Bitcoin Magazine

Passport Prime: A New Security Device For a New Generation

Passport Prime, Foundation Devices’ latest retail hardware wallet, is about to hit the market in Q3 of 2025. The device features a full-color touch screen the size of a credit card with a modern industrial aesthetic. It aims to be a developer platform for Bitcoin and crypto software with high security demands.

Besides serving the basic wallet needs of Bitcoin users, the device is designed as an open source platform for app developers to bring a new experience of crypto-native cybersecurity to the public. The Passport Prime is expected to ship with a powerful Bitcoin wallet app, as well as virtual YubiKeys, a 2FA app, a seed vault for imported or low-value crypto wallets, 50 GB of storage, NFC, and encrypted Bluetooth support, among other features.

Frustrated with the public’s lackluster adoption of hardware wallets as the crypto industry enters the mainstream adoption phase, Foundation has been working since 2020 to bring security hardware devices to feature parity with mainstream consumer technology. However, the path is not simple.

The Adoption Problem of Hardware Wallets

Hardware wallets have been a critical security product for Bitcoin users since 2014, when SatoshiLabs shipped the Trezor. Before that, users had few options, and many of the funds lost in that era were due to user ignorance of how to manage and properly secure Bitcoin private keys. Armory, funded by Trace Mayer in the early days, was one of the first cold-storage solutions, but it was highly technical and was best used with hardware the user had to modify themselves, like removing the antennas from a laptop. This kind of technology became a security foundation for exchanges, which, through many hacks and hard lessons, slowly got better at securing user funds from organized crime and hackers while playing jurisdictional arbitrage to avoid hostile governments.

As the first hardware wallets entered the retail market, they saw significant adoption. But as Bitcoin grew, self-custody tooling failed to keep up with the ease of use offered by custodians, and failed to deliver security and feature parity in an interface users are already familiar with.

In a keynote presentation on the Passport Prime landing page, Zach Herbert, CEO and co-founder of Foundation, explains their analysis of the market and why they believe only 2.5% of the market is using hardware wallets today, despite mainstream adoption of digital assets like Bitcoin — a concern felt across the industry that too many people are getting accustomed to custodial services.


The small screens, iconic to the hardware wallet ecosystem, are often a barrier for users. The shape of the device, often small and with few buttons, can make people nervous, especially when the wrong combination of clicks means an irreversible financial transaction.

In the case of touchscreen devices like the Trezor T, while certainly an improvement from the Trezor One, the buttons are still far smaller than what the public is used to for smartphones, the most prolific computer platform of this era.


The problem with trying to bring hardware wallets to feature parity with mobile phones is the massive complexity introduced by the corresponding software and hardware. Mobile phones, after all, are designed for mass manufacturing and with ease-of-use priorities in mind, rather than securing life-changing amounts of digital currency, which, once sent, cannot be reversed.

The hardware wallet industry has had to build out open source, verifiable, security-optimized hardware and software that addresses top security concerns, while also delivering a familiar and comfortable user experience to the public. In general, the industry recognizes the need for bigger screens and bigger buttons, as seen in new models by Ledger, for example, with their Ledger Stax, and, of course, Coldcard Q’s Blackberry-style hardware wallet.

When asked why not just try to build on top of a standard mobile phone platform, Owen Kemeys, hardware designer at Foundation Devices, told Bitcoin Magazine that “there’s a huge advantage to Passport Prime being a separate security device,” adding that “we need this stuff to work for the normal people. They are not going to be able to understand or have any interest in understanding what makes something safe or unsafe on their phone. Even if they were going so far as to have a dedicated phone for secret stuff or whatever. Everything that we develop, Apple and Google could bake into their phones and tell you it’s safe. But if it’s in a separate device that is built to do that one exact thing, then you know, OK, if it happens on the Passport Prime, it’s safe.”

The Passport Prime Feature Set

Foundation believes they have found an optimal and preferable middle ground between high security and a familiar user experience in a mobile phone-style device, but with very specific hardware and software inside. Kemeys explained that “the Passport Prime runs its own operating system,” adding that “We’re not running a fork of Android or something and then dressing it up differently. We wrote this from the ground up in Rust. It’s called KeyOS. It’s designed for this one purpose of running a smartphone-like experience, but with sandboxed apps.”

The wallet cryptography that is standard in today’s Bitcoin and crypto wallets is also deeply integrated with the operating system. The user sets up a master seed; from its master keys the OS derives separate, isolated child keys for each app on the Passport Prime. Because the derivation is hardened, in the BIP32 sense of the term, an app’s key cannot be used to work back to the master key. “All apps are sandboxed and receive hardened child seeds, meaning that even if an app is malicious, it has no access to the master seed and cannot communicate with other apps,” Herbert explained in his presentation.

This design builds the foundations necessary for secure app development on top of the Passport Prime, unique among hardware wallet manufacturers. While Ledger has made some progress in that direction, Herbert says that the Ledger operating system is very restrictive with such apps — primarily out of security concerns — making it difficult for developers to contribute to the ecosystem. Foundation believes they have solved the problem, unlocking a new kind of security device that can be used for more than cold storage of Bitcoin and crypto assets. It is a security platform for everyday use in the digital era.


As is generally expected of high-security devices like a hardware wallet, the Passport Prime comes without most of the sensors and antennas found in mobile devices. No Wi-Fi, no GPS, and no SIM card, of course. However, NFC, an increasingly popular communications module in hardware wallets and in payments technology in general, is included. NFC works over a range of a few centimetres, and a passive tag draws its power from the reader’s field, which narrows the window for interception (short range lowers eavesdropping risk but is not a substitute for encrypting what is exchanged) and brings Bitcoin closer to the tap-to-pay credit card experience the general public is used to.

“We now have an NFC reader inside,” Kemeys explained, excited about the innovation space unlocked by NFC chips in Bitcoin. “As part of your onboarding setup, in the box, we’re going to ship three NFC cards with the Prime. And as our default onboarding workflow, we’re going to encourage people to make a two-of-three Shamir setup, and back up the shares onto some of those cards.”

Shamir secret sharing is an old and well-known cryptographic scheme (Adi Shamir, 1979). It resembles multisignature setups in Bitcoin in that several parts must come together, but it is entirely off-chain: the master secret is split into shares, and any threshold number of them can recreate it. What matters for security is that any number of shares below the threshold reveals nothing about the secret, so a single lost or stolen share does not compromise the private key; with enough shares, the key is recreated and the corresponding addresses derived. A common default is a threshold of two out of three shares. The downside of Shamir, compared to multisig, is that the shares have to come together on one computer in a secure environment to regenerate the master private key, which is arguably a workable trade-off in the context of hardware wallets.

In fact, Trezor added Shamir backup to its Model T setup flow as an option in 2019, standardized as SLIP-39, and the scheme itself is public, unpatented cryptography. Foundation’s implementation of Shamir was developed in collaboration with Blockchain Commons, and the source code will be published alongside the official release of the Passport Prime.
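The two properties described above, that a threshold of shares recovers the secret and that fewer shares reveal nothing, can be checked directly. The block below is an added example for this article, not Foundation’s or Blockchain Commons’ implementation (their code is not on this page): a 2-of-3 split over the prime field GF(2^521 - 1), chosen so that any secret up to 64 bytes fits, with a 32-byte sample seed constructed for the demo. The `line_through` function shows that a single share is consistent with every possible secret, which is the precise sense in which one share is worthless to a thief.

```python
"""Threshold Shamir secret sharing over a prime field, plus a demonstration
that a single share carries no information about the secret.

Added example, not Foundation's or Blockchain Commons' code. Field is
GF(2^521 - 1); the sample seed is constructed for the demo."""
import secrets

PRIME = 2**521 - 1  # Mersenne prime M521; secrets up to 64 bytes fit below it


def _eval(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... mod PRIME."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % PRIME
    return acc


def split(secret: bytes, threshold: int, shares: int):
    """Return `shares` points (x, y) on a random degree-(threshold-1) polynomial
    whose constant term is the secret. x runs from 1; x = 0 is never handed out."""
    s = int.from_bytes(secret, "big")
    if not 1 <= threshold <= shares or s >= PRIME:
        raise ValueError("bad parameters")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval(coeffs, x)) for x in range(1, shares + 1)]


def recover(points, length: int) -> bytes:
    """Lagrange interpolation at x = 0. Needs at least `threshold` distinct
    points; with fewer, the result is silently wrong, so real deployments pair
    shares with a checksum (SLIP-39 and SSKR both do)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def line_through(share, candidate_secret: int) -> int:
    """For a threshold of 2, return the slope a1 such that the line
    candidate_secret + a1*x passes through `share`. One exists for EVERY
    candidate, so a single share is equally consistent with all secrets."""
    x, y = share
    return (y - candidate_secret) * pow(x, -1, PRIME) % PRIME


def demo():
    seed = bytes(range(32))  # constructed 32-byte sample seed
    cards = split(seed, threshold=2, shares=3)
    # Any two cards rebuild the seed; all pairs are checked.
    pairs = [(cards[0], cards[1]), (cards[0], cards[2]), (cards[1], cards[2])]
    ok = all(recover(list(pair), 32) == seed for pair in pairs)
    # One card alone: show it lies on a line through an unrelated "secret" too.
    decoy = int.from_bytes(b"\xff" * 32, "big")
    slope = line_through(cards[0], decoy)
    decoy_fits = _eval([decoy, slope], cards[0][0]) == cards[0][1]
    return ok, decoy_fits


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The share values are field elements of up to 521 bits, so a real product would encode them into a fixed-size card record with a checksum and share metadata; that encoding, not the arithmetic, is where most implementation differences between libraries live.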

The only mainstream radio expected to be integrated into the Passport Prime is Bluetooth, a decision critics are likely to focus on. The Bluetooth stack, in both hardware and software, is complex and has a long record of published vulnerabilities, and its range is tens of metres rather than centimetres. However, it is one of the most familiar device-to-device connection platforms on the market. The public knows Bluetooth: they use it every day, they know how to pair and unpair devices, and they understand that you push a button here and a button there to get them synced. So, from a user experience perspective, Foundation believes Bluetooth is worth it.

To mitigate the risks, however, they have taken various steps to isolate the Bluetooth chip and lock it down with a very strict protocol they call QuantumLink. “We developed a new quantum-secure encryption standard. It links your Passport Prime to one specific app on your phone, Envoy. And only that app can decrypt communications; Prime will only listen to encrypted comms sent from the app. So anything else that it receives, it just ignores. The protocol will be documented so other apps can establish their own separate connections if the user chooses to allow them,” Kemeys explained about the protocol, also developed in collaboration with Blockchain Commons and expected to be open-sourced upon official launch later this year.

“Nothing else on your phone can get into any of the comms from Prime. And anyone that’s snooping on your wireless link is just getting gibberish. We don’t expect the Bluetooth chip to do this. We don’t trust the Bluetooth chip. The data is encrypted even before it makes its way physically onto the Bluetooth chip. So that’s just broadcasting meaningless gibberish as far as it’s concerned as well,” Kemeys says, explaining the adversarial approach taken to lock down the Bluetooth chip.

For Foundation, the Bluetooth integration solves a very common and tricky user experience problem, which wallet developers have experienced with QR code scanning. “We’re still going to have a camera, so you can do everything QR-based if you want to. They work well, but there are natural limitations: you’re dependent on the lighting, focus, camera quality, screen quality, glass reflections; all with both devices. It takes a few seconds, and longer if there’s a lot of data to exchange.” Kemeys listed the issues with QR codes that seasoned Bitcoin users are probably entirely used to by now, but which the public does not expect to deal with when making payments, adding that “The QR code flow works, but it could be better. And especially for newbies and more naive users, they can get frustrated with it. So the Bluetooth is excellent for them. That’s the immediate obvious benefit, that we can make everything completely seamless. You just move across to your Prime to authorize the transaction, and then it just happens.”


The issues with QR code scanning were best demonstrated by the viral clip of President Trump struggling to make a Bitcoin Lightning payment at PubKey in late 2024. Contrary to popular tweets at the time, it was not an issue with the Lightning Network, but in fact a camera issue; scanning that QR code with so many lights pointed at them was no easy feat!

An essential set of apps is expected to ship with the Passport Prime, among them a two-factor authentication app to replace Google Authenticator, as well as a virtual YubiKey app, which could replace security keys like YubiKeys with a better user experience and comparable security.

Foundation will also offer an encrypted cloud backup service for storing encrypted metadata and for moving an account from one device to another. According to Foundation, the information is stored anonymously and is encrypted on the device with user-generated keys, so the backup service never sees plaintext. The Prime also comes with 50 GB of storage, so that you can store all the JPEGs your heart desires, a feature likely to appeal not just to the broader crypto ecosystem but to alternative social media protocols like Nostr as well.

The Passport Prime is on sale now for $299 on their website, and Cake Wallet, the popular privacy app, is expected to be the first third-party KeyOS app deployed into Passport Prime.

This post Passport Prime: A New Security Device For a New Generation first appeared on Bitcoin Magazine and is written by Juan Galt.

