How Copay, BitPay’s Multisig Wallet, Helps Keep Your Bitcoins Safe
Bitcoin security is a difficult topic, not because of any particular feature of Bitcoin, but because computer security in general is a difficult topic. Because we do not live in a world that takes security seriously, no major modern operating system does automatic, performance-friendly sandboxing of applications — which means that if you’ve ever installed a third-party application on your computer, there’s a chance that the entire machine has already been compromised by malware.
That malware could do a lot of things, but the thing that’s of the most concern to you as a Bitcoin user is that the malware could simply hang out on your machine, periodically scanning the hard drive and RAM of your computer until it sees something formatted like the private key to a Bitcoin wallet, at which point it could simply phone home and let its master empty your Bitcoin wallet. This can, of course, also occur with your bank account details, but that threat is made less serious because centralized systems can offer a human-adjudicated recourse in the event of this sort of theft, a luxury that Bitcoin does not have.
Right now, this sort of malware is relatively uncommon. However, if you expect Bitcoin to continue to gather speed and momentum, you must also expect this sort of malware to become more common and more effective, as it becomes more profitable to create it.
Today, BitPay, the world’s largest Bitcoin payment processor, released a product that may be able to reduce the effectiveness of this kind of malware, and help to keep locally-stored Bitcoin holdings safe from malicious hackers. Copay is an open-source Bitcoin wallet that runs in the browser as a web app, but does all processing locally and uses browser storage to hold sensitive information. BitPay does not have access to your private keys, and can’t access your Bitcoins, reducing the level of trust required by a solution like Coinbase. The interface is clean and usable and, as a simple wallet, is a very effective solution.
This is all well and good, but the really cool part is that Copay makes use of a technology called multi-signature. The way this works is that individual wallets can be created with multiple private keys in such a way that money can only be spent when all of the private keys sign a particular transaction. You can do a lot of cool things with this: You can create the equivalent of joint bank accounts that can only be accessed with the consent of all parties — handy for married couples, or the boards of corporations. Or, you can give money to people under the supervision of someone else, where they need the consent of the supervisor to make purchases (you can imagine these sorts of wallets being handed out to underage relatives as part of an inheritance, where the parents are given the second key and need to sign off on any expenditures). These sorts of applications give us a glimpse into what the world of Bitcoin finance might look like in the near future as Bitcoin (or another cryptocurrency) stabilizes in value and becomes the standard unit of account across the world.
More relevant, though, are the implications of multi-signature technology to Bitcoin security. Multi-signature allows you to create two-factor authentication wallets without the need to trust a central service to manage your wallet. In other words, you can operate a cold wallet with one private key stored on your PC, and one stored on your phone. Both devices would then be needed to authorize the transfer of Bitcoins out of your cold wallet. If either device has a malware infestation, your Bitcoins are still safe: An attacker would need to compromise both devices individually in order to be able to steal your Bitcoins. In the future, it’ll likely also be possible to use dedicated, malware-hardened hardware devices that link to your phone via Bluetooth to provide the second key, allowing you to make secure transactions from your phone on the go, protecting your hot wallet as well as your cold one.
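The two-device scheme described above, modelled as an added example (not Copay's or BitPay's code). It mirrors the ordered signature matching of Bitcoin's OP_CHECKMULTISIG and, through the `required` parameter, generalizes from the all-keys case to m-of-n. The function names and the spend message are assumptions, and it signs a SHA-256 hash of a string rather than a real Bitcoin transaction.

```javascript
// Added illustration of the multisig spending rule; not Copay or bitcore code.
// Function names and the sample message are constructed for this example.
const nodeCrypto = require('crypto');

// One secp256k1 key pair per device (the curve Bitcoin uses).
function newDeviceKey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
}

// Simplification: ECDSA over SHA-256 of a string, not a real transaction hash.
function signSpend(message, device) {
  return nodeCrypto.sign('sha256', Buffer.from(message), device.privateKey);
}

// Like OP_CHECKMULTISIG: signatures must come in the same order as the public
// keys, and each public key can satisfy at most one signature.
function checkMultisig(message, signatures, publicKeys, required) {
  if (signatures.length !== required) return false;
  const data = Buffer.from(message);
  let k = 0;
  for (const sig of signatures) {
    let matched = false;
    while (k < publicKeys.length && !matched) {
      matched = nodeCrypto.verify('sha256', data, publicKeys[k], sig);
      k += 1;
    }
    if (!matched) return false; // ran out of keys for this signature
  }
  return true;
}

function demo() {
  const pc = newDeviceKey();
  const phone = newDeviceKey();
  const outsider = newDeviceKey(); // a key that is not part of the wallet
  const wallet = [pc.publicKey, phone.publicKey]; // 2-of-2: PC + phone
  const spend = 'constructed spend: 0.5 BTC to example address';
  const pcSig = signSpend(spend, pc);
  const phoneSig = signSpend(spend, phone);
  return {
    bothDevices: checkMultisig(spend, [pcSig, phoneSig], wallet, 2),
    pcOnly: checkMultisig(spend, [pcSig], wallet, 2),
    pcSigReused: checkMultisig(spend, [pcSig, pcSig], wallet, 2),
    pcPlusOutsider: checkMultisig(spend, [pcSig, signSpend(spend, outsider)], wallet, 2),
    alteredSpend: checkMultisig(spend + ' (altered)', [pcSig, phoneSig], wallet, 2),
  };
}

console.log(demo());
```

Only the case signed by both devices over the unmodified spend is accepted; a single compromised key, a replayed signature, or a changed payload is rejected.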
To make the entire scheme more robust, the Copay system connects the payers of multi-signature wallets together in a peer-to-peer fashion. The service’s only centralized component is servers that provide a bridge into the network, and those servers are open-source and can be run by anyone. The result is that the network can’t be destroyed by the failure, defection, or destruction of any central authority, including BitPay itself, which is important if you plan to entrust a significant amount of money to a multi-signature wallet, and aren’t bullish on the odds of the current round of Bitcoin companies still existing five years out.
Although multi-signature technology is not new, Copay is the first service to expose that functionality in a robust, decentralized, and user-friendly way, and it’s very exciting. This technology is going a long way to reduce the risk associated with Bitcoin, and help people to feel safe using it — which is, in turn, going to make it much easier to sell the world on the value of a Bitcoin future.