spacestr

semisol
Member since: 2022-05-04
semisol 10h

🤔

semisol 20h

Hardened derivation cannot be done with xpub

semisol 21h

Yeah

semisol 21h

Your scheme is basically impossible or broken in its current state due to this.

semisol 1d

is there any reason that Foundation picked the SAMA5D2 for the Passport Prime processor?

semisol 1m

Same thing could be said about PIN codes. You could construct one the same way, but now you can change grids/patterns as well.

semisol 3d

An SS does not work well when you want to carry around a small stash securely :) but it works great for multisig. Maybe you could use a smartcard I am making with SS to get the best of all worlds for a distributed multisig (especially key shards held in less secure locations).

semisol 3m

I think the conclusion is that all of these schemes are unreasonably complex to reason about (and provide an illusion of higher security) and multisig just works.

semisol 3d

I think BT is not inherently bad (again, OS bloat is the bigger concern, but BT has some encryption issues which could be solved by a custom encryption layer), but it is unnecessary, so why have it? And now you need a battery, and… exploding money storage devices sound fun. An SD card is also more auditable.

semisol 7m

Not really. Think of this:

1. Someone is following you (maybe via a surveillance network like Flock, etc.)
2. When you go out to do a spend, they see where you store your passphrase, and your HWW.
3. They hold you at gunpoint and ask for your HWW and your PIN. You think this is safe, but this is enough as they can now export your seed.
4. They already know where your passphrase is and can break your wallet.

If you kept your seed and passphrase on the HWW in an unexportable way, and had a 2-part PIN, this would happen:

1. They see where you store your HWW.
2. They have a much harder time tracking where you store your PIN, as you could change this every few uses.
3. They would have to get the PIN out of you, the HWW, and the location of the other part of the PIN.

semisol 3d

QR is expensive to implement on a device (needs a better MCU and camera hardware and tuning. Possible, but the amount of overlap between “secure against attacks” and “high performance” and “cost effective” is tight), so would not be great on an entry level model. As a tradeoff, SD cards could work. Technically, an airgap is not going to stop anything if the device is malicious, as some methods like screen brightness could still modulate data. And people have turned a GPIO pin on a $1 chip into a LoRa transmitter. I had this discussion a few times, but most of the USB concerns originate from bloat on the host OS, which supports a million different things, compared to a small device which you basically have 0 chance of finding a bug in.

semisol 15m

Displays release EM that depends on the displayed content, and could be used to steal your seed. It is much more likely than button presses 😬

semisol 3d

Require a verification of the backup

semisol 15m

Security is not always additive. Each step has a cost (in terms of usability, in terms of you permanently locking yourself out, and a lot more) and they can interact with each other as well. Adding one step may allow you to break another step much easier.

semisol 3d

What features do you use the most? And want? Custom apps? 😄

semisol 17m

A decoy PIN would fix this. A 2-of-2 would as well to some extent. It does not matter what they believe, because if they want to kill you, they probably will.

semisol 19m

> You can also send to another malleated seed so the Passphrase can be changed too

Yes, but that is much more costly and risky (visit all backup/storage locations, rekey, retest) than a PIN change which can be done instantly.

> PINs are nearly identical in threat model.

PIN counters versus the literal nonadecillion combinations of passphrases. A passphrase can be brute forced until the end of time. The overlap between what you can remember and what is secure is small. If you have to write down your passphrase somewhere to be able to use it, it may be best to instead use a 2nd seed and do a 2-of-2.

> Because regardless the security there is additive. Why not split up your PIN AND have a separate passphrase?

Instead of that we could have a longer PIN and split the PIN into 3 parts! This assumes security has no "cost" and is *always additive*. It is not. Adding more moving components can make it weaker as you get the weakest path as your security level. With a HWW (seed+passphrase inside) + PIN, and then separate seed+passphrase, each method has distinct locations. But with HWW (seed) + PIN + passphrase, and seed+passphrase, you now have the HWW path (which is the most common) making it more likely your passphrase gets found. Because every time you have to use it, you have to go there, someone might be following you. They get a headstart on stealing your physical backup just by monitoring you, and all they need is the seed now.

semisol 27m

Your approach would be

So, there are 2 routes:

- They find your seed (location A), and the passphrase (location B)
- They find your HWW (location C), the passphrase (location D) and your PIN (your head)

But you could easily split your PIN and get this:

- They find your seed (location A), and the passphrase (location B)
- They find your HWW (location C), the 1st part of the PIN (location D) and the 2nd part of the PIN (your head)

Except now you can change your PIN for the 2nd path in case you think it may have gotten lost and have a significantly more secure system. And for the most common route, you don't reveal location B, as you rarely go to it.

semisol 30m

> Literally the PIN used to open the HWW and the passphrase have the same usage frequency so why is the PIN secure but the Passphrase not?

Because the PIN has a try counter, and can be changed.

> Okay, the point is if the PIN is found (written elsewhere) then the Passphrase is a final bulwark against signing your money away

Then why not split your PIN into 2 parts? One that you remember, and the other you keep where you would put your passphrase.

semisol 30m

That you can never prevent, as you have to enter it at least once into the device. That would ideally be solved with FROST + keys never leaving the device, so you could easily swap new members if you wanted without having physical backups ever.

About Me

👨‍💻 software developer 🔒 secure element firmware dev 📨 nostr.land relay all opinions are my own.
