The Need for Speed
Crypto markets can be volatile. And since crypto never sleeps, big swings can happen at any time, day or night. As an investor, responding to market movements quickly can be the difference between capping losses and holding a losing position. In quantifiable ways, speed matters.
Even so, not all custodians agree that fast transaction times are desirable, particularly when large sums are involved. Across the institutional crypto landscape, transaction times vary wildly — from a range of minutes to hours on the fast end, to a range of hours to days on the slow end.
The range of times isn’t the issue so much as what some providers suggest those times mean.
Slow ≠ Secure
For some, slowness and security are one and the same: the more time a transaction takes, the more secure it is. Why? Because crypto transactions are irreversible, and in the event of a malicious transaction, moving slowly gives a custodian more opportunity to stop the transaction before it goes through.
Some have gone so far as to claim long transaction times are an intentional part of their security architecture, even offering delays as a security feature in the form of time-locks. But transaction speed and transaction security are independent variables, tied together only when a custodian’s technical limitations require it. Delay-as-a-feature only makes sense when custodians can’t be certain that a given transaction is authentic.
So how can custodians provide the security that crypto investors require, and also facilitate fast transactions? By truly authenticating every transaction, quickly.
Two Key Problems
When authentication systems depend on usernames and passwords, email addresses and phone numbers — all of which can be compromised — there’s just no way to be certain, up front, that a given transaction is legitimate.
True authentication requires two levels of certainty: certainty that each individual initiating or endorsing a transaction is who they say they are, and certainty that the transaction itself reflects organizational intent. Put a different way, authentication needs to rule out the possibility of malicious actors posing as legitimate users, and the possibility of internal collusion or external coercion.
We engineered Anchorage to do exactly that.
Authenticating End Users. As a form of user authentication, passwords leave much to be desired. First, they can be leaked or stolen. Second, a password doesn’t establish an end user’s identity; it only proves that someone — anyone — possesses it.
Setting up SMS-based two-factor authentication (2FA) on a personal device improves security, but it still doesn’t prove an end user’s identity. Ask anyone who has fallen victim to a SIM-swap attack — say, the people who literally wrote the book on blockchain technology, or the BitGo engineer whose personal Coinbase account was drained of more than $100k worth of digital assets — and they will likely agree that there’s a difference between authenticating devices and authenticating users.
Whitelisted devices and paired hardware security keys protect against attacks like SIM-jacking by ensuring an attacker can’t access your account from an unfamiliar device, but if a trusted device is stolen, an attacker can use the trusted device to authenticate transactions as if they were you.
While they each represent different degrees of security, passwords and whitelists and hardware keys simply don’t authenticate users. Biometrics do.
Biometrics establish end user identity — and multiple parallel forms of biometrics prove, without a doubt, that all end users are who they say they are. This is why Anchorage couples biometric signatures with sophisticated behavioral analytics to authenticate users: because all other authentication measures fall short. Biometric authentication also has the added benefit of being fast.
Definitively authenticating end users is a huge part of authenticating transactions. On its own, though, it’s still not enough.
Authenticating Organizational Intent. Even legitimate users can set malicious transactions in motion, either intentionally or under coercion, and disgruntled insiders can collude to move funds. For these reasons, custodians also need to authenticate organizational intent — to determine whether or not a requested transaction is really what a given entity wants. How? With transaction-governing rules that match a client’s organizational structure.
Say, for instance, five people at your company can initiate transactions, and the CEO wants final say on everything. First, requiring multiple users to approve transactions means no one can move funds unilaterally. Second, requiring CEO sign-off makes it impossible to move funds otherwise, even if a quorum of approvers worked in concert to meet the numerical approval threshold.
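The rule in this scenario, written as a small policy check (an added example, not Anchorage's code; all names are hypothetical). It assumes each approval has already been authenticated, is bound to one transaction id, and that the quorum is counted among the five approvers separately from the CEO's sign-off.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    approvers: frozenset   # users allowed to endorse transactions
    threshold: int         # minimum number of distinct approver endorsements
    required: frozenset    # users whose sign-off is mandatory

@dataclass(frozen=True)
class Approval:
    user: str              # identity established by prior user authentication
    tx_id: str             # the one transaction this endorsement is bound to

def evaluate(policy, tx_id, approvals):
    """Return (allowed, reason) for one transaction under the policy."""
    # A set counts each user once; endorsements for other transactions are ignored.
    signers = {a.user for a in approvals if a.tx_id == tx_id}
    missing = policy.required - signers
    if missing:
        return False, "missing required sign-off: " + ", ".join(sorted(missing))
    # Only listed approvers count toward the quorum; unknown users are dropped.
    quorum = signers & policy.approvers
    if len(quorum) < policy.threshold:
        return False, f"quorum not met: {len(quorum)}/{policy.threshold}"
    return True, "approved"

# Constructed sample policy: five approvers, 3 endorsements needed, CEO must sign.
POLICY = Policy(
    approvers=frozenset({"alice", "bob", "carol", "dan", "erin"}),
    threshold=3,
    required=frozenset({"ceo"}),
)

def demo(tx="tx-001"):
    def ap(*users, tx_id=tx):
        return [Approval(u, tx_id) for u in users]
    return {
        "quorum_without_ceo": evaluate(POLICY, tx, ap("alice", "bob", "carol", "dan")),
        "duplicate_approvals": evaluate(POLICY, tx, ap("ceo", "alice", "alice", "alice")),
        "unknown_approver": evaluate(POLICY, tx, ap("ceo", "alice", "bob", "mallory")),
        "approval_for_other_tx": evaluate(
            POLICY, tx, ap("ceo", "alice", "bob") + ap("carol", tx_id="tx-002")),
        "quorum_with_ceo": evaluate(POLICY, tx, ap("ceo", "alice", "bob", "carol")),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```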
To complete transactional review, Anchorage uses a combination of machine learning models and human reviewers to identify outliers in client behavior, location, and a variety of other data points. With these safeguards in place, atypical transfer behavior — behavior that may indicate internal collusion or other malicious activity — stands out against an established pattern of legitimate behavior. In this context, signs of end user distress typically associated with external coercion become similarly conspicuous.
Giving client organizations the power to customize account policies to meet their organizational needs ensures each transaction aligns with organizational intent. That said, approval quorums are only as secure as their end user authentication. When organizational structure and security architecture align on top of biometric signatures, the process itself becomes impossibly difficult to corrupt — and we get true authentication.
Execution
After a transaction is authenticated, it still needs to be executed. At Anchorage, since the bar for authentication is exceedingly high, we’re able to execute transactions in a range from minutes to hours, with 90% of transactions processing in under 15 minutes.
With cold storage, execution times fall in a range of hours to days. Why? Because the process itself is slow. To transact, a human has to physically get themselves to whatever secure location is storing private key material. That location might be a secret vault, a safe deposit box, or somewhere deep inside a Swiss mountain. Wherever it is, it takes time to get there. It’s precisely this lag in transaction time that cold storage custodians try to sell as part of their “security architecture.”
To speed things up, some cold storage custodians designate specific transaction windows each day — times designated for a human to visit the vault/deposit box/mountain to sign batches of transactions en masse. While this may result in shorter transaction times if you schedule ahead, or if you hit the window just right, it still makes investors beholden to their custodian’s schedule.
Beyond being inherently slow, this part of the process introduces the possibility for error. Signing from cold storage ultimately depends on a number of manual human operations. And humans make mistakes. A lot of them.
What humans do best
In the world of digital assets, the risks associated with human error are irreversible. If someone makes a mistake — say, pushes through a transaction that they shouldn’t have, or loses or destroys even a shard of a private key — there are no second chances.
Of course, nobody is suggesting we eliminate humans (at least not entirely).
Humans are great at some things and bad at others. They are great at reading body language, great at understanding context, great at picking up on nuance, and great at making judgments based on those readings. That’s why we have human reviewers, who know their clients, examine all the data when they validate every transaction. But we never put humans in contact with private key material. The risk is just too great.
Humans are bad at flawlessly executing commands, perfectly, over and over again. For that job, we have specialized hardware. All key generation and signing is done entirely within HSMs, so there’s no risk of a human operator messing it up. That, and it’s fast.
True authentication and flawless execution
Ultimately, custodians need to be able to 1) authenticate end user identity with certainty, 2) verify organizational intent by supporting sign offs that map to clients’ own internal processes, and 3) execute commands flawlessly, every time. Anything less leaves the process as a whole vulnerable to compromise. And doing things slowly does nothing to change that fact.
When you have all three pieces, from a security standpoint, it makes no difference if a transaction takes minutes or days. So, we choose minutes.
As an investor, simply having the option to use your funds as you wish, on your schedule, without compromising security, is a significant advantage over investors who have to wait a day or two whenever they need to move funds — or compromise security to get it done faster.
So, the next time your custodian tells you it’ll take hours or a day to transact, ask them: what’s taking so long?