What is TAPSIGNER?

A simple Bitcoin wallet in your pocket. Think of it as a Bitcoin private key on a card! You can sign mobile wallet transactions by tapping the card on your phone. Your mobile wallet provides most of the wallet logic and TAPSIGNER holds the secrets. It's essentially a hardware wallet you can slip inside your regular wallet.

What's the motivation for TAPSIGNER? You already make COLDCARD®.

  • TAPSIGNER's lower cost makes hardware wallet features and security available to a wider market around the world.
  • An NFC card provides fast and easy user experiences.
  • TAPSIGNER is a great way to keep your keys separate from your wallet(s).
  • Card form factor makes it easy to carry and easy to conceal.

What are some possible uses for TAPSIGNER?

  • Phone wallet cosigning
  • Opening and closing Lightning Network channels
  • Using an NFC module with a Lightning Network node
  • Message signing
  • Collaborative multisig service applications
  • Raw transactions
  • Partially signed Bitcoin transactions (PSBTs) via HWI
  • App Authentication

Do I need this paper envelope it came in?

Yes! That's a special radio frequency (RF) blocking sleeve. It prevents unwanted access by RF readers with bad intentions. Be sure to insert TAPSIGNER fully into the sleeve: even 5 mm sticking out can allow a sneaky reader to get a signal.

I lost the RF-blocking sleeve! What can I do?

Thousands of RF-blocking (you can search for RFID) sleeves, wallets, and other card protectors are available for purchase at Amazon or elsewhere online. Any of these should work.

Will you have different graphics?

Yes! We are actively working with artists to produce more designs.

And if you are a brand looking to white label it, please get in touch.

Can I use TAPSIGNER for multisig co-signing?

Absolutely! TAPSIGNER works perfectly for multisig transactions.

Can I use TAPSIGNER with a computer (desktop, laptop)?

Yes! You need a USB NFC card reader and the cktap command-line software. Or any desktop wallet that uses our open protocol.

Plans include adding Hardware Wallet Interface (HWI) support.

Is the private key unique and secret?

Yes. TAPSIGNER comes without a private key. The setup process combines your entropy (random bits) with secret entropy picked by the card.

How do I see the deposit address?

Use your mobile wallet to view the deposit address.

How do I know a TAPSIGNER is genuine?

There are a number of ways to verify the card:

  • Check it with any TAPSIGNER-ready mobile wallet.
  • Use our cktap command-line software.
  • Tap the card on your phone. TAPSIGNER opens a webpage verifying the card logic (but not the certificate chain).

How do I know I'm depositing to the correct address?

You must use a mobile wallet that supports TAPSIGNER. Ideally, you tap the card as part of verifying the deposit address. However, once a wallet is set up, it can generate deposit addresses using the usual BIP-32 derived address paths.

Can I store data on my TAPSIGNER?

No. The TAPSIGNER cannot hold arbitrary data.

How long will a TAPSIGNER last?

Like most electronic devices, if stored properly, it should last decades.

For long-term HODL/storage and large amounts, we recommend a COLDCARD® Hardware Wallet, an ultra-secure Bitcoin wallet also made by Coinkite.

Can't the phone just grab the private key and use it later?

No, the private key (XPRV) that controls the funds never leaves the card.

The backup feature provides an encrypted (AES-128-CTR) copy of the key. Using it requires the decryption key printed on the card. Rogue software cannot read the back of the card without your help.

What if someone takes my TAPSIGNER?

If you changed the PIN code, they could record the AES decryption key (take a picture of the back of the card), but they can't do anything useful with the card's electronics.

Can I use it on an untrusted computer?

The private key is generated inside and never leaves the TAPSIGNER, regardless of any malware and keyloggers that may be present on a connected computer.

However, the wallet you paired with the TAPSIGNER can ask the TAPSIGNER to sign any transaction. You can't verify what you're signing since the TAPSIGNER does not have a screen and, therefore, cannot display transaction information. We recommend the COLDCARD if this is a concern.

What's the seed phrase (BIP-39)?

TAPSIGNER is BIP-32 based and does not use BIP-39 seed phrases (mnemonics), but you can securely back up the XPRV.

The TAPSIGNER encrypts the XPRV with AES using a 16-byte key printed on the back of the card. The backup file plus the key lets you recover the XPRV.

How do I back up a TAPSIGNER?

  • Run the backup command to capture the data on your phone.
  • Record the 16-byte decryption key on the back of the card. We recommend writing it down on paper.

That's all you need to restore the XPRV.

What if I lose my TAPSIGNER?

Use your backup file and a copy of the decryption code from the back of the card to recover the XPRV. If you have those, you don't need the original card.

How do I know the verification link is genuine?

A different random nonce (short for "number once," a single-use numerical value used in cryptography) is signed each time you tap the card on your phone to receive the URL over NFC. Our server verifies the signature and uniqueness of the nonce.

You can also tap again to get a new nonce and corresponding signature.

cktap can do additional verification over the NFC interface that is not possible via the single NFC tap to webpage method. All verification code is open source Python.

Is this a centralized service?

No. It is never necessary to use a centralized service with TAPSIGNER. Our protocol is fully open and the card stores the private keys.

TAPSIGNER works with any Bitcoin wallet that uses our NFC protocol.

How do I know the manufacturer doesn't know the private key?

When setting up your TAPSIGNER for the first time, you provide a 32-byte chain code for entropy. That chain code plus a private key picked by the TAPSIGNER are combined using the BIP-32 standard to derive the payment address.

Because you provided the chain code, and the TAPSIGNER shares the public part of its key, you can derive the payment address and confirm that it matches the address given by the card.

Effectively this means you know the XPUB, the card knows the XPRV, and it's easy to prove the two correspond.

Could TAPSIGNER be generating private keys that look random but aren't?

No. Each customer provides their own chain code for entropy. Before making a deposit, a customer can verify TAPSIGNER incorporated the chain code entropy when it generated the keys.

Do I give the TAPSIGNER to other people as payment?

No. Keep the TAPSIGNER under your control at all times.

You might be thinking of the SATSCARD.

Can I use a TAPSIGNER to sign a message?

Yes, a TAPSIGNER can sign arbitrary messages. It's the same as signing a transaction.

What if I make a malicious TAPSIGNER?

Each TAPSIGNER made by Coinkite carries a certificate, signed by our factory. Like the X.509 certificate chain for OPENDIME®, it can be traced back and verified in the field.

The Python code in cktap will always verify the certificate chain when speaking to TAPSIGNER, and mobile wallets should do the same.

What about an active MiTM attack or relay attack over NFC?

A man-in-the-middle can't change what you're doing with the card. ECDH (Elliptic-curve Diffie-Hellman) is used to encrypt key values like the card verification code (CVC) required to modify the card or view keys. Similarly, all key activities, such as signing a transaction, are ECDH-encrypted and require the CVC.

Still have questions? Contact support: [email protected]

Does "tapping" reveal my public key?

When you tap the TAPSIGNER on a phone it provides a URL for verification purposes, which contains a signature. The URL will typically take you to tapsigner.com/start which decodes it and shows a verification message if it all checks out. This lets you know that a real TAPSIGNER card (not a generic NFC card) is being used, and helps to on-board new users by providing useful links to suitable wallet apps.

That URL does not contain any part of your public key (or XPUB) and cannot be linked to any of your on-chain activity. It is unique for each card.

What about an Evil Maid accessing my TAPSIGNER card when I am absent?

(We will assume you have changed the CVC (PIN code) from the value printed on the card.)

An evil maid could try to gues your PIN, however, after 3 wrong PINs, there is a 15-second delay before she can try again. The delay is enforced by requiring the 'wait' command to be executed 15 times. If you try any command which requires a PIN, you'll get a error unless you do the delay steps first.

Chain code cannot be changed once set (nor can private key).

An evil maid without CVC (PIN code) can take pictures of the outside; this gives them the AES key for the backup decryption. This is a problem going forward if they ever gain access to a copy of the encrypted backup file.

Without the CVC, the maid cannot make her own backup, but if you have stored a backup file from the card insecurely (ie. elsewhere that the maid has access to), then you're toast.

The maid can confirm the card's identity (printed on back, but also available by NFC without authentication). But that doesn't reveal XPUB or anything related to blockchain. It could be a privacy issue if they are tracking your wallet by long-range NFC, but we assume the RF blocker sleave is used.

Last used derivation path (hardened components) will be revealed with a tap. Small info leak there, but will be constant value for most users.

Card Specifications

  • Card size: ID-1: 85.6 × 53.98mm
  • Temperature limits: -15℃ ~ 50℃
  • There are no magnetic or gravity constraints.
  • The presumed operational lifespan is 10 years.
  • Communications by NFC via ISO-7816, specifically ISO/IEC 7816-4:2020 and/or ISO/IEC 14443-A.

Still have questions? Contact support: [email protected]