Not Your Keys, Not Your Coins: A Cold Wallet Overview

Taking a look at the best hardware crypto wallets and best practices to keep your digital assets secured.

Introduction

If your portfolio is kept on reputable exchanges or browser wallets, you don’t have too much to worry about so long as due diligence is done on your behalf. Furthermore, with two-factor authentication (2FA) options enabled, anti-phishing settings on, and responsible opsec by your exchange, your crypto assets are secured in good hands. Many of the current safeguards and other air gaps being employed by crypto custodians and hardware wallet devices are derived from lessons learned from past hacks or other exploits. 

The most catastrophic consequences are always shared far and wide on social media and through mainstream sources. However, sensational headlines are not typical, and in fact provide useful examples on how not to proceed with caution, which makes us all the wiser via observation. Past hacks in which users’ losses were catastrophic still linger from recent memory, so it’s prudent to adopt a mixed approach to suit your short, medium, and long term holdings and manage your risk tolerances accordingly.

Though security has been shored up even more, there are always threats lurking in the unknown horizons of our knowledge. Plenty of exchanges or wallet providers are still of questionable repute, or who don’t prioritize operational security above all else.

The private keys to your crypto are held by the exchange and if something goes wrong, the exchange needs to be trustworthy enough to be able to make its clients right. The best exchanges also have digital asset insurance, meaning affected users will be reimbursed even if the worse were to happen. See the most recent dispute with crypto lending provider Celsius and their bankruptcy proceedings.

Major exchanges definitely take security and regulatory compliance seriously, insisting that users complete KYC checks at registration. The exchange itself will likely hold all or most of its funds in cold storage, without access to the internet. That means the pooled assets are held on hard drives with all the users’ private keys. In some cases, they’re even stored into massive vaults with a variety of air gaps, and armed guards. 

Private keys are essential to accessing your digital assets, and should be treated as with the most robust opsec protocols and code which further enhances privacy features. Some custodians offer multi-sig arrangements in which three private keys are created, two of which must be activated at a time in order for a transaction to be initiated. In this case, custodians keep one of the keys with users controlling two, which works particularly well for business management, long term trusts, IRA accounts, or even married couples with prenuptial arrangements.

Trezor Model One vs. Trezor Model T

First and foremost, the Trezor Model T is the flagship model available from a company called Trezor, based in the Czech Republic. Trezor is one of the most well-known and trusted hardware wallets available for the everyday consumer. It’s been time-tested, open-source software has been audited by a range of third-party security firms. Trading or staking tokens can also be managed via the downloadable Trezor Suite app on desktops; or integrated with other hot wallets like Metamask, Electrum, Exodus, MyEtherWallet, and more. 

Interestingly, some major tokens like Polkadot and Solana were not supported, which will obviously drive those token holders towards other companies right away. ADA, XRP, XTZ, and EOS are supported on the Model T only, so keep that in mind if you plan to utilize the blockchains of these tokens.

Since coming onto the scene, there haven’t been any notable hacks of users’ private keys or any personal information collected by the company. Of course, a keystroke tracker could potentially capture one’s private keys in rare instances. This is mitigated by the Model T since it has its own touchscreen, while the Model One requires users key in their seed phrase and passwords using the computer, which adds some inherent risk.

As mentioned, Trezor also offers a cheaper hardware wallet, the older and less robust Trezor One. The Model T offers more coin support than the Model One, but the wallet integrations are all the same no matter which version is used. Connecting your Trezor Wallet with your internet browser is as easy as downloading the appropriate Bridge. Since sensitive information passwords and recovery phrases are entered directly on-screen for the Model T, it’s considered more safe due to this air gap which separates it from systemic risks derived from one’s desktop.

Setting up the Model T or Model One is also fairly user friendly. After downloading the Trezor Suite App and connecting the hardware wallet to your computer, you’ll want to ensure that the firmware is up to date and wait for the bootloader to be verified by SatoshiLabs. In addition, users will want to make sure that the packaging and tamper-proof hologram seals have not been broken. Users can then set their recovery seed phrase using 12, 18, or 24 words. This is the key to your digital assets should the hardware itself be damaged, lost, or stolen physically. 

If the additional asset support of the Model T is unnecessary, and you don’t need a touchscreen, then the Trezor One is a much cheaper option. Many users don’t feel that it’s worth more than double the price for the Trezor Model T in comparison to the Trezor One, but it definitely depends on everyone’s risk tolerances whether or not the air-gapped touchscreen feature is worth the higher price tag. $80 for the Trezor One and $250 for the Model T, take your pick.

Ledger Nano S Plus vs. Ledger Nano X

The Ledger Nano X and Nano S Plus are thumb-drive styled hardware wallets from French company Ledger. The Ledger Nano X is the flagship product, while the Nano S Plus represents their cheaper, entry-level wallet. While the Nano X is more expensive, it also comes with Bluetooth capability, a larger screen, and compatibility with a wide variety of Web3 applications, compared with the Nano S Plus.

The Nano X supports nearly 5,000 different crypto assets, and is constructed out of an EAL5+ Certified chip, which is one of the strongest evaluations for security and quality. Both devices are meant to be plugged into a personal computer or the mobile application, and are compatible with Windows, Mac, Linux, IOS and Android. Aside from power users, the cheaper Nano S Plus should serve the needs of those looking to hold the most commonly-held digital assets.

Contrasting with Trezor, Ledger has actually suffered a data breach a few years back, though it didn’t involve seed phrases or digital assets directly. The breach allowed hackers to access the personal information of customers like names, addresses, phone numbers, and email addresses. Hackers pretending to be Ledger employees used the sensitive data to send out fake emails asking for login passwords and seed phrases. While this doesn’t necessarily reflect the security of their hardware wallets specifically, it still reveals a certain level of risks which consumers will need to consider.

No Cables, No Batteries: Tap the Arculus Key Card

The Arculus Key Card utilizes your phone’s biometric security features so that it can more seamlessly connect users to their crypto and NFTs. The Arculus Key Card is used alongside the Arculus Wallet App and your phone’s fingerprint scanner. Simply tap the card on your mobile device with the Arculus Wallet App open to gain access to your assets. Of course, your private keys are encrypted and stored in a secure element within your Arculus Key Card’s hardware.

Setting up and transacting makes use of 3-factor authentication:

1. 6-digit PIN for signing in
2. Biometric security systems: fingerprint or facial recognition
3. Embedded element (encrypted keys) must be physically near mobile device while signed in to permit transactions

While the 3-factor authentication is indeed a strong combination of security features, it’s nevertheless prone to user error or theft like any other hardware wallet. That is not to say that it is unsecure, but rather that the change for losing seed phrase would result in a total loss of funds, which is an ever-present risk. Furthermore, since the seed phrase must be typed into a phone or computer device, this allows for key tracking software to intercept sensitive data from users inadvertently.

Having noted the above, Arculus offers a really cool concept, and it may prove to be a pioneering example which leads the entire hardware industry in the direction of using biometrics. It is laudable to see companies offering novel and seamless integration of security with convenience.

Securing Your Bags on a Budget with KeepKey

Launched in 2015, KeepKey is a larger-sized, yet cheaper hardware wallet from the Swiss firm ShapeShift. The ShapeShift’s platform is accessed within a desktop web browser, with the initial setup requiring an account setup and 12-word recovery phrase creation. Following the initial setup, addresses can be paired with a few third-party wallets like Electrum and MyEtherWallet.

The main drawback with KeepKey is its relative lack of coin support in relation to others, as it only supports around 40 coins. It natively supports Bitcoin, Bitcoin Cash, Binance, Dash, Dogecoin, Ethereum, Litecoin, Tether, and a range of others. This is still a pretty limited list in comparison to its rivals and so if users need access to smaller altcoins, other wallets on this list are the way to go.

Final Thoughts and Discussion

Of all the devices mentioned, Trezor and Ledger are the two names which stand out as the dominant brands for hardware storage. Not only have they been heavily audited for security over several years, they’ve been around for long enough to gain users’ trust by simply being on the market for so long without any major breaches or hacks. However, new technology is always working to surpass standards of the past, so there are always new market entrants which will be competitive in terms of features like multi-chain interoperability, quick settlements, privacy, and security guarantees.

Here’s a quick reference guide to sum up the details:

Hardware Model	Key Features	Price (USD)
Trezor Model T	Touchscreen, USB-C, Web3 add-ons	$250
Trezor Model One	Manual buttons, Mini-USB, Web3 add-ons	$80
Ledger Nano X	Bluetooth, large capacity (100 apps), USB-C, 100 mAh battery	$150
Ledger Nano S Plus	Fewer crypto assets and 3rd-party apps	$80
Arculus Key Card	Tap Feature, biometrics, cordless, no battery, bespoke Web3 app	$100
ShapeShift KeepKey	Largest and cheapest device, fewest Web3 add-ons, fewest available tokens	$50

Regardless of the chosen wallet, there are several ways to protect your pin codes, passwords, or seed phrases used for recovery. Writing down recovery seed phrases in multiple locations and locking them into safes or deposit boxes is one commonly used method. In addition to being hidden from view, having multiple copies also protects you from losing or forgetting the phrase since there would be another copy to preserve your ability to recover your wallet if it became lost, damaged, or stolen. 

Therefore, we should always keep in mind that hardware devices themselves can only protect our crypto up to a certain degree. Announcing ownership of crypto could paint oneself as a target for thieves, especially if they believe the reward for doing so would be worth the effort of trying. In terms of local and physical theft, if a criminal manages to find out about your crypto ownership, then they could force you to plug in your wallet and sign into your account right in front of them. This is obviously a worst-case scenario, but there is still another layer of defense.

Fortunately, Trezor and Ledger both offer a ‘hidden wallet’ feature. This enables you to set up additional wallets on your device with a unique private key. If someone forces you to unlock your wallet and enter your password, PIN code, or seed phrase, they wouldn’t immediately see all of your wallets. In this case, you could keep an empty wallet as a visible decoy, or else sequester a small amount to be kept in the visible wallet, and use the hidden wallet feature for deeper storage. 

Not to worry, all of this can be avoided with a bit of prudence and planning on behalf of all of us. Depending on how much crypto you need to store, it makes sense to spread out one’s assets across multiple wallets to sequester any losses, even if a wallet were lost or somehow compromised. As for putting your assets to work, Trezor and Ledger offer staking services which users can take part in, so hardware wallets don’t necessarily mean that you’re taking your cards off the table, so to speak. 

No matter what, always do your own research and evaluate your own risk tolerance for any financial decisions or purchases of any hardware wallet. Furthermore, it’s universally recommended to only do business with the companies themselves or authorized dealers to avoid counterfeit products.

Disclaimer: This article should not be construed as consumer, financial, or investment advice.

Read Next

• Towards a Multi-Chain World: Technological Hurdles and Enablers
• Web1, Web2, Web3: What’s the Difference?
• A Primer on Smart Contract Wallets