[size=16]Setup Walkthrough[/size]
Unboxing
The Foundation Passport comes in sort of two layers of 'tamper-evident seals' / stickers. This is how it should arrive (inside a larger box) at your doorstep.

They have a very well made, and still relatively short, setup guide, which should make it really foolproof to set up the device itself (later); it also goes through the unboxing and explains what to verify (integrity of the stickers and such) when receiving the package. It is very well suited as a first wallet, even for newbies.
The setup guide can be found here and contains text as well as videos.
What's interesting is that they say:
We don’t save these codes except for the first few characters, which identify each batch of Passports. Founder's Edition batches begin with the following:
B722, B723, B732, B799
There is no way to verify the validity of such claims [of not saving codes] (no strong opinion for / against either way), and what I find funny is that they refer to these 4 batches of FE devices, but call the new wallet coming out in March 2022 'Batch 2'. I'll mention this later when I talk about Passport version 2.
Inside this box, there is the actual device's box which has a second tamper-evident seal, that I talked about before.

Both seals seem quite generic and like they could be bought from a random place & replaced in transit, however the inner box might be hard to source with logo and everything. Because of course, you can't break the seal and reuse the box, that would be visible. The outer box could easily be replaced for sure, though. But Foundation has additional technical mechanisms in place that I'll talk about later (boot counter, no 'resettability', supply chain validation).
Contents
The inner box is pretty well made and compact and can be used to keep the wallet safe in a closet or similar after being set up. It also has some space for spare batteries and micro SD cards (for PSBT!! don't store backups together with the device!).
You get a physical copy of the Bitcoin whitepaper, which in its styling somewhat resembles a bible or other 'holy book', two stickers with the now old Foundation logo (future collectible?) and a pretty postcard (not pictured here), as well as the standard thank you card with a QR code to the above linked setup guide.
Setup QR code
QR code with link to setup webpage:
https://docs.foundationdevices.com/en/setup-guide
Terms of use
I found it a bit amusing to read the terms of service only then, after buying this thing, waiting, opening two seals and starting a non-reversible setup process (hence no way of returning it or anything like that), but it was the next step in the setup process, so I read it through.
Maybe read TOU before buying a wallet (in general) since they can't be returned in case you don't like em!
What I liked is that they're not very long and pretty straightforward. You also have to accept them on the actual device itself to continue, which I found interesting.
Of course, I disagree with this but I think they have to put it for legal reasons

(f) Bitcoin do not constitute a currency, asset, security, negotiable instrument, or other form of property and do not have any intrinsic or inherent value;
Supply chain validation
During setup, you go through a so-called 'supply-chain validation' process. This is supposed to ensure that it hasn't 'been tampered with or swapped out with a malicious device before it got to you' [https://docs.foundationdevices.com/en/setup-guide#step-3-supply-chain-validation]. They do that by programming a key into the secure element.
Now, to be honest, I've got an issue with this. They introduce a single point of failure. They talk about how they have a dedicated, air-gapped laptop that is used to program all Passports with that key, it is done locally in the U.S. and the laptop is tightly monitored and everything like that. I'm also not entirely sure how other wallets make sure the device is untampered (maybe rely solely on seals?) and also not sure how it could be improved, but it seems odd to me with this 'magic laptop' and everything.
PIN Setup
The next step of the guide instructs you to set a permanent device PIN. I'm interested in your opinions here; I don't think I have come across a basically non-resettable wallet like this so far.
There is no way to recover your PIN. We recommend that you write it down during this step and store it in a safe, secure location. If you choose to commit it to memory, make sure it is a combination of 6-12 digits that you will not forget.
It seems you can reset the seed but not the device PIN.
Erase Passport's seed so that you can create or restore a new seed.
For security reasons, this does not reset Passport to a factory-fresh state.
For example, when resetting the BitBox02, it also resets the device password. Maybe you're screaming at your screen right now that the BitBox is super insecure; in that case, enlighten me as to which scenario having a non-resettable device PIN would be more secure in!
Firmware updates
I'm just continuing through the setup guide here, because in this step there are again a few things worth mentioning. Unlike any other device I had so far, they don't instruct how to or even recommend checking the sha256 checksum of the provided .bin file; instead you shall just write it to a microSD card and insert it. Before the Passport upgrades its firmware, it shows you the checksum on the screen.
I personally find this easier, especially for Windows users without shell access with a preinstalled shasum command. Also, it kind of forces you to do it since it comes 'right in your face' while trying to upgrade.
However, there is no PGP key to import / verify against. I'm not sure this is needed though, since the firmware update file itself is signed and only runs if it has 2 out of 4 Foundation developer signatures. So in a way, it does check PGP, but just all on-device, as opposed to doing that on the host before transferring the file.
One could also argue this method is secure, because otherwise a virus on the host machine could replace the firmware last-minute after it was verified for PGP and SHA256, right before the microSD card is ejected. Maybe you could also write a virus that hooks into Windows' 'eject' function for example, to only then replace the .bin, which would make all the previous integrity checks void. Hence I really like the approach of checking this stuff on-device!
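The gap described above, where the file verified on the host is not necessarily the file that ends up on the card, shown as an added example (not part of the original post and not Foundation's code). The file names and firmware bytes are constructed, and the `published` value stands in for the checksum from the vendor's release page.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so a large firmware image is never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_published(path, published_hex):
    """True if the file at `path` hashes to the published checksum."""
    return sha256_file(path) == published_hex.strip().lower()


def demo():
    """Constructed scenario: the download verifies, then the card copy changes."""
    with tempfile.TemporaryDirectory() as tmp:
        download = os.path.join(tmp, "download.bin")  # hypothetical file name
        card_copy = os.path.join(tmp, "card.bin")     # stands in for the microSD card
        firmware = b"constructed firmware image " * 1024
        with open(download, "wb") as fh:
            fh.write(firmware)
        # Assumption: in practice this value comes from the vendor, not the file.
        published = hashlib.sha256(firmware).hexdigest()

        # Time of check: the host verifies its own downloaded copy.
        host_check = matches_published(download, published)

        # Between that check and ejecting the card, the copy on the card is altered.
        with open(card_copy, "wb") as fh:
            fh.write(firmware[:-1] + b"X")

        # Time of use: the bytes the device will actually read no longer match.
        card_check = matches_published(card_copy, published)
        return host_check, card_check


if __name__ == "__main__":
    print(demo())
```

A host-side check is only meaningful for the bytes it actually read; the checksum shown on the device's own screen covers the file the device is about to install.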
Seed setup
The last setup step is the setup of the seed. A seed could be imported (e.g. from a broken / old hw wallet you want to replace) or generated new. It uses an open source true random number generator, which I find pretty cool.
Passport uses an open source true random number generator (TRNG), called an avalanche noise source, in combination with other sources of randomness to generate a 24-word seed.
One thing I know a lot of people might not like is that you can read out the seed after initial setup by navigating through the advanced menu. What do you guys think about it? I find it practical to e.g. verify a day later that you copied it correctly, or when creating a second backup in the future, it's better / safer to copy directly from the 'origin' than 'copying a copy', right? But I see how it's a tradeoff where maybe someone could be forced to show the seed or something like that; on the other hand, we still have passphrases, so I don't know.
Contrary to other wallets, which sometimes save the seed in plaintext to the SD card, the Passport saves a backup file on the SD card which is encrypted with an additional password. I think many users will end up with too much stuff: a microSD card, a password, and maybe additionally a pure seed word backup. In my opinion, the latter is enough; however the more complex microSD card backup will have the advantage of being importable into a new Passport and retaining settings, multisig configuration etc.
Many users are also worried about the longevity of microSD cards compared to laminated paper or metal seed backups. I agree that these are safer than an SD card as they're more resistant to water, dust, radiation, heat and cold, as well as even fire (if using metal).
Foundation does use an SD card from SanDisk's 'industrial' lineup. It seems these are much more temperature resistant than other models, so you could bury them outside and stuff like this without worries.
They can work in temperatures ranging from -40°F to 185°F for extended periods of time.
So for my metric friends, this is from -40°C to 85°C. Operating temperatures; so it can be used outside in most places of the world at most times of the year, which is great!