless backup.
App developers can build compelling seedless user experiences using encrypted cloud backup and multi-sig.
The SDK is open source and includes a key server, api, react native client and a demo app.
I'm torn on the seedless idea. Bitkey makes it very difficult for users to extract their private key data and in a panel at Bitcoin 2025, Max Guise, from Block/Bitkey, said that wallet portability could mean "sending to a new address." This feels a lot like vendor lock in to me.
On X, I pushed on the question a little bit: do Bitkey users have to use Bitkey electrum nodes? Can Bitkey prevent users from signing or broadcasting a transaction? And the answer seems to be negative in both cases. But it's not exactly easy. Users have to download an emergency recovery kit from a github repo and sideload it on their phone and a lot of the redundancy goes away (if you are in a situation where you cannot access Bitkey's services AND you lose either your phone or your Bitkey device, you are screwed).
So, if this SDK is similar to Bitkey, I hope it allows users to export key material more easily. How do stackers feel about seedless?
write
preview
related posts
202 sats \ 11 replies \ @moneyball 18 Jun
The emergency kit is only needed if the mobile app is forcibly removed from your phone. That's an extreme case.
Otherwise just send your funds using the app to move to a new wallet.
Vendor lock-in is made up FUD come on.
reply
203 sats \ 10 replies \ @Scoresby OP 18 Jun
There is still a fundamental difference between key material that can be imported into multiple different wallets and the design that is move to a new wallet by sending your coins (signing a transaction).
If I am in a country that gets sanctioned by the US and I use a Bitkey, I will likely no longer be able to connect to any Bitkey server. Okay, this is fine if I can turn on the app and get to the point where I can select a different electrum server.
However, if there is any point during the process of creating, signing and broadcasting a transaction that requires something from a Bitkey server, then I have to rely on the emergency recovery kit.
Seeds, though they carry other risks, do have a great advantage on this. I can stop using whatever wallet won't work for me and import the seeds into a different wallet pretty easily. This seems valuable to me. I wish the Bitkey design made it easier to export my keys if I really wanted to.
reply
100 sats \ 9 replies \ @moneyball 18 Jun
If you use your own Electrum server and sign with your mobile app and Bitkey device why do you need Bitkey's server?
And again, in the scenario where the US sanctions a country, the emergency exit kit exists.
You said vendor lock-in. Please support such a claim.
reply
187 sats \ 8 replies \ @Scoresby OP 18 Jun
I'm thinking of the scenario where I'm just a normal Bitkey user. I don't know much about public electrum servers. But I happen to be in a country the US suddenly picks a fight with.
If I haven't preplanned for this scenario, will I be able to still sign a transaction?
In the case of seeds words, I don't have to worry. Lots of wallet software supports the standard.
Bitkey's solution is not so much like a standard. It is unique to Bitkey and telling users that there's no vendor lock in because they can send their coins to a new wallet is very tenuously true.
In general, users have understood bitcoin wallet lock in to mean you can only restore the wallet with that specific vendor's software. This is true for Bitkey.
Spend your coins to a new address is a new definition of not being locked in.
reply
117 sats \ 7 replies \ @moneyball 18 Jun
If a user is at high risk of US sanctions, then maybe Bitkey isn't the right product for them. But again, even if such a user buys Bitkey, they are not screwed if sanctions come, because they have the emergency exit kit.
There are MANY users in the world who are ill-prepared to handle private key material directly, so seedless designs are a better solution for them. Bitcoiners should rejoice that we have more options on the market.
And again, please stop with the FUD / outright lie of vendor lock-in. I still haven't seen you provide an example.
reply
0 sats \ 6 replies \ @Scoresby OP 18 Jun
Do you agree that "send to a new address" is a new definition of not being locked in?
Is it true that I can only restore my Bitkey wallet in another instance of Bitkey app?
Those are my examples.
There are MANY users in the world who are ill-prepared to handle private key material directly
Sure, but why not make it just a little easier to export my keys? It doesn't have to be super easy, but what is the risk of allowing users (with some very large scary warning) export their keys, or even seed words that make it easy to import to another wallet?
view all 6 replies
136 sats \ 5 replies \ @k00b 9h
The way I see it is that everyone complains about how no one self-custodies and it's too hard, then someone comes up with an alternative approach to self-custody and everyone complains that it's foul play because it doesn't work like everything else.
Moving the conversation to ulterior motives without assessing whether seedless has a better UX or not is a tad suspicious. If the UX isn't improved, feel free to claim lock-in is the reason for the difference. If the UX is better, and the seed can't be exposed without compromising this better UX, then perhaps lock-in isn't the motive.
afaict most of the lock-in narrative is radiating from competitors, who just might be hyper sensitive to flaws, or might have ulterior motives of their own. afaict these competitors are failing to steward us into an era of self-custody via The True Way, and their "solution" is to call retail stupid and lazy and competitors corrupt.
We need people/companies experimenting with new approaches to self-custody with new tradeoffs if we want more folks to self-custody.
reply
100 sats \ 4 replies \ @Scoresby OP 9h
If the UX isn't improved, feel free to claim lock-in is the reason for the difference. If the UX is better, and the seed can't be exposed without compromising this better UX, then perhaps lock-in isn't the motive.
The UX of their backup and recovery flow is interesting and seems like it could be a good new way for Bitcoiners to do long term storage.
What I'm struggling with is the way they prevent users from exporting key material.
In Bitcoin, where "not your keys, not your coins" has been such a rallying cry, I don't agree that "you can send your coins to a new address" = just the same as normal self-custody portability.
"You can send your coins to a new address" is not as strong a guarantee as "you can import your wallet state into a lot of other software."
Bitkey's design could have included a reasonably safe way to export keys (unless they believe there is no safe way for users to handle raw keys...which again is a pretty big departure from Bitcoin culture, not just a UX change).
However, the design of their multisig or how they set up the keys makes it difficult to import into other wallets as well. If a wallet wants to do fancy things that no other wallet supports, this carries a pretty big risk, I think; but, even in that case, I'd like a wallet that lets me export my keys and descriptor or state so I could at least attempt to recover in another wallet.
I still feel that a hardware wallet that is only portable to a different device via a transaction feels a lot like vendor lock in.
We need people/companies experimenting with new approaches to self-custody with new tradeoffs if we want more folks to self-custody.
This is a great point. Nobody was being too critical of Bitkey until they began their "Seedless is safer" advertising campaign. I agree that new solutions are needed and Bitkey is definitely one of them. I think they could have avoided many reactions like mine if they had said "We've got a new solution, it's very robust for all sorts of reasons, one of the trade-offs is that you can't export your key material" instead of saying, "Actually, you shouldn't be able to export your key material because it's dangerous."
reply
102 sats \ 3 replies \ @k00b 9h
I still feel that a hardware wallet that is only portable to a different device via a transaction feels a lot like vendor lock in.
I disagree, and I feel like it's worth saying so. This is sort of like calling a white lie fraud. It quacks like a goose not a duck.
Imagine apple cloud let you transfer your photos to google cloud via a button click. Is this lock-in? Sounds like the opposite to me. Is it suddenly lock-in if a competitor, say dropbox, syncs everything locally and you don't have to do the transfer to move to another solution? Not to me - it's just a different solution to the same problem.
I think they could have avoided many reactions like mine if they had said "We've got a new solution, it's very robust for all sorts of reasons, one of the trade-offs is that you can't export your key material" instead of saying, "Actually, you shouldn't be able to export your key material because it's dangerous."
It's hard to get attention being meek like this. Everyone took the rage bait and amplified the message. Marketing accompli.
reply
100 sats \ 0 replies \ @Scoresby OP 8h
It quacks like a goose not a duck.
This is a really nice metaphor.1 phenomenal!
Imagine apple cloud let you transfer your photos to google cloud via a button click. Is this lock-in?
In the world of Bitcoin, I believe the answer is yes. Because at any point apple cloud can refuse to honor your click.
Now, Bitkey has the Emergency Exit Kit for this scenario. But my complaint is that it makes a security trade off not made by seeds (and being able to export your key material).
A hardware signer that creates a wallet that no other type of wallet can recover is definitely a new way of thinking about security and, I believe, deserves a healthy amount of inspection.
While I enjoy marketing via controversy, it's not really "fud" when people react to the controversial statements.
But I take your points, especially the reality that self custody is not coming to Bitcoin in any great number and that we need good solutions for lots of use-cases.

Footnotes

  1. I had to take a minute to figure out if it was a metaphor or an analogy.
reply
102 sats \ 1 reply \ @k00b 8h
Anyway, I'm obscuring my own point. I just think trying to get to motive is tricky.
I also find myself in a weird position apologizing for every variation of self-custody [that offers unilateral exit in all but the worst case at least] because the alternative is much worse and the alternative dominates right now.
reply
0 sats \ 0 replies \ @Scoresby OP 8h
You are right. I somewhat thoughtlessly thought "lock in" did not imply some kind of nefarious motive. It probably does.
But "not portable" does not do justice to my thoughts.
reply
34 sats \ 0 replies \ @moneyball 18 Jun
The Photon project hasn't changed. It has always been about backing up your seed.
reply
17 sats \ 0 replies \ @SevenOfNine 18 Jun
There's always a seed. It's just not yours in this design.
reply
102 sats \ 0 replies \ @seashell 13h
Seedless wallets seem nice for newbies who don’t wanna deal with keys, but that whole send coins to a new wallet thing kinda feels like slow vendor lock-in. If the app or key server goes down, you’re stuck rushing to move coins instead of just restoring keys anywhere. They should seriously let users export keys with big warnings so the power users don’t get trapped. Otherwise, it’s just trading convenience for resilience, and that’s a tough pill if you live somewhere sketchy.
reply