Topic: Foundation Passport Official Thread - page 8. (Read 4649 times)

Yesterday, out of nowhere, I had an idea/guess regarding this new device you're working on - Would it make sense to be something to co-exist with products such as Ronin Dojo Tanto[1], myNode[2] and others alike? From my perspective it would make sense considering your mission[3]:
You are already providing a great tool regarding taking control of our money (and data) by means of being total open source, so the only part that is left is making sure that we are safe from prying eyes whenever we interact with that same data (and money). This would be where such devices would enter - taking the same approach that you did with Foundation Passport - such device, fully open sourced as well as their components, would allow to close the circle and cut ties with any kind of intermediate running a node or even blockchain explorers. Total digital sovereignty in it's pinnacle.

I might have gone rogue on this idea but I couldn't stop to share with the community .

---

[1]https://ronindojo.io/en/tanto
[2]https://mynodebtc.com/order_now

foundationdvcs said that they are optional and only related to the hot wallets created on Envoy. You can't backup your Passport seed in this way.
On request, the data can be deleted. Whether or not you want to trust Google and Apple that they have permanently deleted your files off of every single server they own is another question.

I appreciate that completely, but we both know people store large amounts of money on mobile wallets when they shouldn't.

Again, should be, but we both know lots of people don't use 2FA, use weak passwords, reuse passwords, have had passwords leaked in various databases such as haveibeenpwned, and so forth. In an ideal world an encrypted back up stored in the cloud secured by a long and random password and hardware 2FA key is very secure, but very few people actually use this set up, and the people who do use a secure set up like this will likely be using seed phrases and not cloud back up in the first place. As I mentioned above, I suspect the subset of users who would back up their seed phrase to the cloud overlaps pretty heavily with the subset of users who have substandard account security or general security practices.

Maybe it will be deleted from your account, but I doubt very much Google actually ever delete anything. Data makes them money. Google have been fined in multiple jurisdictions for collecting data they weren't meant to or not deleting data they were meant to. Not to mention it could have been leaked, hacked, stolen, shared, or whatever from the many servers around the world it is likely duplicated on. Once your back up has been exposed to the cloud, you should assume it is there permanently. The only safe course of action here is to move all your coins to new wallet.

I appreciate this is optional, and I appreciate it is only for the hot mobile wallet, but I am of the opinion that cloud storage is never secure.

That would be a good idea to have, losing labels is almost like losing all your history and content behind all your transactions.
I think some other hardware wallets have a way of exporting and saving this, but I would like to have something like smartphones have, export all settings and data in encrypted offline way.

Export to cloud is bad in my opinion for both hot and cold wallets, but I hope this is at least optional ''feature''.
If I remember correctly this ''secure'' iCloud was recently hacked and I don't trust any cloud solutions very, much, that is just other people hard drives.

But Envoy is connected with Passport so this can be confusing for some people.
I would add clear notification that holding anything in cloud is never going to be secure as keeping backup offline.
Is Magic Backups feature optional or not?

Easier is not better option most of the time.
Hunter Biden had all his dirty photos saved in his ''secure'' iCloud account, and look how that ended up.  

It's hard to say really, and I am not sure. Google products have SMS 2FA verification and even email confirmation. If they notice different IP ranges, you might have to verify yourself over SMS/email. Google probably keeps identifiable data on the devices that have logged in in the past and request more verification when a new one is detected. Additionally, Envoy's backups seem to be encrypted, so you would get an encrypted file at worst. 

Thank you for reminding me again, I totally forgot that you created such thread last year. As it is said the device is good and also as I said, I can't judge the device from a distance of just looking at the image and it description. In most time when we order things online, what we received from the company is different from what we order. I have discussed with them on rhe telegram channel to send me the order link so I do it from there.

This is absolutely only possible for Envoy's mobile wallet seed, and not ever possible for Passport's seed. Those are *very* different threat models, and Magic Backups only make sense for a mobile wallet with a small amount of funds. As this is all open source anyone can verify this, but due to Passport's airgapped nature there isn't even a way to easily do this if you wanted to (and of course we don't want users backing up there Passport cold wallet seed into the cloud).

This approach is a great fit for onboarding new users with small amounts, and we both always allow seed export from the app and will be adding prompts to have people backup their seed phrases separately down the road after onboarding as well for full sovereignty. Magic Backups are 100% optional and 100% open source, no one has to use them, and those who opt-in can only use them with Envoy's mobile wallet portion which should of course only be used for small amounts!

Apologies for the confusion there, I could have been clearer with the language used!


It is not that simple, as both accounts should be protected by 2FA. In reality an attacker would need to compromise your Apple/Google email and password, as well as SIM swap you (assuming you used SMS for 2FA). If the user does not have 2FA, then yes, their account could be logged into on a new device owned by the attacker, Envoy installed, and then funds swept as the seed is stored end-to-end encrypted and secured with their account.

If a user has hardware key or TOTP 2FA enabled than it would be practically impossible without a sophisticated spear phishing attack.

And remember this is only for a mobile wallet, and can never be for cold storage! So ideally users just have spending money in this wallet. If a user's Apple or Google account was 100% compromised for this (they would have to be able to fully login and setup a new device with their account) they would have larger problems, as they are also likely storing their bank login etc. within the same storage mechanism as we are using.

The issue with adding any other secret on top of their Apple/Google account is that you're back to square one with needing to have the user record a secret and verify it before they can start using a Bitcoin wallet. Magic Backups provide a sane and open-source alternative to that flow that does not give up custody and does not give up privacy, but it does of course change the attack vectors over a standard seed phrase backup.

That is why we will always have the option for a user to generate or import a seed phrase and leverage a manual backup, but we wanted more of an in-between solution that maximized security as much as possible while greatly simplifying the onboarding flow for new users.


Agreed that this is certainly something that would be a bad idea for cold storage seed phrases, and differs heavily from Ledger in that it's only for hot/mobile wallet and all code is 100% open source and verifiable. There is no need to take our word for it, unlike Ledger, and we would love any code review and comments from those who have the time and expertise!

We feel that Magic Backups can greatly aid onboarding new users to Bitcoin in a way that is drastically easier, without giving up custody and with an easy path to a more standard seed backup once they're comfortable with that. Once a user backs up their seed, we also have the functionality directly in Envoy to delete their seed from their Apple/Google account and delete their app data (we never store their seed, even encrypted) from Foundation's servers, if they so choose.

I have a few somewhat close-up pictures in my reviews:

• Passport Founders Edition
  
• Passport Batch 2
  

They also have video setup instructions here that may help you get a better understanding of the look & feel of the device, as well as the user interface.

You can even try out the device in a simulator, as I explain here:
https://bitcointalksearch.org/topic/m.61304211

Let me archive this, just in case.

I may try to do this 'attack' later this week on some burner devices, but I'd assume that compromising someone's credentials would indeed give you full access to their hot wallet seed.
Part of the reasoning is apparently that many users back up their device to their cloud provider (including app data, of course) anyway (correct me if I'm wrong), but it would be better if they had numbers backing that up.

Thanks for the confirmation Zach. I suppose you would have to be crazy to implement any such system given the fallout from the recent Ledger debacle.

Can you provide clarification on the question I asked above? I don't have a Google or Apple account and have no intention of ever creating one, but is it really as simple as if someone accesses your username/email and password, then they can recover your Envoy wallet and steal your coins?

Hi all, just to confirm, Magic Backups is for our Envoy hot wallet only. It has nothing to do with Passport.

We are building out Envoy into a fully featured standalone mobile wallet complete with in-depth account management and privacy features. Magic Backups is a really great way for new Bitcoiners to get set up and running with a mobile wallet in 60 seconds, fully self custodial, with what I would argue are reasonable security tradeoffs.

Passport will never have any kind of backup system where the seed touches the internet, even in an encrypted form.

So just to confirm - if your password is hacked, leaked, keylogged, haveibeenpwned.com, etc., then all I need to do is take any old phone, log in to your Google account, sync your back ups to this phone, and now I have your seed phrase and can empty your wallets?

The device is nice from mere distance looking at it. But I don't know when it is seeing in a close range. And also the OP would have given the break down of the price to different continent so that those who are interested would click the link and make an order for shipping. I even checked the website but there is no such order link. Things like this one can't have too much input without using the device. Though you can make some lite input but not in-depth.

They still are. I had to create a Google account a few months ago for my job, and an email + password is all you need. 2FA is an optional feature.
I also changed the password for one of my personal Google accounts around the same timeframe, and I wasn't asked to input any 2FA codes as an added security measure. The usual entry of the old and new passwords was all that was needed. 

I've never had either an Apple nor a Google account, but I know both used to be accessible only via an email/password combo. If they both now mandate 2FA, then that is somewhat better. However, I suspect both still have procedures in place which would allow someone who has lost their 2FA device, be that their phone or a hardware key, to recover access to the account via some kind of social recovery or KYC, which is highly insecure. Happy to be proven wrong again.

That's what I was hoping for clarification on as I asked above. That this is completely confined to Envoy and there are no plans for anything remotely similar on Passport? I was a little concerned that Magic Backups were brought up in response to a discussion about Passport implementing something different to seed phrases...

Wow, your complication of their simplification taught me more about crypto than I've probably learned in the last 6 years (and yeah, I'm that ignorant of what's under the hood).  Hope it's not too off-topic to thank you for that with a comment and some merits.

I absolutely agree with you, and that pearl of wisdom I'm happy to say I did know.  Ledger announced their recovery thing in an attempt to bring their wallets to the unwashed masses, who probably aren't nearly as paranoid as they should be about crypto.  What I hope is that making devices less secure so as to make them more marketable doesn't become a trend among HW wallet manufacturers--or at least that they make things like cloud backup and recovery via distributed shards and who knows what else optional rather than required.

And that they're transparent about it, too.  I'm lookin' right at you, Ledger.  Tsk tsk.

Your statement is unfortunately somewhat inaccurate. I'm not completely sure about the details, but both platforms require using 2FA, without an option to skip it.

From what I can tell, Apple requires 'hardware 2FA' which as a side effect notifies the user on all their devices when someone tries to log in on a new device:
https://support.apple.com/en-us/HT204915

Google apparently does allow you to use highly insecure SMS 2FA, but at least they advise against it, for what it's worth...

I've also read about the way iCloud encryption keys are generated and to the best of my knowledge, there is no known bypass / successful attack to date, besides (obviously) first- and second-factor compromise. I do think Google Cloud contents have been leaked in the past, although if they use good encryption, that shouldn't be a problem.
Let's keep in mind that we're talking about backing up a hot wallet here. So compromising the second factor for your cloud (your phone) is equivalent to compromising your hot wallet. No added risk through the backup, and added safety against data loss (e.g. through device destruction).

Bottom line is: if you have strong encryption of your files, you can post the backups anywhere you want, even on a public forum. But the question remains: how to back up these encryption keys. In case you have a secure enclave on your hardware that you trust to generate and store such keys, you do 'reduce' (in the logical sense; not quantifying) the security of your seed phrase to the security of this hardware.

I think it's fine to have such a solution, if users are aware of this fact and this circumstance is made explicitly clear.

---

I'm not interested in this cloud backup myself, because I'm happy with my current backup solutions. However I like the idea of having a way to back up the wallet configuration (user settings, account labels, ...) - without private keys. I even pondered about a standardized format for this a while back; something like a universal 'wallet export / import format'.

---

Edit: From what I can tell, this cloud backup only refers to the hot wallet, making it completely 'fine'. To the best of my knowledge, Envoy cannot access Passport's seed phrase at all; that's the whole point of a hardware wallet.

Digital or online/cloud backups as replacement for physical offline copies of seeds isn't and shouldn't become any sort of standard in the future. If it was Ledger that had something like that, everyone would lose their mind. I understand it's optional and you don't have to use it, but it's a dangerous option to have.

Yeah, I had no idea this was a "feature" Envoy offered...


I'm sorry, but this is horrible. You reduce the security of your seed phrase, and therefore all your coins, to the security of your Apple or Google account, which in many cases is only a simple password (and often a leaked or reused one at that!) or an insecure 2FA method which can be fairly easily
intercepted such as SMS. I would also wager that the subset of users who feel they cannot use a seed phrase properly and would back up their seed phrase to the cloud overlaps pretty heavily with the subset of users who have substandard account security or general security practices.

Is this in any way usable with a Passport, or is it confined to Envoy only?

I'm not sure about the new recovery system, but until now, the microSD backups were just encrypted files that you could open on any computer and unzip, giving you a regular old seed phrase to import anywhere you like.

I am not familiar with Envoy or Magic Backups, but I just looked at your YouTube video where you explain the backup process. It involves storing sensitive information in digital form and on Passport servers. Encrypted and hashed but this is still a potential security threat. And it's a less secure way of storing private data than offline physical backups on paper, metal, etc.