Hi There,
It would be really useful if you could add support for watch only wallets on the Trezor devices.
When I create a new bitcoin wallet, I generate twenty addresses and I use one address each month to withdraw the new purchase from my exchange, as I invest in DCA. As soon as I have generated these addresses, I store my hardware wallet in a safe deposit box so my private keys are safe. I don’t want to keep any hardware wallet with my private keys at home for extended periods of time.
The only problem with this approach is I cannot verify that the bitcoin withdrawals have definitely been received successfully in my wallet. For example, I could have made a mistake when I copied and pasted an address when I withdraw coins from the exchange. Or the file where I keep these addresses could have been compromised by an attacker and replaced with a malicious address.
Hence I would like to be able to configure an hardware wallet so it becomes a watch only wallet. I would still have a proper hardware wallet with the full master key in the safe deposit box, but I could keep a hardware based watch only wallet at home to check the withdrawals are successful.
I know it is possible to export an xpub and use software wallets as watch only wallets. Even though public keys are not as sensitive as private keys, they still allow criminals to track all your assets. Hence I don’t want to take the risk of keeping my xpub stored on my computer. I consider any data which is stored on a computer can be compromised. This is the point of having hardware wallets.
I believe this feature would be easy to implement in the firmware, and it would give your products a unique differentiating feature.
Thanks
Mark
Hi @marksanders , Thank you for the feedback.
The good news is that the feature you’re describing is already available in Trezor Suite 
In earlier versions, the view-only mode was turned off by default. However, in newer versions of the Trezor Suite app, it’s enabled automatically. This means that even when your Trezor device is disconnected, you can still see your accounts, balances, and transaction activity.
You’ll only need to connect your Trezor when you want to perform actions that require signing (such as sending funds or trading). For simply monitoring your wallet activity, the device does not need to be connected.
For more information, you can refer to this article : Getting to know Trezor Suite | Trezor Knowledge Base - Section Manage your Trezor devices and wallets
Hi @Andrew00, we are talking about two different things here.
You are talking about having your public key stored in Trezor Suite, hence on your computer or smartphone which are internet connected devices, while your private key remains safe on the hardware wallet. I am talking about keeping both the public and private keys securely stored on the hardware device.
I know the public key is much less sensitive than the private key. But even though people cannot sign transaction without the private key, attackers are just one step away from being able to do so if our public key is exposed.
With segwit bitcoin addresses (starting with “bc1q”), your public key is not exposed until you spend your UTXO. These addresses are generated by hashing the public key twice. Hence for an attacker to spend your coin, they must first manage to reverse the double hashing to derive your public key from the bitcoin address, and then they must be able to derive the private key from the public key. Hence there are two big challenges for someone who wants to spend your bitcoin.
I am using Trezor hardware wallets because I understand that computers and smartphones have a very large attack surface, and anything which is stored on an online device can be stolen without me even knowing it happened. If you keep your public key (xpub) stored on your computer and it gets stolen, attackers are just one step away from having your private key, and this will become more realistic with quantum computers.
What I am asking is for an option which allows us to downgrade the hardware wallet to a mode where it delete its copy of the private key and only keeps the xpub. This way the wallet can be used to determine the public addresses, and hence you can see the transactions details, without these being exposed to internet connected device. This way the wallet could not be used to sign transactions in case you are being physically threatened by attackers who came to your home and who are forcing you to give them your PIN.
The idea is to keep a watch only hardware wallet at home to be able to verify that the transactions of my regular purchases have definitely been successful (dollar cost averaging), while the wallet with the private key is stored in a safe deposit box, as it is not required if we just want to buy and hold bitcoin for the long term.
Thanks
Mark
One significant problem with this idea is that there is no single xpub that the Trezor could store. Due to hardened derivations, you would need an xpub per account, so you’d have to create a selection mechanism that would let you pick all the accounts / xpubs to store.
(In contrast, in normal operation, the seed is the only thing stored in memory, and all accounts are derived from it on demand.)
This is sufficiently different from what Trezor currently does that it’s a step towards a wholly new product.
1 Like
Thanks for the clarifications @matejcik. So if we cannot determine the public keys without having the master private key stored in the device, there is an alternative. Instead of removing the private key from the device, we can introduce a feature flag named something such as “watch only wallet”. This feature can be enabled anytime but it could not be disabled easily (otherwise it would be pointless). When this feature flag is enabled, the wallet will refuse to sign outgoing transactions. Even though the master private key is still in the device, and assuming the secure elements remain secure, there is no way to extract the private key from the device or spend any coin.
If the legitimate user decides to turn off the “watch only wallet” feature, he will have to wipe out the device and restore the wallet from the seed phrases (which can be stored in one or multiple secure locations away from home).
The point of all of this is to be able to say to criminals that there is no way for you to send them your coins in case of a physical threat. And if they don’t believe you, you just have to try to sign a transaction until you get a clear error message saying “this is a watch only wallet hence it is impossible to sign any transaction”. Any rational criminal would then just try to go away as soon as possible before they get caught.
I think hardware wallets are excellent for protecting against remote attacks, but there is more work to do deter criminals from attempting physical threats. With the increasing financial regulations, both exchanges and governments are collecting data about all our transactions. It’s only a matter of time before these data get leaked. If not leaked through remote attacks, there are also corrupt employees of these organisations who sell data to criminals (I have just heard of such a case). And once criminals have your name, address, and list of transactions, you become an easy target for both fishing and physical threats. So I am trying to find solutions so we can be prepared and be able to convince criminals that physical threats are not worth the risk from their point of view.