NOAH’s Non-Custodial Wallet
Learn why we’re a non-custodial wallet at NOAH, how we implemented it, and why it gives our users best-in-class security and functionality.
Wallets. We all have them. We all use them. And much to our chagrin, we’ve all lost them. Or we know someone who has. Whether it was a physical wallet left behind at a restaurant or an online account that was hacked, wallets have become synonymous with loss. How can something so essential to our lives be so vulnerable?
In reality, we’ve been forced to choose between security and convenience when it comes to wallets. That rings especially true when it comes to Bitcoin. On the one hand, we have online wallets controlled by centralized exchanges that own our private keys. It's convenient, but it's also a massive security risk. On the other hand, we have offline "cold storage" wallets that are ours and just ours, which is excellent for personal autonomy but not-so-great when it comes to keeping our Bitcoin accessible and fool-proof.
It's the difference between custodial and self-custodial wallets, and it's a trade-off that we shouldn't have to make. But what if there were a wallet that gave us the best of both worlds? A wallet that was secure and convenient?
We do. It's called a non-custodial wallet, which we use here at NOAH. Non-custodial wallets are the next evolution in Bitcoin wallets, and in this blog post, we're going to explain why we chose to use them at NOAH, why they're our favorite wallets in the game, and why they'll become the standard in the years to come.
Design PrinciplesThe world should have wallets that are easy to use — full stop. The world wants a wallet so easy that your grandma could open it up and know exactly what to do immediately. But they also want a secure wallet. So how do you design a wallet that's both? The days of needing to be a tech expert to own Bitcoin are gone. When creating the NOAH wallet, we told ourselves that we would never compromise on three core design principles: security, ownership, and simplicity.
At NOAH, nothing is more important than security. If your funds aren't secure, nothing else matters. And to us, that matters most. So our wallet adheres to the most stringent security standards in the industry, like the Payment Services Directive 2 (PSD2) Strong Customer Authentication (SCA) standard.
Furthermore, we subject our source code and wallet application to ongoing, certified security experts to help us identify any vulnerabilities.
But the most important thing to note is that we don't store any cryptographic material on your device. Instead, we use Ephemeral Key Cryptography — once a device performs its function, it deletes all cryptographic material from the device, minimizing the risk of attackers accessing your assets.
What makes NOAH's wallet fundamentally different from most is that only the NOAH wallet owner can authorize the transfer of assets. We've built NOAH to enforce your ownership, preventing anyone else — not even us — from accessing and transferring your assets to external addresses.
For full transparency it should be noted that Noah does have internal liquidity operations that transfer assets between internal customer vaults. The separation of customer vaults is a security feature that to help mitigate the risks of a security breach. These liquidity operations occur on-chain and visible to the general public.
We've put ownership in your hands through a combination of Ephemeral Key Cryptography (EKC), Multi-Party Computation (MPC), and other security controls. That's what we mean when we say that our wallet is non-custodial. We don't control your keys. You do. And that's how it should be.
However, there is one exceptional circumstance where a third party can authorize asset transfers, but this is only if disaster strikes both NOAH and one of our critical service providers. Even in this circumstance, the assets can only be transferred to a self-custodial address that you provide.
No matter what, in any scenario, you have the final say.
As the Money App of the Future, our mission is to be your one-stop shop for all things money. And as such, user experience is of paramount importance to us. In fact, we believe simplicity is fundamental to the global adoption of Bitcoin. Think of it like the internet. It wasn't until browsers that the internet really took off. The same goes for Bitcoin.
We've invested significant time and energy to engage with our community, learn from them, and design a wallet that meets their needs. The result is a beautiful, easy-to-use wallet with an intuitive design that anyone can use.
Authorizing and Signing Transactions
To convey how NOAH ensures your assets' ownership, let's look at how our wallet authorizes and signs transactions.
As a NOAH wallet owner, you are the only entity that can authorize asset transfers. To initiate a transfer, a NOAH customer must provide credentials that allow NOAH to authenticate that you are you. This is the first layer of security. As discussed, we use Strong Customer Authentication and require a secret 6-digit transaction PIN every time you initiate a transfer.
If you provide the correct pin, NOAH generates an Ephemeral Customer Signing Key that signs the transfer request. In future we plan to offer our customers the option to install a private key shard directly on their device. This option means customers devices can participate directly in MPC and, in the event of a disaster, can manage the recovery of their assets themselves.
Once NOAH receives the transfer request from the customer, we carry out security checks and ensure the availability of funds requested for transfer. Finally, suppose all the necessary criteria are met. In that case, NOAH sets the on-chain transaction signing process in motion by sending a message to the Digital Asset Service Provider (DASP), which initiates MPC.
Digital Asset Service Provider
DASP is the third corporate entity involved in the MPC on-chain transaction signing process. By using the services provided by the DASP, NOAH introduces another layer of security that prevents bad actors within NOAH from attempting to steal customer assets. In addition, a set of robust transaction authorization policy rules makes it incredibly difficult for unauthorized actors (human or otherwise) to attempt the transfer of NOAH users' assets.
Disaster Recovery Service Provider
In the event of a disaster or other black swan event, there's another actor which ensures owners' assets are returned to their self-custodial addresses. This disaster recovery service provider has no corporate affiliation with NOAH , and its only responsibility is to help NOAH account holders recover their assets in the event of an incident. For a disaster to be declared authorized, the service provider must physically identify personnel at NOAH and a semi-automated process can initiate the transfer of customers' assets to self-custody.
From the ground up, NOAH takes security and customer asset protection seriously. We designed our Non-Custodial wallet to be as secure as possible while making it easy for customers to use. As a result, your assets are well-protected, with three corporate entities involved in the signing process and disaster recovery. Crypto is rife with risk, so when building NOAH, we wanted to ensure that we went above and beyond to protect our customers' assets. We believe we've done that, and by using NOAH's Non-Custodial wallet, we hope you can sleep soundly at night knowing that your assets are safe.
This information contained in this blog post is subject to change and may be updated from time to time as NOAH’s products and services evolve. This blog post is for informational purposes only and does not constitute investment, legal, or financial advice.
*About the author: Hussein Badakhchani is a Distinguished Technologist and CTO of Noah. Hussein has 30 years of professional experience in financial services technology. Having worked for institutions such as the Bankers Automated Clearing System (BACS), Deutsche Bank, VocaLink - MasterCard, YouTrip, Wave Money, and Ziglu; Hussein has a proven track record of delivering innovative banking and financial services platforms in some of the most competitive markets in the world.*
Please be aware that:
- Cryptocurrencies are unregulated in the UK;
- Cryptocurrencies are not protected under Financial Ombudsman Service or Financial Services Compensation Scheme (FSCS);
- Profits may be subject to capital gains tax;
- The value of investments can go down as well as up