Security tradeoff
How Screenless Bitcoin Signing Works
TAPSIGNER separates the key from the phone, but the companion wallet remains the transaction-review surface.
TAPSIGNER isolates a BIP-32 signing key on a separate NFC card, but it has no display. The companion wallet constructs the transaction and shows the amount, destination, fee, inputs, and change. TAPSIGNER signs the requested digest after authentication; it cannot independently prove that the wallet's screen describes that digest honestly.
What the separate card protects
During normal signing, the unencrypted master XPRV stays on TAPSIGNER. Malware that can read ordinary phone storage does not automatically obtain that XPRV. A signature also requires physical NFC interaction and the current PIN/CVC, creating a separate authorization step.
The protocol protects authenticated command data with an ephemeral ECDH-derived session. The card also carries a factory certificate that a compatible wallet should verify before trusting its responses.
These controls address key extraction, card impersonation, and unauthorized use differently. None turns the companion wallet into a trusted display.
What the card cannot show
TAPSIGNER cannot independently display or confirm:
- the destination address;
- amount and fee;
- selected inputs;
- change address;
- network;
- multisig policy or cosigner set;
- the human meaning of a message-signing request.
The card receives a 32-byte digest and path information, not a complete human-readable transaction interface. A compromised wallet can ask for a valid signature over something other than what it shows.
A tap is authorization, not verification
The physical tap proves that the card participated. Entering the PIN authorizes the protected command. Neither action proves that you reviewed the correct transaction.
Before tapping, verify the destination through an independent communication channel. For meaningful payments, compare the transaction or PSBT in another trusted wallet, use allowlisted destinations where appropriate, and consider a second display-equipped signer in a multisig policy.
After signing, inspect the finalized transaction before broadcast when the coordinator permits it. Confirm that inputs, outputs, fee, and change still match the reviewed intent.
Compare three signing models
| Model | Key isolation | Review surface | Main residual risk |
|---|---|---|---|
| Phone-only wallet | Key and interface share the phone | Phone | Compromise can extract key and misrepresent transactions |
| TAPSIGNER + wallet | Key is on a separate NFC card | Companion wallet | Wallet can request a signature for misrepresented details |
| Display-equipped hardware signer | Key and review display are on separate device | Hardware device plus wallet | Device/policy limitations, supply chain, and user verification still matter |
A display is only useful when the device parses the transaction and the user checks it. Screenless signing is a deliberate convenience/security tradeoff, not proof that one model is universally better.
Safer operating habits
- Install the companion wallet from a verified publisher source.
- Keep the phone OS and wallet current, but review release changes before urgent use.
- Verify the TAPSIGNER factory certificate during setup.
- Back up before funding, then change the factory PIN.
- Never store the working PIN with the card.
- Verify receive and destination addresses independently for meaningful amounts.
- Test with small transactions before increasing value.
- Use multisig only with a preserved descriptor and rehearsed recovery.
- Move funds if both the encrypted backup and printed decryption key may be exposed.
When to choose a screen
Choose a display-equipped hardware wallet when independent on-device review is required by your threat model, especially for large or infrequent transactions, an untrusted coordinator, or strict organizational controls.
Choose TAPSIGNER when compact NFC convenience and key separation from the phone address the dominant risks, and you are prepared to trust and verify the companion-wallet workflow.
For the full mechanism, read What is TAPSIGNER?. Before funding, complete backup and recovery and review the security model.
Official sources
Protocol claims on this page were checked against these first-party sources on 2026-07-10.