Secure login — best practices
When you access a hardware wallet's web or desktop interface, always confirm the application's origin and integrity. Use bookmarks for official URLs, verify SSL/TLS certificates in your browser, and keep firmware up to date. Trust only the official recovery flow: seed phrases are generated and confirmed solely on the hardware device, never typed into a browser or shared with anyone.
On-device confirmation
The core security model for hardware wallets relies on on-device display and manual confirmation. Actions that move funds or reveal sensitive data must be confirmed on the device. If a website asks you to confirm a transaction without prompting the hardware device, stop and investigate.
Recognizing phishing and fake pages
Phishing sites mimic official interfaces to collect credentials or trick users into revealing seeds. Look for misspellings, slight domain variations, and missing security indicators. Official wallet projects publish checksums and PGP signatures for releases — verify these using trusted tools if you're downloading firmware or software.
Two-factor and passphrase
Many users pair their hardware wallet with additional protections: a device PIN, an optional BIP39 passphrase (also called a 25th word), and use of the device in combination with a verified host. A passphrase is powerful, but if it is lost or forgotten, funds may become inaccessible. Treat it as a secret separate from your seed.