Foundation Passport Official Thread

[Pmalek]

I'm not sure about the new recovery system, but until now, the microSD backups were just encrypted files that you could open on any computer and unzip, giving you a regular old seed phrase to import anywhere you like.

Digital or online/cloud backups as replacement for physical offline copies of seeds isn't and shouldn't become any sort of standard in the future. If it was Ledger that had something like that, everyone would lose their mind. I understand it's optional and you don't have to use it, but it's a dangerous option to have.

[1714284529]

1714284529

[1714284529]

1714284529

[n0nce]

You reduce the security of your seed phrase, and therefore all your coins, to the security of your Apple or Google account, which in many cases is only a simple password (and often a leaked or reused one at that!) or an insecure 2FA method which can be fairly easily intercepted such as SMS.

Your statement is unfortunately somewhat inaccurate. I'm not completely sure about the details, but both platforms require using 2FA, without an option to skip it.

From what I can tell, Apple requires 'hardware 2FA' which as a side effect notifies the user on all their devices when someone tries to log in on a new device:
https://support.apple.com/en-us/HT204915

Google apparently does allow you to use highly insecure SMS 2FA, but at least they advise against it, for what it's worth...

We recommend you use Google prompts as your second step. They’re easier to enter than a verification code and can help protect against SIM swap and other phone number-based hacks.

I've also read about the way iCloud encryption keys are generated and to the best of my knowledge, there is no known bypass / successful attack to date, besides (obviously) first- and second-factor compromise. I do think Google Cloud contents have been leaked in the past, although if they use good encryption, that shouldn't be a problem.
Let's keep in mind that we're talking about backing up a hot wallet here. So compromising the second factor for your cloud (your phone) is equivalent to compromising your hot wallet. No added risk through the backup, and added safety against data loss (e.g. through device destruction).

Bottom line is: if you have strong encryption of your files, you can post the backups anywhere you want, even on a public forum. But the question remains: how to back up these encryption keys. In case you have a secure enclave on your hardware that you trust to generate and store such keys, you do 'reduce' (in the logical sense; not quantifying) the security of your seed phrase to the security of this hardware.

I think it's fine to have such a solution, if users are aware of this fact and this circumstance is made explicitly clear.


I'm not interested in this cloud backup myself, because I'm happy with my current backup solutions. However I like the idea of having a way to back up the wallet configuration (user settings, account labels, ...) - without private keys. I even pondered about a standardized format for this a while back; something like a universal 'wallet export / import format'.


Edit: From what I can tell, this cloud backup only refers to the hot wallet, making it completely 'fine'. To the best of my knowledge, Envoy cannot access Passport's seed phrase at all; that's the whole point of a hardware wallet.

[The Sceptical Chymist]

The range is not 1 to 2²⁵⁵, but rather 1 to just under 2²⁵⁶. <snip>

Wow, your complication of their simplification taught me more about crypto than I've probably learned in the last 6 years (and yeah, I'm that ignorant of what's under the hood).  Hope it's not too off-topic to thank you for that with a comment and some merits.

Digital or online/cloud backups as replacement for physical offline copies of seeds isn't and shouldn't become any sort of standard in the future. If it was Ledger that had something like that, everyone would lose their mind. I understand it's optional and you don't have to use it, but it's a dangerous option to have.

I absolutely agree with you, and that pearl of wisdom I'm happy to say I did know.  Ledger announced their recovery thing in an attempt to bring their wallets to the unwashed masses, who probably aren't nearly as paranoid as they should be about crypto.  What I hope is that making devices less secure so as to make them more marketable doesn't become a trend among HW wallet manufacturers--or at least that they make things like cloud backup and recovery via distributed shards and who knows what else optional rather than required.

And that they're transparent about it, too.  I'm lookin' right at you, Ledger.  Tsk tsk.

[o_e_l_e_o]

I'm not completely sure about the details, but both platforms require using 2FA, without an option to skip it.

I've never had either an Apple nor a Google account, but I know both used to be accessible only via an email/password combo. If they both now mandate 2FA, then that is somewhat better. However, I suspect both still have procedures in place which would allow someone who has lost their 2FA device, be that their phone or a hardware key, to recover access to the account via some kind of social recovery or KYC, which is highly insecure. Happy to be proven wrong again.

Let's keep in mind that we're talking about backing up a hot wallet here.

That's what I was hoping for clarification on as I asked above. That this is completely confined to Envoy and there are no plans for anything remotely similar on Passport? I was a little concerned that Magic Backups were brought up in response to a discussion about Passport implementing something different to seed phrases...

[Pmalek]

I've never had either an Apple nor a Google account, but I know both used to be accessible only via an email/password combo.

They still are. I had to create a Google account a few months ago for my job, and an email + password is all you need. 2FA is an optional feature.
I also changed the password for one of my personal Google accounts around the same timeframe, and I wasn't asked to input any 2FA codes as an added security measure. The usual entry of the old and new passwords was all that was needed. 

[Agbe]

The device is nice from mere distance looking at it. But I don't know when it is seeing in a close range. And also the OP would have given the break down of the price to different continent so that those who are interested would click the link and make an order for shipping. I even checked the website but there is no such order link. Things like this one can't have too much input without using the device. Though you can make some lite input but not in-depth.

[o_e_l_e_o]

They still are. I had to create a Google account a few months ago for my job, and an email + password is all you need. 2FA is an optional feature.

So just to confirm - if your password is hacked, leaked, keylogged, haveibeenpwned.com, etc., then all I need to do is take any old phone, log in to your Google account, sync your back ups to this phone, and now I have your seed phrase and can empty your wallets?

[zherbert]

Hi all, just to confirm, Magic Backups is for our Envoy hot wallet only. It has nothing to do with Passport.

We are building out Envoy into a fully featured standalone mobile wallet complete with in-depth account management and privacy features. Magic Backups is a really great way for new Bitcoiners to get set up and running with a mobile wallet in 60 seconds, fully self custodial, with what I would argue are reasonable security tradeoffs.

Passport will never have any kind of backup system where the seed touches the internet, even in an encrypted form.

[o_e_l_e_o]

Passport will never have any kind of backup system where the seed touches the internet, even in an encrypted form.

Thanks for the confirmation Zach. I suppose you would have to be crazy to implement any such system given the fallout from the recent Ledger debacle.

Can you provide clarification on the question I asked above? I don't have a Google or Apple account and have no intention of ever creating one, but is it really as simple as if someone accesses your username/email and password, then they can recover your Envoy wallet and steal your coins?

[n0nce]

The device is nice from mere distance looking at it. But I don't know when it is seeing in a close range. And also the OP would have given the break down of the price to different continent so that those who are interested would click the link and make an order for shipping. I even checked the website but there is no such order link. Things like this one can't have too much input without using the device. Though you can make some lite input but not in-depth.

I have a few somewhat close-up pictures in my reviews:

• Passport Founders Edition
  
• Passport Batch 2
  

They also have video setup instructions here that may help you get a better understanding of the look & feel of the device, as well as the user interface.

You can even try out the device in a simulator, as I explain here:
https://bitcointalk.org/index.php?topic=5421713.msg61304211#msg61304211

Passport will never have any kind of backup system where the seed touches the internet, even in an encrypted form.

Let me archive this, just in case.

I don't have a Google or Apple account and have no intention of ever creating one, but is it really as simple as if someone accesses your username/email and password, then they can recover your Envoy wallet and steal your coins?

I may try to do this 'attack' later this week on some burner devices, but I'd assume that compromising someone's credentials would indeed give you full access to their hot wallet seed.
Part of the reasoning is apparently that many users back up their device to their cloud provider (including app data, of course) anyway (correct me if I'm wrong), but it would be better if they had numbers backing that up.

[foundationdvcs]

Yeah, I had no idea this was a "feature" Envoy offered...

Since most users have iCloud Keychain or Android Auto Backup enabled, the seed is automatically synced to your other iOS or Android devices – fully end-to-end encrypted, without needing to give Envoy permission to access your iCloud or Google account.

I'm sorry, but this is horrible. You reduce the security of your seed phrase, and therefore all your coins, to the security of your Apple or Google account, which in many cases is only a simple password (and often a leaked or reused one at that!) or an insecure 2FA method which can be fairly easily
intercepted such as SMS. I would also wager that the subset of users who feel they cannot use a seed phrase properly and would back up their seed phrase to the cloud overlaps pretty heavily with the subset of users who have substandard account security or general security practices.

Is this in any way usable with a Passport, or is it confined to Envoy only?

This is absolutely only possible for Envoy's mobile wallet seed, and not ever possible for Passport's seed. Those are *very* different threat models, and Magic Backups only make sense for a mobile wallet with a small amount of funds. As this is all open source anyone can verify this, but due to Passport's airgapped nature there isn't even a way to easily do this if you wanted to (and of course we don't want users backing up there Passport cold wallet seed into the cloud).

This approach is a great fit for onboarding new users with small amounts, and we both always allow seed export from the app and will be adding prompts to have people backup their seed phrases separately down the road after onboarding as well for full sovereignty. Magic Backups are 100% optional and 100% open source, no one has to use them, and those who opt-in can only use them with Envoy's mobile wallet portion which should of course only be used for small amounts!

Apologies for the confusion there, I could have been clearer with the language used!

Can you provide clarification on the question I asked above? I don't have a Google or Apple account and have no intention of ever creating one, but is it really as simple as if someone accesses your username/email and password, then they can recover your Envoy wallet and steal your coins?

It is not that simple, as both accounts should be protected by 2FA. In reality an attacker would need to compromise your Apple/Google email and password, as well as SIM swap you (assuming you used SMS for 2FA). If the user does not have 2FA, then yes, their account could be logged into on a new device owned by the attacker, Envoy installed, and then funds swept as the seed is stored end-to-end encrypted and secured with their account.

If a user has hardware key or TOTP 2FA enabled than it would be practically impossible without a sophisticated spear phishing attack.

And remember this is only for a mobile wallet, and can never be for cold storage! So ideally users just have spending money in this wallet. If a user's Apple or Google account was 100% compromised for this (they would have to be able to fully login and setup a new device with their account) they would have larger problems, as they are also likely storing their bank login etc. within the same storage mechanism as we are using.

The issue with adding any other secret on top of their Apple/Google account is that you're back to square one with needing to have the user record a secret and verify it before they can start using a Bitcoin wallet. Magic Backups provide a sane and open-source alternative to that flow that does not give up custody and does not give up privacy, but it does of course change the attack vectors over a standard seed phrase backup.

That is why we will always have the option for a user to generate or import a seed phrase and leverage a manual backup, but we wanted more of an in-between solution that maximized security as much as possible while greatly simplifying the onboarding flow for new users.

Digital or online/cloud backups as replacement for physical offline copies of seeds isn't and shouldn't become any sort of standard in the future. If it was Ledger that had something like that, everyone would lose their mind. I understand it's optional and you don't have to use it, but it's a dangerous option to have.

Agreed that this is certainly something that would be a bad idea for cold storage seed phrases, and differs heavily from Ledger in that it's only for hot/mobile wallet and all code is 100% open source and verifiable. There is no need to take our word for it, unlike Ledger, and we would love any code review and comments from those who have the time and expertise!

We feel that Magic Backups can greatly aid onboarding new users to Bitcoin in a way that is drastically easier, without giving up custody and with an easy path to a more standard seed backup once they're comfortable with that. Once a user backs up their seed, we also have the functionality directly in Envoy to delete their seed from their Apple/Google account and delete their app data (we never store their seed, even encrypted) from Foundation's servers, if they so choose.

[Agbe]

The device is nice from mere distance looking at it. But I don't know when it is seeing in a close range. And also the OP would have given the break down of the price to different continent so that those who are interested would click the link and make an order for shipping. I even checked the website but there is no such order link. Things like this one can't have too much input without using the device. Though you can make some lite input but not in-depth.

I have a few somewhat close-up pictures in my reviews:

• Passport Founders Edition
  
• Passport Batch 2
  

They also have video setup instructions here that may help you get a better understanding of the look & feel of the device, as well as the user interface.

You can even try out the device in a simulator, as I explain here:
https://bitcointalk.org/index.php?topic=5421713.msg61304211#msg61304211

Thank you for reminding me again, I totally forgot that you created such thread last year. As it is said the device is good and also as I said, I can't judge the device from a distance of just looking at the image and it description. In most time when we order things online, what we received from the company is different from what we order. I have discussed with them on rhe telegram channel to send me the order link so I do it from there.

[Pmalek]

So just to confirm - if your password is hacked, leaked, keylogged, haveibeenpwned.com, etc., then all I need to do is take any old phone, log in to your Google account, sync your back ups to this phone, and now I have your seed phrase and can empty your wallets?

It's hard to say really, and I am not sure. Google products have SMS 2FA verification and even email confirmation. If they notice different IP ranges, you might have to verify yourself over SMS/email. Google probably keeps identifiable data on the devices that have logged in in the past and request more verification when a new one is detected. Additionally, Envoy's backups seem to be encrypted, so you would get an encrypted file at worst. 

[dkbit98]

I'm not interested in this cloud backup myself, because I'm happy with my current backup solutions. However I like the idea of having a way to back up the wallet configuration (user settings, account labels, ...) - without private keys. I even pondered about a standardized format for this a while back; something like a universal 'wallet export / import format'.

That would be a good idea to have, losing labels is almost like losing all your history and content behind all your transactions.
I think some other hardware wallets have a way of exporting and saving this, but I would like to have something like smartphones have, export all settings and data in encrypted offline way.

From what I can tell, this cloud backup only refers to the hot wallet, making it completely 'fine'. To the best of my knowledge, Envoy cannot access Passport's seed phrase at all; that's the whole point of a hardware wallet.

Export to cloud is bad in my opinion for both hot and cold wallets, but I hope this is at least optional ''feature''.
If I remember correctly this ''secure'' iCloud was recently hacked and I don't trust any cloud solutions very, much, that is just other people hard drives.

Hi all, just to confirm, Magic Backups is for our Envoy hot wallet only. It has nothing to do with Passport.

But Envoy is connected with Passport so this can be confusing for some people.
I would add clear notification that holding anything in cloud is never going to be secure as keeping backup offline.
Is Magic Backups feature optional or not?

We feel that Magic Backups can greatly aid onboarding new users to Bitcoin in a way that is drastically easier, without giving up custody and with an easy path to a more standard seed backup once they're comfortable with that. Once a user backs up their seed, we also have the functionality directly in Envoy to delete their seed from their Apple/Google account and delete their app data (we never store their seed, even encrypted) from Foundation's servers, if they so choose.

Easier is not better option most of the time.
Hunter Biden had all his dirty photos saved in his ''secure'' iCloud account, and look how that ended up.  

[o_e_l_e_o]

Those are *very* different threat models, and Magic Backups only make sense for a mobile wallet with a small amount of funds.

I appreciate that completely, but we both know people store large amounts of money on mobile wallets when they shouldn't.

It is not that simple, as both accounts should be protected by 2FA.

Again, should be, but we both know lots of people don't use 2FA, use weak passwords, reuse passwords, have had passwords leaked in various databases such as haveibeenpwned, and so forth. In an ideal world an encrypted back up stored in the cloud secured by a long and random password and hardware 2FA key is very secure, but very few people actually use this set up, and the people who do use a secure set up like this will likely be using seed phrases and not cloud back up in the first place. As I mentioned above, I suspect the subset of users who would back up their seed phrase to the cloud overlaps pretty heavily with the subset of users who have substandard account security or general security practices.

Once a user backs up their seed, we also have the functionality directly in Envoy to delete their seed from their Apple/Google account and delete their app data (we never store their seed, even encrypted) from Foundation's servers, if they so choose.

Maybe it will be deleted from your account, but I doubt very much Google actually ever delete anything. Data makes them money. Google have been fined in multiple jurisdictions for collecting data they weren't meant to or not deleting data they were meant to. Not to mention it could have been leaked, hacked, stolen, shared, or whatever from the many servers around the world it is likely duplicated on. Once your back up has been exposed to the cloud, you should assume it is there permanently. The only safe course of action here is to move all your coins to new wallet.

I appreciate this is optional, and I appreciate it is only for the hot mobile wallet, but I am of the opinion that cloud storage is never secure.

[Pmalek]

Is Magic Backups feature optional or not?

foundationdvcs said that they are optional and only related to the hot wallets created on Envoy. You can't backup your Passport seed in this way.

Magic Backups are 100% optional...

On request, the data can be deleted. Whether or not you want to trust Google and Apple that they have permanently deleted your files off of every single server they own is another question.

[RickDeckard]

However, as for the new device, it seems that it will be even better than the previous two, so the question arises, is it worth waiting for it to become available or buying the current version? Is there somewhere an official counter of how many units have been sold so far, or how many are still available in total?

While I can't say too much about the new device, it will be in a bit of a different vein than the current one. If you love the current approach of Passport, the current gen will be a good fit for a long time! Our plan is to sell them alongside each other most likely as they will serve different use-cases and compliment each other well.

Yesterday, out of nowhere, I had an idea/guess regarding this new device you're working on - Would it make sense to be something to co-exist with products such as Ronin Dojo Tanto[1], myNode[2] and others alike? From my perspective it would make sense considering your mission[3]:

Foundation builds Bitcoin-centric tools that empower you to reclaim your digital sovereignty.

You are already providing a great tool regarding taking control of our money (and data) by means of being total open source, so the only part that is left is making sure that we are safe from prying eyes whenever we interact with that same data (and money). This would be where such devices would enter - taking the same approach that you did with Foundation Passport - such device, fully open sourced as well as their components, would allow to close the circle and cut ties with any kind of intermediate running a node or even blockchain explorers. Total digital sovereignty in it's pinnacle.

I might have gone rogue on this idea but I couldn't stop to share with the community .
[1]https://ronindojo.io/en/tanto
[2]https://mynodebtc.com/order_now

[n0nce]

~

I like your line of thought! Fully agree that running your own node is basically a necessity.
I've shown myself how to do it (hardware and software), even on the cheap, but do also like the idea of 'node in a box' solutions.
The main benefits I see are:

• Easier setup for new users (some options have great-looking GUIs for installing everything)
• Smaller form factor
• Lower power usage

Because of points 2 and 3, I've even considered building something small and efficient myself, e.g. based on the Argon One M.2 case for the Raspberry Pi 4B.

[foundationdvcs]

I'm not interested in this cloud backup myself, because I'm happy with my current backup solutions. However I like the idea of having a way to back up the wallet configuration (user settings, account labels, ...) - without private keys. I even pondered about a standardized format for this a while back; something like a universal 'wallet export / import format'.

That would be a good idea to have, losing labels is almost like losing all your history and content behind all your transactions.
I think some other hardware wallets have a way of exporting and saving this, but I would like to have something like smartphones have, export all settings and data in encrypted offline way.

This is actually available if you use your own seed with Envoy's mobile wallet, as you are then prompted to save the Envoy backup file somewhere, which includes wallet settings, labels, etc. without any private key. You can also do this at any time manually if you use Magic Backups under the Backups settings so you can always restore, even if Foundation's servers ceased to exist for some reason.

Hi all, just to confirm, Magic Backups is for our Envoy hot wallet only. It has nothing to do with Passport.

But Envoy is connected with Passport so this can be confusing for some people.
I would add clear notification that holding anything in cloud is never going to be secure as keeping backup offline.
Is Magic Backups feature optional or not?

100% optional for mobile wallets, and intentionally impossible to use with Passport itself. Users are prompted on setup if they want to use Magic Backups or manual seed phrase, and both are always an option. We will *never* lock our users into features like this, and will always support the more advanced, more fully self-sovereign approaches. That is a key part of our company DNA and will not change!

I appreciate this is optional, and I appreciate it is only for the hot mobile wallet, but I am of the opinion that cloud storage is never secure.

Appreciate your input, sounds like you are definitely someone who will not be using Magic Backups and that is totally fine! We want to support people opting into Bitcoin from all walks of life, and not everyone is comfortable with manual seed phrases from day one. Envoy will prompt users to backup their seed manually as well, and will remind people to stop using a mobile wallet for all of their funds if they have over $1,000 stored there starting with the next update.

We will continue to push users to the fully self-sovereign path and simplify that where we can, and will always support users like yourself (and even parts of our team!) who would not feel comfortable putting any private key material online, even if encrypted.

[RickDeckard]

Foundation has just released[1] quite a considerable upgrade regarding their firmware version (Envoy) (they went directly to v1.3.0 (they were on v1.1.0) and I think that is more than reasonable. There are a ton of quality improvements and bug fixes, but I'll just point out two that stood out to me: Azte.co[2][3] integration and the possibility for anyone that has the Founder edition to update within Envoy (no one is left behind!). Tremendous job @foundationdvcs, keep it up!  

EDIT: Per satscraper reply bellow, I've updated the thread with additional information - This update is applied to the Envoy app and not the firmware running on their devices. Thank you satscraper!
[1]https://foundationdevices.com/2023/07/envoy-version-1-3-0-is-now-live/
[2]https://azte.co/
[3]https://bitcoiner.guide/azteco/