CoinKite’s Coldcard MK3 - The Safest Bitcoin Hardware Wallet?
VerifyInvestor.com
In 2020, the value of cryptocurrencies rose dramatically, driven in part by greater institutional acceptance and bitcoin buying. As a result, VerifyInvestor.com has noticed an uptick in investors qualifying as accredited investors due to the value of their cryptocurrency holdings. Whether people hold their cryptocurrencies on an exchange or a wallet, they can use crypto to get verified as accredited investors. Regulation D allows verified accredited investors to participate in private deals similar to those conducted by Filecoin, Hashgraph, and tZERO.
Privacy and security are two things that draw people to cryptocurrencies to begin with, but they are also some of the most misunderstood aspects of cryptocurrency. At VerifyInvestor.com, we also take privacy and security very seriously. Today we wanted to review the Coldcard MK3, which is currently regarded by most as the safest commercially available hardware wallet for bitcoin. There are some up and coming contenders for that coveted top spot, however, that we might review in the future. There are already a significant number of reviews and guides on the Coldcard MK3, so we’ll focus mainly on what matters most to us, which is security and ease of use.
We ordered a Coldcard MK3, which arrived in the mail about two weeks later. As at VerifyInvestor.com, attention to privacy and security is obvious throughout the entire Coldcard experience. Protection starts at the supply-chain level, before you even have the hardware wallet in hand. The Coldcard ships in a tamper-evident clear bag with a unique bag number that is written into the secure element of the hardware wallet (more on secure elements below). Once you open the bag, you can compare the number printed on the bag, the number included inside the bag, and the number hardcoded into the wallet itself. The case is also transparent so that you can easily see if the internals have been tampered with. The wallet is sturdy and well made, and difficult to open without destroying it.
When setting up the hardware wallet, you’ll notice that it differs from most hardware wallets. Most use a single PIN for access, but the Coldcard MK3 uses a dual-PIN scheme. After you enter the first PIN, it asks you to confirm two words shown on the device, which will always be the same two words. If those words look correct, you enter the second PIN. If you lose or forget either PIN, you’re in trouble: after a number of incorrect entries, the device permanently destroys itself. The Coldcard also lets you set up a Duress PIN, which opens a different set of wallets, but a knowledgeable person will know if you’ve used a Duress PIN. Yet another feature is the BrickMe PIN, which destroys the hardware wallet if entered.
The cryptocurrency industry tends to favor open source as the gold standard for security, the idea being that open-source code can be vetted by the public. On the flip side, open source also makes it easier for attackers to discover and exploit flaws. The gold standard shouldn’t just be open-source code but rather an open-source codebase that has been thoroughly vetted by the public and found to be safe. Trezor, probably the second most popular hardware wallet out there, enjoys a strong reputation for its commitment to open source. However, Ledger, the most popular hardware wallet today, takes a slightly different approach. While Ledger does open-source part of its code, it also uses closed-source code in conjunction with a secure element to guard secrets. Ledger explains the secure element here. Essentially, you give up a little bit of trust in exchange for the added protection of the secure element. It’s not as bad as it seems; the closed-source aspect is intended to be a feature, not a bug.
What’s life without a little friendly competition? Trezor gave the following five reasons why they don’t use secure elements, and Ledger gave this response. But sometimes you can have your cake and eat it too: the Coldcard MK3 uses a secure element to store secrets and still manages to open-source its code. That takes security one step further than most hardware wallets.
Another feature of the Coldcard MK3 is that it can be used in an air-gapped fashion. Most hardware wallets require you to connect the wallet to a computer or other device to use them. The Coldcard MK3 supports that use case but also lets you use it without ever connecting it to another device. Instead, by leveraging the partially signed bitcoin transaction (PSBT) format, the Coldcard MK3 lets you carry out transactions by way of a microSD card. Air-gapping is more secure but comes at the cost of usability if you use that feature.
That brings us to usability. The Coldcard is larger than the Trezor or Ledger, and because of its size it incorporates a keypad, which makes data entry much easier. However, if you use its air-gapped functionality through a microSD card, usability falls off a cliff. First, you create a skeleton wallet file on the Coldcard, which is saved onto the microSD card. Then you move the card to your device and import that file into your device’s wallet. Next, you create the transaction in the device’s wallet and save the file to the microSD card. Then you move the microSD card back to the Coldcard, sign the transaction on the Coldcard, and save another file to the microSD card. Finally, you bring the microSD card back to your device and transmit the completed transaction from your device’s wallet. It’s not as bad as it sounds, but it’s still a lot of effort. The good news is that this is an optional feature. If you don’t mind forgoing the air-gapped workflow, you can connect the Coldcard directly to your device and use it as you would a Trezor or a Ledger.
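As an added example (not code from Coldcard or VerifyInvestor.com), here is a minimal Python walker over the BIP174 PSBT structure that the microSD round-trip above shuttles back and forth; it lets the online side confirm that a file coming off the card really is a PSBT and whether the signer has added signatures yet. The sample PSBT, txid, pubkey and signature bytes are constructed dummies.

```python
PSBT_MAGIC = b"psbt\xff"                       # BIP174 file magic
IN_PARTIAL_SIG, IN_FINAL_SCRIPTSIG, IN_FINAL_WITNESS = 0x02, 0x07, 0x08


def read_compact_size(data: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at pos; return (value, next_pos)."""
    first = data[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(data[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def read_map(data: bytes, pos: int):
    entries = {}                               # {(key_type, key_data): value}
    while True:
        klen, pos = read_compact_size(data, pos)
        if klen == 0:                          # a lone 0x00 byte terminates the map
            return entries, pos
        key, pos = data[pos:pos + klen], pos + klen
        ktype, koff = read_compact_size(key, 0)
        vlen, pos = read_compact_size(data, pos)
        entries[(ktype, key[koff:])], pos = data[pos:pos + vlen], pos + vlen


def psbt_input_states(psbt: bytes):
    """Return 'unsigned', 'partial' or 'final' for each input of the PSBT."""
    if not psbt.startswith(PSBT_MAGIC):
        raise ValueError("not a PSBT file")
    global_map, pos = read_map(psbt, len(PSBT_MAGIC))
    unsigned_tx = global_map[(0x00, b"")]      # PSBT_GLOBAL_UNSIGNED_TX
    n_inputs, _ = read_compact_size(unsigned_tx, 4)   # input count follows 4-byte version
    states = []
    for _ in range(n_inputs):                  # one map per input follows the global map
        in_map, pos = read_map(psbt, pos)
        types = {t for t, _ in in_map}
        if IN_FINAL_SCRIPTSIG in types or IN_FINAL_WITNESS in types:
            states.append("final")
        else:
            states.append("partial" if IN_PARTIAL_SIG in types else "unsigned")
    return states


def build_sample(with_sig: bool) -> bytes:
    """Constructed 1-in/1-out PSBT with dummy txid, pubkey and signature bytes."""
    tx = (b"\x01\x00\x00\x00" + b"\x01" + b"\x11" * 32 + b"\x00" * 4 + b"\x00" + b"\xff" * 4
          + b"\x01" + (50_000).to_bytes(8, "little") + b"\x00" + b"\x00" * 4)
    psbt = PSBT_MAGIC + b"\x01\x00" + bytes([len(tx)]) + tx + b"\x00"   # global map
    if with_sig:     # PSBT_IN_PARTIAL_SIG: key = 0x02 || pubkey, value = signature
        pubkey, sig = b"\x02" + b"\x22" * 32, b"\x30\x44" + b"\x33" * 68
        psbt += bytes([1 + len(pubkey)]) + b"\x02" + pubkey + bytes([len(sig)]) + sig
    return psbt + b"\x00" + b"\x00"            # end of input map, then an empty output map
```

The unsigned file you write before the first card transfer should report every input as "unsigned", and the file the Coldcard hands back should report "partial" (or "final" once finalized) before you broadcast.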
There’s a lot more about Coldcard’s security features that we didn’t get to cover in this post, but if you’re interested in learning more, definitely check out their website and the numerous Coldcard guides and reviews out there. Coldcard currently occupies the top spot when it comes to security for bitcoin hardware wallets. However, unless it continues to innovate, it stands to lose its position to newer hardware wallets. In particular, it’s worth watching the development of air-gapped wallets that rely on QR codes instead of requiring a microSD card to transfer data between the hardware wallet and the software wallet. Still, we love the Coldcard because its commitment to security is evident throughout, and that sort of mentality matches how we at VerifyInvestor.com approach both privacy and security.